Netgate Discussion Forum

    disabled and suppressed alerts to not show in the log tab view

    • itsupport1212121

      How do I get disabled and suppressed alerts to not show in the log tab view?

      If this is not possible, please release an update to the alert log view filter that allows us to not show suppressed and disabled alerts.

      My logs quite literally get spammed with invalid ack 10000s of times making it so I cannot see anything useful.

      https://i.postimg.cc/903JhwfZ/invalidack.png

      • bmeeks @itsupport1212121

        @itsupport1212121 said in disabled and suppressed alerts to not show in the log tab view:

        How do I get disabled and suppressed alerts to not show in the log tab view?

        If this is not possible, please release an update to the alert log view filter that allows us to not show suppressed and disabled alerts.

        My logs quite literally get spammed with invalid ack 10000s of times making it so I cannot see anything useful.

        https://i.postimg.cc/903JhwfZ/invalidack.png

        Once you suppress an alert or disable a rule, you should receive no new alerts from that item. However, any past existing alerts in your logs will continue to show up as the ALERTS tab code simply reads the active log and displays the contents. The suppressed or disabled alerts will disappear as your log "ages" and the older alerts are rotated out. Of course you also have the option of manually clearing all alerts from the active log. That will remove the older now suppressed alerts as well.

        I'm not sure about the utility of filtering suppressed or disabled alerts because, as I mentioned above, they will self-filter on their own as your log file ages and gets rotated based on the settings you have under LOGS MGMT. However, if you wish to code a solution and post it here as a Pull Request it will be considered for inclusion in the package.

        • itsupport1212121
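bmeeks above invites a filter for suppressed and disabled alerts as a pull request. The following is an added example of how such a view filter could work, not code from the pfSense Suricata package: it parses Suricata's standard fast.log line format together with a threshold.config `suppress` list and a set of disabled (gid, sid) pairs, and drops the alerts that would no longer fire. The log file the pfSense ALERTS tab actually reads, the way disabled rules are stored, and all sample lines and SIDs are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed Suricata fast.log sample; SIDs are local-range placeholders, not real ET SIDs.
SAMPLE_FAST_LOG = """\
01/23/2024-12:34:56.789012  [**] [1:1000001:1] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:443
01/23/2024-12:34:57.000001  [**] [1:1000002:1] ET POLICY Powershell Activity Over SMB - Likely Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:49152 -> 10.0.0.9:445
01/23/2024-12:34:58.000001  [**] [1:1000002:1] ET POLICY Powershell Activity Over SMB - Likely Lateral Movement [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.8:49153 -> 10.0.0.9:445
01/23/2024-12:34:59.000001  [**] [1:1000003:1] CONSTRUCTED Test signature for a disabled rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.4:4444 -> 10.0.0.9:1433
"""
# Constructed threshold.config excerpt in Suricata's "suppress" syntax.
SAMPLE_SUPPRESS = """\
suppress gen_id 1, sig_id 1000001
suppress gen_id 1, sig_id 1000002, track by_src, ip 10.0.0.7
"""
DISABLED = {(1, 1000003)}  # (gid, sid) of rules the user disabled; storage format is an assumption
# IPv4 only: pulls gid:sid and the source/destination addresses out of a fast.log line.
FAST_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$")
SUPPRESS_RE = re.compile(r"^suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+)(?:,\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+))?$")

def parse_suppress(text):  # -> [(gid, sid, track, network)], track/network None when unconditional
    rules = []
    for m in (SUPPRESS_RE.match(ln.strip()) for ln in text.splitlines()):
        if m:
            gid, sid, track, ip = m.groups()
            rules.append((int(gid), int(sid), track, ipaddress.ip_network(ip, strict=False) if ip else None))
    return rules

def is_hidden(gid, sid, src, dst, rules, disabled):  # True if the alert would no longer fire
    if (gid, sid) in disabled:
        return True
    for r_gid, r_sid, track, net in rules:
        if (r_gid, r_sid) != (gid, sid):
            continue
        if track is None:  # a suppress line without a track clause hides every match
            return True
        if track in ("by_src", "by_either") and ipaddress.ip_address(src) in net:
            return True
        if track in ("by_dst", "by_either") and ipaddress.ip_address(dst) in net:
            return True
    return False

def filter_alerts(fast_log, suppress_text, disabled):  # fast.log lines a filtered view would still show
    rules = parse_suppress(suppress_text)
    kept = []
    for line in fast_log.splitlines():
        m = FAST_RE.search(line)
        if m and not is_hidden(int(m["gid"]), int(m["sid"]), m["src"], m["dst"], rules, disabled):
            kept.append(line)
    return kept
```

On the sample, only the third line (the SMB alert from 10.0.0.8, which no suppress entry covers) survives; the "invalid ack" noise and the disabled rule's alert are dropped.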

          Oh, I see. I have to clear logs to get it to not show.

          maybe you might know.

          Is it possible to get an excerpt of the code when this alert matches?

          ET POLICY Powershell Activity Over SMB - Likely Lateral Movement

          • bmeeks @itsupport1212121

            @itsupport1212121
            You can enable packet capturing/logging on the INTERFACE SETTINGS tab for the interface. That will take up quite a bit of disk space, though.

            • itsupport1212121 @bmeeks

              @bmeeks

              Thanks. The int I want to log doesn't have much traffic and I am the only one that would be sending PowerShell commands. Also, where can I view it?

              Let me know if this thinking is wrong below.

              I take it that 32 'maximum size in MB for a packet log file' for a max of 1000 entries would be 32 GB? So, if I set the max to 5 MB, it should only use 5 GB disk space?

              • bmeeks @itsupport1212121

                @itsupport1212121
                I don't currently have an open Suricata session in front of me, but from memory the settings let you select a maximum size for the packet log in megabytes and a limit on the number of captured packets. So the actual disk consumption is determined by the size of each packet (typically 1500 bytes) and how many packets you save. The log size limit is like an override that prevents the log from growing too large.

                All log data lives in /var/log/suricata and then in a sub-directory underneath for each configured interface. The sub-directory will be named with the physical interface name combined with a random GUID.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.