disabled and suppressed alerts to not show in the log tab view
-
How do I get disabled and suppressed alerts to not show in the log tab view?
If this is not possible, please release an update to the alert log view filter that allows us to not show suppressed and disabled alerts.
My logs quite literally get spammed with invalid ack 10000s of times making it so I cannot see anything useful.
https://i.postimg.cc/903JhwfZ/invalidack.png
-
@itsupport1212121 said in disabled and suppressed alerts to not show in the log tab view:
How do I get disabled and suppressed alerts to not show in the log tab view?
If this is not possible, please release an update to the alert log view filter that allows us to not show suppressed and disabled alerts.
My logs quite literally get spammed with invalid ack 10000s of times making it so I cannot see anything useful.
https://i.postimg.cc/903JhwfZ/invalidack.png
Once you suppress an alert or disable a rule, you should receive no new alerts from that item. However, any past existing alerts in your logs will continue to show up as the ALERTS tab code simply reads the active log and displays the contents. The suppressed or disabled alerts will disappear as your log "ages" and the older alerts are rotated out. Of coures you also have the option of manually clearing all alerts from the active log. That will remove the older now suppressed alerts as well.
I'm not sure about the utility of filtering suppressed or disabled alerts because, as I mentioned above, they will self-filter on their own as your log file ages and gets rotated based on the settings you have under LOGS MGMT. However, if you wish to code a solution and post it here as a Pull Request it will be considered for inclusion in the package.
-
Oh, I see. I have to clear logs to get it to not show.
maybe you might know.
Is it possible to get an excerpt of the code when this alert matches?
ET POLICY Powershell Activity Over SMB - Likely Lateral Movement
-
@itsupport1212121
You can enable packet capturing/logging on the INTERFACE SETTINGS tab for the interface. That will take up quite a bit of disk space, though. -
Thanks. The int I want to log doesn't have much traffic and I am the only one that would be sending powershell commands. Also, where can I view it?
Let me know if this thinking is wrong below.
I take it that 32 'maximum size in MB for a packet log file' for a max of 1000 entries would be 32gb? So, if I set the max to 5 MB, it should only use 5GB disk space?
-
@itsupport1212121
I don't currently have an open Suricata session in front of me, but from memory the settings let you select a maximum size for the packet log in megabytes and a limit on the number of captured packets. So the actual disk consumption is determined by the size of each packet (typically 1500 bytes) and how many packets you save. The log size limit is like an override that prevents the log from growing too large.All log data lives in /var/log/suricata and then in a sub-directory underneath for each configured interface. The sub-directory will be named with the physical interface name combined with a random GUID.
