Netgate Discussion Forum
    How to learn about advanced suricata tuning

    IDS/IPS
    5 Posts 3 Posters 1.3k Views
    • thawee (last edited by thawee)

      I am new to researching Suricata alerts, and googling doesn't seem to bring much clarity to me about how I should view the alerts I am seeing, let alone decide how and when to suppress alerts, or block the IP addresses responsible for any attacks on my system.

      Are there any tutorial posts that will help understand the advanced side of how to look into these alerts and ultimately decide if they are threats?

      • NollipfSense @thawee

        @thawee

        There are about eight pinned posts in this subsection worth reading...

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • bmeeks @thawee (last edited by bmeeks)

          @thawee said in How to learn about advanced suricata tuning:

          I am new to researching Suricata alerts, and googling doesn't seem to bring much clarity to me about how I should view the alerts I am seeing, let alone decide how and when to suppress alerts, or block the IP addresses responsible for any attacks on my system.

          Are there any tutorial posts that will help understand the advanced side of how to look into these alerts and ultimately decide if they are threats?

          This old and very long thread contains a lot of useful information. It's a conversation among experienced and newbie security admins on various ways to configure Suricata and what rules are key and which are more prone to just generate noise.

          https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint.

          Unfortunately there is no single place for documenting what the various rules are for. Likewise there are few (if any) tutorials out there either. The folks who create these rules are writing something in a hurry to detect an active in-the-wild threat, so time is of the essence to get it authored and deployed in the next rule set update. That means documentation of what the rule does and how it does it generally is saved for later. Of course anyone who writes software knows what "later" means ... ☺. It is a synonym for either "never" or "when I get around to it". It happens that way because right about the time the author gets around to documenting that last rule another new threat shows up and his boss says "write me a detection rule for this ASAP" ... ☹.

          • NollipfSense @bmeeks

            @bmeeks said in How to learn about advanced suricata tuning:

            https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint.

            I was thinking of suggesting that post but felt those pinned ones were a great start.


            • thawee

              Thanks for the replies! They are appreciated.

              I will check them out :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.