How to learn about advanced suricata tuning



  • I am new to researching Suricata alerts, and googling doesn't seem to bring much clarity to me about how I should view the alerts I am seeing, let alone decide how and when to suppress alerts, or block the IP addresses responsible for any attacks on my system.

    Are there any tutorial posts that will help me understand the advanced side of how to look into these alerts and ultimately decide if they are threats?



  • @thawee

    There are about eight pinned posts in this subsection worth reading...



  • @thawee said in How to learn about advanced suricata tuning:

    I am new to researching Suricata alerts, and googling doesn't seem to bring much clarity to me about how I should view the alerts I am seeing, let alone decide how and when to suppress alerts, or block the IP addresses responsible for any attacks on my system.

    Are there any tutorial posts that will help me understand the advanced side of how to look into these alerts and ultimately decide if they are threats?

    This old and very long thread contains a lot of useful information. It's a conversation among experienced and newbie security admins on various ways to configure Suricata and what rules are key and which are more prone to just generate noise.

    https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint.

    Unfortunately there is no single place for documenting what the various rules are for. Likewise there are few (if any) tutorials out there either. The folks who create these rules are writing something in a hurry to detect an active in-the-wild threat, so time is of the essence to get it authored and deployed in the next rule set update. That means documentation of what the rule does and how it does it generally is saved for later. Of course anyone who writes software knows what "later" means ... ☺. It is a synonym for either "never" or "when I get around to it". It happens that way because right about the time the author gets around to documenting that last rule another new threat shows up and his boss says "write me a detection rule for this ASAP" ... ☹.



  • @bmeeks said in How to learn about advanced suricata tuning:

    https://forum.netgate.com/topic/70170/taming-the-beasts-aka-suricata-blueprint.

    I was thinking of suggesting that post but felt those pinned ones were a great start.



  • Thanks for the replies! They are appreciated.

    I will check them out :)

