Netgate Discussion Forum
    Suricata IDS/IPS False Positives

    stanwij1

      I am new to adding Suricata to pfSense 23.01. Currently I am not blocking anything, as I am looking through alerts on the LAN and WAN interfaces to try to identify known false positives. That is where I am a bit overwhelmed. There is so much in there. I have found some topics on it and am following them to "clean it up" before blocking. Any great posts or hints for cleaning up some of the false positives? I do understand it is not a black and white answer and more of a gray area of trial and error in managing; I just wonder if there are any great tips or tricks. Thank you for any assistance or advice you may have.

      SteveITS @stanwij1

        @stanwij1 Some notes of ours:

        • check "Disable hardware checksum offload" in (System->Advanced->Networking)
        • disable ALL stream-events.rules or it will block lots of traffic on false positives
        • set up on LAN interface (not WAN) to 1) avoid checking packets the firewall will block anyway, and 2) alerts will show LAN IPs
        • uncheck "Enable HTTP Log" on the interface (logs all HTTP requests)
        • on Log Mgmt tab ensure log rotation is enabled and "Enable Directory Size Limit" is checked

        Per BMeeks, the package maintainer:
        “The ET Policy and ET Info rules are really not for detecting "bad" things. They are designed to alert you if some machine is doing something that matches the policy. So that ET POLICY WMIC WMI rule is simply telling you that it detected WMI (Windows Management Instrumentation) traffic over the link. That is typically harmless and does not mean malware exists. Generally speaking, for home users and even most small business users, the ET POLICY rules are not a good thing to enable. They will give you plenty of alerts, but the alerts do not mean anything bad is happening. I would recommend not using that rule category in most circumstances.”

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        michmoor @SteveITS

          ET Info and ET Policy are good for threat hunting.
          For example, I'm testing out a SIEM.

          Some of the alerts I get:

          03/27/2023-09:12:46.731218 [**] [1:2019401:37] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.50.241:51450 -> 192.229.211.108:80
          03/27/2023-14:13:39.739567 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 34.104.35.123:80 -> 192.168.50.241:56415

          Like @SteveITS mentioned, these are not bad per se.

          Firewall: Netgate, Palo Alto-VM, Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP, CCNP Enterprise

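As an added example (not code from either poster or from the Suricata package), the following script parses fast.log lines in the format quoted above, splits ET POLICY / ET INFO alerts off as informational in line with the BMeeks quote, and emits standard Suricata suppress-list entries (`suppress gen_id N, sig_id M`) for their SIDs so they can be silenced without disabling detection rules. The two thread lines are reused as-is; the third sample line, its SID 9000001 and the 203.0.113.10 address are constructed.

```python
"""Triage Suricata fast.log alerts: ET POLICY / ET INFO hits become
'informational' and suppress-list lines; everything else stays actionable."""
import re

# One fast.log record. Forum markdown may strip the '[**]' separators to '[]'; both are accepted.
FAST_LOG = re.compile(
    r"^(?P<ts>\S+)\s+\[(?:\*\*)?\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.+?)\s+\[(?:\*\*)?\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^:\s]+):\d+\s+->\s+(?P<dst>[^:\s]+):\d+$"
)
INFORMATIONAL_PREFIXES = ("ET POLICY", "ET INFO")

SAMPLE = [  # constructed sample batch; the first two lines are the ones posted in the thread
    "03/27/2023-09:12:46.731218 [**] [1:2019401:37] ET POLICY Vulnerable Java Version 1.8.x Detected "
    "[**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.50.241:51450 -> 192.229.211.108:80",
    "03/27/2023-14:13:39.739567 [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP "
    "[**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 34.104.35.123:80 -> 192.168.50.241:56415",
    "03/27/2023-14:20:01.000000 [**] [1:9000001:1] LOCAL TEST constructed non-policy alert "
    "[**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.50.241:50000 -> 203.0.113.10:443",
    "garbage line that is not an alert",
]

def parse_line(line):
    """Parse one fast.log line into a dict, or return None if it is not an alert record."""
    m = FAST_LOG.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "prio"):
        rec[key] = int(rec[key])
    # Policy/Info rules describe behaviour on the wire, not compromise (per the BMeeks quote).
    rec["informational"] = rec["msg"].startswith(INFORMATIONAL_PREFIXES)
    return rec

def triage(lines):
    """Split a batch of lines into (informational, actionable, unparsed) buckets."""
    info, action, bad = [], [], []
    for line in lines:
        rec = parse_line(line)
        bucket = bad if rec is None else info if rec["informational"] else action
        bucket.append(line if rec is None else rec)
    return info, action, bad

def suppress_lines(alerts):
    """Suricata suppress-list entries (threshold.config syntax), one per distinct GID:SID."""
    return [f"suppress gen_id {g}, sig_id {s}" for g, s in sorted({(a["gid"], a["sid"]) for a in alerts})]
```

Review the actionable bucket in the SIEM and keep the informational bucket as hunting context rather than blocking on it.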