Suricata IDS/IPS False Positives
-
I am new to adding Suricata to pfSense 23.01. Currently I am not blocking anything, as I am looking through alerts on the LAN and WAN interfaces to try to identify known false positives. That is where I am a bit overwhelmed: there is so much in there. I have found some topics on it and am following them to "clean it up" before blocking. Any great posts or hints for cleaning up some of the false positives? I do understand there is not a black-and-white answer; it is more of a gray area of trial and error in managing it. I just wonder if there are any great tips or tricks. Thank you for any assistance or advice you may have.
-
@stanwij1 Some notes of ours:
- check "Disable hardware checksum offload" in (System->Advanced->Networking)
- disable ALL stream-events.rules or it will block lots of traffic on false positives
- set up on LAN interface (not WAN) to 1) avoid checking packets the firewall will block anyway, and 2) alerts will show LAN IPs
- uncheck "Enable HTTP Log" on the interface (logs all HTTP requests)
- on Log Mgmt tab ensure log rotation is enabled and "Enable Directory Size Limit" is checked
Per BMeeks, the package maintainer:
"The ET Policy and ET Info rules are really not for detecting "bad" things. They are designed to alert you if some machine is doing something that matches the policy. So that ET POLICY WMIC WMI rule is simply telling you that it detected WMI (Windows Management Instrumentation) traffic over the link. That is typically harmless and does not mean malware exists. Generally speaking, for home users and even most small business users, the ET POLICY rules are not a good thing to enable. They will give you plenty of alerts, but the alerts do not mean anything bad is happening. I would recommend not using that rule category in most circumstances."
-
ET Info and ET Policy are good for threat hunting.
For example, I'm testing out a SIEM. Some of the alerts I get:
03/27/2023-09:12:46.731218  [**] [1:2019401:37] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.50.241:51450 -> 192.229.211.108:80
03/27/2023-14:13:39.739567  [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 34.104.35.123:80 -> 192.168.50.241:56415
Like @SteveITS mentioned, these are not bad per se.
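The triage step the thread is circling around (sort the noise by SID, decide which alerts are informational, and suppress them narrowly instead of blocking on them) can be scripted against fast.log. The script below is an added example, not code from any poster or from the pfSense Suricata package. It assumes the LAN is 192.168.50.0/24, treats the "ET POLICY" / "ET INFO" message prefixes as the informational categories BMeeks describes and "SURICATA STREAM" as the stream-events.rules category, and emits Suricata `threshold.config` `suppress` lines. The sample log lines are constructed (the first two match the alerts quoted above; the stream-event line uses an illustrative SID). The regex tolerates both the real `[**]` separators and the bare `[]` that survives when a forum strips them.

```python
"""Triage Suricata fast.log alerts for false-positive tuning (added example).

Assumptions not in the original thread: LAN is 192.168.50.0/24; the sample
lines are constructed; ET POLICY / ET INFO are the informational categories.
Output uses Suricata threshold.config 'suppress' syntax.
"""
import ipaddress
import re
from collections import Counter

# fast.log layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
# \[\**\] matches '[**]' and also '[]' (separators stripped by a forum). IPv4 only.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\**\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\**\]\s+\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

INFORMATIONAL_PREFIXES = ("ET POLICY", "ET INFO")   # alert on behaviour, not badness
STREAM_EVENT_PREFIX = "SURICATA STREAM"              # stream-events.rules category

# Constructed sample input. Lines 1-2 mirror the alerts quoted in the thread;
# line 3 is a repeat of the Java alert; line 4 is an illustrative stream event.
SAMPLE_FAST_LOG = """\
03/27/2023-09:12:46.731218  [**] [1:2019401:37] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.50.241:51450 -> 192.229.211.108:80
03/27/2023-14:13:39.739567  [**] [1:2018959:4] ET POLICY PE EXE or DLL Windows file download HTTP [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 34.104.35.123:80 -> 192.168.50.241:56415
03/27/2023-14:14:02.000001  [**] [1:2019401:37] ET POLICY Vulnerable Java Version 1.8.x Detected [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.50.241:51460 -> 192.229.211.108:80
03/27/2023-15:01:10.123456  [**] [1:2210000:2] SURICATA STREAM 3way handshake with ack in wrong dir [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.50.10:443 -> 192.168.50.241:50001
"""


def parse_fast_log(text):
    """Return one dict per parseable fast.log line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts


def classify(alert):
    """Bucket an alert by what the tuning response should be."""
    msg = alert["msg"]
    if msg.startswith(INFORMATIONAL_PREFIXES):
        return "informational"   # suppress per host, keep for threat hunting elsewhere
    if msg.startswith(STREAM_EVENT_PREFIX):
        return "stream-event"    # disable the whole category, per the advice above
    return "review"              # everything else needs a human look before blocking


def summarize(alerts):
    """Count alerts per (sid, msg), noisiest first: the list you work through."""
    counts = Counter((a["sid"], a["msg"]) for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))


def tune(alerts, lan_cidr="192.168.50.0/24"):
    """Build a tuning plan: suppress lines scoped to the LAN host and the
    direction in which it appears (by_src vs by_dst), not a blanket SID disable."""
    lan = ipaddress.ip_network(lan_cidr)
    plan = {"suppress": [], "disable_categories": [], "review": []}
    for a in alerts:
        kind = classify(a)
        if kind == "informational":
            if ipaddress.ip_address(a["src"]) in lan:
                entry = f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}"
            elif ipaddress.ip_address(a["dst"]) in lan:
                entry = f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_dst, ip {a['dst']}"
            else:
                continue  # neither side on the LAN: nothing to scope a suppress to
            if entry not in plan["suppress"]:
                plan["suppress"].append(entry)
        elif kind == "stream-event":
            if "stream-events.rules" not in plan["disable_categories"]:
                plan["disable_categories"].append("stream-events.rules")
        else:
            plan["review"].append(a)
    return plan


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    for (sid, msg), n in summarize(parsed):
        print(f"{n:4d}  sid {sid}  {msg}")
    result = tune(parsed)
    print("\n# threshold.config entries (pfSense: interface Suppress tab)")
    print("\n".join(result["suppress"]))
    print("\n# categories to disable:", ", ".join(result["disable_categories"]))
    print("# alerts still needing review:", len(result["review"]))
```

The suppress lines go into the interface's Suppress list in the pfSense Suricata package (they are `threshold.config` syntax). Scoping by host and direction keeps the informational rules alive for the threat-hunting use the reply above describes, while silencing the one machine that is known to trigger them; a blanket `suppress gen_id 1, sig_id <sid>` would hide the same signature firing from a host you have not vetted.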