When to filter out vs alter rules #11761
Replies: 1 comment
-
I think it depends mostly on the individual analyst concerned. Varying patterns in legitimate traffic can point to nefarious activity.
-
As the title suggests, I'm curious as to how others handle this process. What are you evaluating when making the decision to alter an alert rule or to completely filter out the undesired traffic?
E.g., we have some expected LDAP connections that are being alerted on by Suricata. They're coming from the servers they should, going to expected destinations. We can either alter the rule to omit the specific traffic we don't want to see alerted on, or we can set a BPF for dropping that traffic entirely.
The conundrum here is I don't have a template or idea on how I want to evaluate what to drop and what to keep but not alert on.
Any insight on workflows/decisions etc. would be helpful.
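One way to make the trade-off in the question concrete, as an added example that is not from the discussion or from Suricata itself: the script below takes a handful of constructed eve.json-style alert records and applies the two options side by side. Option 1 is a Suricata `threshold.config` `suppress` entry (real syntax; the signature IDs are placeholders, not real SIDs). Option 2 is the BPF from the post, approximated as a Python predicate, since Suricata applies a BPF before any rule runs. The hosts, networks and signature names are all constructed sample values.

```python
import ipaddress

# Constructed Suricata eve.json-style alert records (sample data, not from the thread).
# Signature IDs 9999901/9999902 are placeholders, not real Suricata/ET SIDs.
SAMPLE_ALERTS = [
    {"src_ip": "10.1.5.10", "dest_ip": "10.1.1.20", "dest_port": 389,
     "alert": {"signature_id": 9999901, "signature": "PLACEHOLDER expected LDAP query"}},
    {"src_ip": "10.1.5.10", "dest_ip": "10.1.1.20", "dest_port": 389,
     "alert": {"signature_id": 9999902, "signature": "PLACEHOLDER LDAP anomaly on same flow"}},
    {"src_ip": "192.168.7.33", "dest_ip": "10.1.1.20", "dest_port": 389,
     "alert": {"signature_id": 9999901, "signature": "PLACEHOLDER LDAP query from workstation"}},
]

# Option 1: a threshold.config suppress entry. Only this SID, only from this source net,
# is silenced; every other rule still inspects the traffic.
SUPPRESS_LINE = "suppress gen_id 1, sig_id 9999901, track by_src, ip 10.1.5.0/24"

# Option 2: the BPF the post mentions. Matching packets are discarded before rule
# evaluation, so no rule at all sees them. Modelled below by dropped_by_bpf().
BPF_EXPR = "not (src net 10.1.5.0/24 and dst host 10.1.1.20 and dst port 389)"


def parse_suppress(line):
    """Parse 'suppress gen_id G, sig_id S, track by_src|by_dst, ip ADDR' into a dict."""
    fields = {}
    for chunk in line.split(","):
        key, value = chunk.strip().split()[-2:]  # first chunk is 'suppress gen_id 1'
        fields[key] = value
    return {
        "gen_id": int(fields["gen_id"]),
        "sig_id": int(fields["sig_id"]),
        "track": fields["track"],
        "net": ipaddress.ip_network(fields["ip"], strict=False),
    }


def suppressed(alert, rule):
    """True if the suppress entry silences this alert (SID matches and tracked address is in net)."""
    if alert["alert"]["signature_id"] != rule["sig_id"]:
        return False
    addr = alert["src_ip"] if rule["track"] == "by_src" else alert["dest_ip"]
    return ipaddress.ip_address(addr) in rule["net"]


def dropped_by_bpf(alert, src_net="10.1.5.0/24", dst_host="10.1.1.20", dst_port=389):
    """Approximation of BPF_EXPR: the whole flow is discarded before any rule runs."""
    return (ipaddress.ip_address(alert["src_ip"]) in ipaddress.ip_network(src_net)
            and alert["dest_ip"] == dst_host
            and alert["dest_port"] == dst_port)


def remaining_after_suppress(alerts, line=SUPPRESS_LINE):
    """Alerts an analyst would still see with the suppress entry in place."""
    rule = parse_suppress(line)
    return [a for a in alerts if not suppressed(a, rule)]


def remaining_after_bpf(alerts):
    """Alerts an analyst would still see with the BPF drop in place."""
    return [a for a in alerts if not dropped_by_bpf(a)]


def sids(alerts):
    """Sorted signature IDs of a list of alerts, for easy comparison."""
    return sorted(a["alert"]["signature_id"] for a in alerts)


if __name__ == "__main__":
    print("suppress keeps:", sids(remaining_after_suppress(SAMPLE_ALERTS)))
    print("bpf drop keeps:", sids(remaining_after_bpf(SAMPLE_ALERTS)))
```

The point the output makes: with the suppress entry, the second record (a different signature firing on the same server-to-server LDAP flow) and the workstation's LDAP query both survive, whereas the BPF drop removes everything on that flow, including the anomaly you never intended to hide. That is the visibility cost to weigh when choosing the BPF route: it is cheaper on the sensor, but it blinds every current and future rule to that traffic, not just the noisy one.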