Setting up suppressions for different sensors #12006
Replies: 1 comment 1 reply
BPF can be used to filter hosts / network subnets from reaching Suricata altogether. That would disable any rule from alerting for any traffic from certain hosts / networks / ports. https://docs.securityonion.net/en/2.4/bpf.html

By modifying Suricata address-groups you could set variables for specific host groups like DNS_SERVERS, and you would be able to set those unique to each sensor. Then when Suricata rules are evaluated, it takes into account the $DNS_SERVERS variable set on each sensor config. https://docs.securityonion.net/en/2.4/suricata.html#home-net

For creating new Suricata address-groups see #12086.

Here is an example Suricata rule from etopen:

You're also able to modify / rewrite rules to leverage your additional Suricata variables. https://docs.securityonion.net/en/2.4/managing-alerts.html
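As an added example (not code from this discussion or from Security Onion/Suricata), the following Python resolves the address fields of a rule header against per-sensor address-group definitions, showing how one unchanged rule alerts on one sensor and stays quiet on another simply because $DNS_SERVERS is defined differently per sensor. The sensor names, address ranges and rule sid are constructed; port fields and Suricata's finer negation semantics are not modelled.

```python
import ipaddress
# Constructed per-sensor address-groups (assumed, not from the discussion); only DNS_SERVERS differs.
HOME = "[10.0.0.0/8, !10.0.5.0/24]"
SENSOR_VARS = {
    "sensor-a": {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET", "DNS_SERVERS": "[10.1.0.53]"},
    "sensor-b": {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET", "DNS_SERVERS": "[10.2.0.53, 10.2.0.54]"},
}
# Constructed rule (hypothetical sid, not an ET Open rule).
RULE = 'alert dns $HOME_NET any -> !$DNS_SERVERS 53 (msg:"DNS to unapproved resolver"; sid:1000001;)'

def _split(text, sep):
    """Split text on sep (',' or None for whitespace), but only at bracket depth 0."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if depth == 0 and ((ch == sep) if sep else ch.isspace()):
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def matches(expr, ip, variables):
    """Evaluate a Suricata address expression (any, $VAR, !x, CIDR, [a, !b]) for one IP."""
    expr = expr.strip()
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr == "any":
        return True
    if expr.startswith("$"):  # resolve the sensor-specific address-group, recursively
        return matches(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        items = _split(expr[1:-1], ",")
        positive = [i for i in items if not i.startswith("!")]
        negated = [i[1:] for i in items if i.startswith("!")]
        # A group containing only negated entries means "anything except those".
        included = not positive or any(matches(i, ip, variables) for i in positive)
        return included and not any(matches(i, ip, variables) for i in negated)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def rule_applies(rule, src_ip, dst_ip, variables):
    """Check only the source/destination address fields of a rule header (ports ignored)."""
    _action, _proto, src, _sport, arrow, dst, _dport = _split(rule.split("(", 1)[0], None)[:7]
    assert arrow == "->", "bidirectional rules are not handled in this example"
    return matches(src, src_ip, variables) and matches(dst, dst_ip, variables)

def sensors_alerting(rule, src_ip, dst_ip):
    return sorted(s for s, v in SENSOR_VARS.items() if rule_applies(rule, src_ip, dst_ip, v))
```

A query to 10.1.0.53 is silent on sensor-a (its approved resolver) but alerts on sensor-b, which is the per-sensor effect the reply describes without touching the rule itself.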
Version: 2.4.30
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 16-32
RAM: 16-32
Storage for /: 200-300 GB
Storage for /nsm: 1 TB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
Hello, I have a distributed installation of SO with many sensors. In version 2.3, I could adjust my suppressions for each of the sensors by editing its sls file. How can this be done in version 2.4 without using configurations in the web interface, so that the suppression of a subnet or a single IP does not affect all sensors? Or is it planned to add the ability to select which sensor specifically to record a list of suppressions for, as implemented with zeek/suri cpu, firewall, etc.?