Question on supressing alerts

[killmasta93]

Hi
Currently i was wondering what the correct way to suppress from a source IP

i was reading https://docs.securityonion.net/en/2.4/managing-alerts.html#disable-the-alert

as they say suppress but from a specific ID and i want to suppress all from a certain IP

would it be like this but not sure if thats correct

  - suppress:
      gen_id: 1
      track: by_src
      ip: 10.10.3.0/24

[robbiemarshall]

It would be easier to utilize a Suricata BPF to filter out that IP. https://docs.securityonion.net/en/2.4/bpf.html

[killmasta93]

hi @robbiemarshall i was reading a bit on the doc you sent me would be something like this?

out of curiosity if i would want to also suppress the alert ET POLICY Cleartext WordPress Login
which has rule UUID 2012843

would it be something like this

[robbiemarshall]

In the first picture, you'd want to put that in suricata instead of pcap. In the second pic, that looks correct.

[killmasta93]

hi @robbiemarshall thanks for the reply, in the second picture i added the supress but i keep seeing it
ex added these two

2012843:
  - suppress:
      gen_id: 1
      track: by_src
      ip: 192.168.7.0/24
2034771:
  - suppress:
      gen_id: 1
      track: by_src
      ip: 192.168.7.0/24

[izidood]

If you want to suppress a suricata rule, its done in:

suricata

threshholding
SIDS.

as i understand, in the sids (disable, enable, modify) section, its only the ID of the rule you put in line pr. line.

[killmasta93]

@GitGoodGod thanks for the reply, im trying to add the ID of the rule but im getting this issue

[izidood]

when i read my message again i see its a bit missunderstanding.

So this is right. you just put it in the wrong place.

2012843:
  - suppress:
      gen_id: 1
      track: by_src
      ip: 192.168.7.0/24
2034771:
  - suppress:
      gen_id: 1
      track: by_src
      ip: 192.168.7.0/24
      

The above needs to go into:

-> suricata

-> thresholding

SIDS

2012843:
  - suppress:
      gen_id: 1
      track: by_src
      ip: 192.168.7.0/24
2034771:
  - suppress:
      gen_id: 1
      track: by_src
      ip: 192.168.7.0/24
      

If you want to disable a rule completly, you can simply add the rule.uuid in:

-> sids

-> disabled
2034771

[killmasta93]

thank you so much

[izidood]

you're welcome m8.

[killmasta93]

hi @GitGoodGod quick question if i want to ignore an ip completely that i currently have that ip using greenbone to scan which creates alerts i assume i would add it on bpf was reading the docs and was wondering if this is correct?
dont want 85.xx.xx.xx to be neither in the pcap or suricata or zeek

[izidood]

pretty sure if you ignore the ip in zeek bpf, it won't even bother about the traffic from that ip specific, maybe that's the easiest way ?

Edit:
you might also need to do it Suricata I guess.

but try it out and see if they disappear.