IDH-Alarms - exempt IP-addresses of vulnerability scanners from generating false positives #12547

ejgh-oe · 2024-03-09T10:35:11Z

ejgh-oe
Mar 9, 2024

Hi,
Our vulnerability scanners are generating a lot of false positives when hitting our internal honeypots (SO IDH-Nodes).
What's the best way to prevent these alarms from being generated in the first place?

I was thinking about a BPF, but where should I put the BPF? BPF for PCAP, BPF for Zeek or BPF for Suricata?
IDH-alarms come from playbook, but in the end it boils down to there the packets come from.

Thanks much in advance for any clue.

Answered by izidood

Mar 19, 2024

so i havn't tested it myself, i will in a bit.
i just put in the ignore list in the default.yaml file for IDH, which is fine, but i think if you upgrade node it wont save it.
im thinking it might have to look like this perhaps ?

idh:
  opencanary:
    config:
      ip.ignorelist: [x.x.x.x.x]

i'll test it out myself as well at some point.

View full answer

InfosecGoon · 2024-03-13T14:12:38Z

InfosecGoon
Mar 13, 2024

Sorry, just to be clear -- the alerts are being generated by Playbook (your vulnerability scanners interacting with the honeypot services) or by Suricata (the traffic from your scanners to the honeypot node)?

6 replies

ejgh-oe Mar 13, 2024
Author

The IDH alerts are generated by playbook - e.g.

and in detail view

The corresponding playbook definition (Play #2134) reads

As pointed out in my original question I'd like to suppress these alerts for certain source-IP (vulnerability-scanners) while leaving it intact (i.a. alarming) for all others.

izidood Mar 13, 2024

just some additional info, you can make an ip ignore list in idh advanced tap. then only the idh's will ignore the scanners.

ejgh-oe Mar 14, 2024
Author

just some additional info, you can make an ip ignore list in idh advanced tap. then only the idh's will ignore the scanners.

The corresponding dialog box only says "it's YAML" and "be careful" ;-)

Any ideas about the syntax? I haven't found anything in the docs, i.e. https://docs.securityonion.net/en/2.4/idh.html#configuration.

izidood Mar 19, 2024

so i havn't tested it myself, i will in a bit.
i just put in the ignore list in the default.yaml file for IDH, which is fine, but i think if you upgrade node it wont save it.
im thinking it might have to look like this perhaps ?

idh:
  opencanary:
    config:
      ip.ignorelist: [x.x.x.x.x]

i'll test it out myself as well at some point.

Answer selected by ejgh-oe

jaypfe Mar 27, 2024

@GitGoodGod

Your solution is tested functional for me!

Not OP but thanks for the input on this thread, really saved me some headache.

izidood Mar 27, 2024

awesome m8, seems like it also worked for me.

ejgh-oe · 2024-03-27T17:58:10Z

ejgh-oe
Mar 27, 2024
Author

Thanks @GitGoodGod - definitely helps getting out those false alarms triggered by vulnerability scans :-)

1 reply

izidood Mar 27, 2024

great!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

IDH-Alarms - exempt IP-addresses of vulnerability scanners from generating false positives #12547

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 7 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

IDH-Alarms - exempt IP-addresses of vulnerability scanners from generating false positives #12547

Uh oh!

ejgh-oe Mar 9, 2024

Replies: 2 comments · 7 replies

Uh oh!

InfosecGoon Mar 13, 2024

Uh oh!

ejgh-oe Mar 13, 2024 Author

Uh oh!

izidood Mar 13, 2024

Uh oh!

ejgh-oe Mar 14, 2024 Author

Uh oh!

izidood Mar 19, 2024

Uh oh!

jaypfe Mar 27, 2024

Uh oh!

izidood Mar 27, 2024

Uh oh!

ejgh-oe Mar 27, 2024 Author

Uh oh!

izidood Mar 27, 2024

ejgh-oe
Mar 9, 2024

Replies: 2 comments 7 replies

InfosecGoon
Mar 13, 2024

ejgh-oe Mar 13, 2024
Author

ejgh-oe Mar 14, 2024
Author

ejgh-oe
Mar 27, 2024
Author