Delete rule for one forward node

[cherryCokeBack]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

64

Storage for /

2to

Storage for /nsm

20to

Network Traffic Collection

span port

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello,

after reading the documentation, I don't know if it's still possible with version 2.4.X.
https://docs.securityonion.net/en/2.4/managing-alerts.html
I want to delete several alerts only on one probe

in the administration section we can delete a rule on all forward nodes
however I only want to delete a rule on a single node.
can we modify the file relating to the node in the following location :
/opt/so/saltstack/local/pillar/minions/

thank you for your help

have a nice day

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

I assume you mean Suricata alerts? You can't modify the rule list for a single Forward Node, because the rule list is compiled on the Manager and then pushed out to the Forward Nodes as a completed entity. If there are particular rules you want to suppress from particular networks, would modifying the rule to ignore particular source IPs or subnets work for your use case?

[cherryCokeBack]

thanks for the reply, I'm going to modify the suricata rules to filter they sources.