Detections / Tuning, Suppress vulnerability scanner IP from ALL #13163
Hello All, First off, SO Team -- thank you for the hard work and the addition of the detections module. Loving it. Hope this hasn't been answered before, as I did look some and didn't see it. In my environment I have a vulnerability scanner that, as imagined, lights up the alerts really well :). Is there a way to GLOBALLY suppress alerts from that single IP?
Replies: 1 comment 3 replies
I was able to successfully block spam alerts from vulnerability scanners by adding a BPF rule for Suricata.
Go to:
Administration -> Configuration -> BPF -> Suricata
Add a line like this
where 1.2.3.4 is the IP address of your vulnerability scanner.
If you have multiple scanners, then add a line like this instead:
where each IP address is one of your scanners.
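
Added example, not part of the original thread (the rule lines the reply refers to did not survive on this page): a small Python helper that builds a standard pcap-filter exclusion expression from a list of scanner addresses, rejecting malformed or overly broad entries. The function name, the prefix-length limits and the sample addresses are assumptions; check how your Security Onion version combines BPF lines before pasting the output.

```python
import ipaddress

# Assumed safety limits: refuse ranges wider than these so a typo
# cannot blind the sensor to a large part of the network.
MIN_PREFIX = {4: 24, 6: 64}


def scanner_exclusion_bpf(scanners):
    """Build a pcap-filter expression excluding the given scanner IPs/CIDRs."""
    terms = []
    seen = set()
    for raw in scanners:
        # strict parsing: "10.0.0.5/24" (host bits set) raises ValueError
        net = ipaddress.ip_network(raw.strip())
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"{raw!r} is too broad to exclude")
        if net in seen:
            continue  # skip duplicates
        seen.add(net)
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"net {net.with_prefixlen}")
    if not terms:
        raise ValueError("no scanner addresses given")
    if len(terms) == 1:
        return f"not {terms[0]}"
    return "not (" + " or ".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample addresses
    print(scanner_exclusion_bpf(["1.2.3.4"]))
    print(scanner_exclusion_bpf(["1.2.3.4", "192.0.2.10", "198.51.100.0/28"]))
```

A BPF exclusion drops the scanner's packets before Suricata inspects them, so no alert of any kind is generated for that address while the filter is in place.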