Disabling Specific Suricata Alert for Local SQL Server Access #14284
Hi everyone, I'm encountering a high volume of Suricata alerts regarding local IP addresses accessing our SQL server. I've been trying to find a solution to disable a specific Suricata alert when the source is within my HOME_NET and the destination is a particular SQL server IP address. I've searched extensively but haven't found a clear answer. Any assistance on how to achieve this would be greatly appreciated. Thanks!
Replies: 2 comments 2 replies
Could this work? Tuning -> Modify -> Regex:

Regards
Would it be possible to create a pass rule?
Yes, you should be able to create a pass rule:
https://docs.securityonion.net/en/2.4/nids.html#adding-new-nids-rules
https://docs.suricata.io/en/latest/performance/ignoring-traffic.html#pass-rules
Another option might be to create a BPF:
https://docs.securityonion.net/en/2.4/bpf.html
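As an added example (not from this thread or the Security Onion docs), here is what the three options above could look like for the traffic described in the question; the SQL server address 10.0.0.5, port 1433, the SID 1000001 and the `<...>` values are placeholders to replace with the real ones from the noisy alert:

```suricata
# Option 1: pass rule (goes with your local rules). Pass rules are evaluated
# before alert rules, so a matching packet raises no alert at all.
# Scoped to HOME_NET sources talking to the SQL server only. The flow and content
# options are placeholders copied from the signature you want to silence: without
# them the pass rule matches the whole flow and silences every other alert on it too.
pass tcp $HOME_NET any -> 10.0.0.5 1433 (msg:"PASS local clients to SQL server"; flow:to_server,established; content:"<content from the original rule>"; sid:1000001; rev:1;)

# Option 2: suppress a single signature (threshold.conf syntax). <SID> is the
# sig_id shown in the alert. Suppression keys on one side only (by_dst here),
# so it cannot additionally require the source to be inside HOME_NET.
suppress gen_id 1, sig_id <SID>, track by_dst, ip 10.0.0.5

# Option 3: BPF (placeholder 10.0.0.0/8 stands for your HOME_NET). This removes
# the traffic from Suricata entirely, so no signature of any kind is evaluated on it.
not (src net 10.0.0.0/8 and dst host 10.0.0.5 and dst port 1433)
```

Options 1 and 2 still let other signatures inspect the SQL traffic; option 3 trades that visibility for the lowest load, so check what else fires on those flows before choosing it.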