Tune a rule
#14576
Replies: 1 comment
Version: 2.4.110
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 4
RAM: 25G
Storage for /: 100G
Storage for /nsm: 400G
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
Hello,
I installed a standalone instance of SO and I'm learning how to use it.
After navigating around the different interfaces and menus, I'd like to reduce the background noise. I have a huge number of alerts and want to reduce false positives.
I watched videos and read about detection tuning but can't figure out how to tune a rule.
The rule is part of ET OPEN. It detects a Kali instance on the network based on a DHCP request.
I have 2 Kali instances on my network and don't want to receive alerts for these.
But when tuning detection you can only use src or dst IP. Obviously, when sending a DHCP request at boot my Kali VMs don't have an IP and are known only by MAC address.
Is there a way to do it with a MAC address?
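One defender-side workaround for the situation described above, added here as an example and not taken from the original post or the Security Onion project: instead of suppressing by IP, post-filter Suricata EVE alerts by the DHCP client hardware address (BOOTP chaddr) carried in the logged packet payload. It assumes EVE alert payload logging is enabled; the MAC allowlist, signature id and sample alert records are constructed placeholders.

```python
import base64
import json

# Constructed allowlist for the two known Kali VMs (placeholder MACs, not from the post).
KNOWN_KALI_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

def dhcp_client_mac(payload: bytes):
    """Return the BOOTP chaddr of a DHCP message as a lowercase MAC string,
    or None if the payload is too short or not Ethernet (htype 1, hlen 6)."""
    if len(payload) < 240:          # BOOTP fixed header (236) + magic cookie (4)
        return None
    htype, hlen = payload[1], payload[2]
    if htype != 1 or hlen != 6:
        return None
    return ":".join(f"{b:02x}" for b in payload[28:34])   # chaddr starts at offset 28

def is_known_kali_dhcp(alert: dict) -> bool:
    """True when an EVE alert was raised on a DHCP client message (UDP/67)
    whose client hardware address is on the allowlist."""
    if alert.get("event_type") != "alert" or alert.get("proto") != "UDP":
        return False
    if alert.get("dest_port") != 67 or not alert.get("payload"):
        return False
    mac = dhcp_client_mac(base64.b64decode(alert["payload"]))
    return mac in KNOWN_KALI_MACS

def filter_eve(lines):
    """Drop alerts from allowlisted DHCP clients; keep every other record unchanged."""
    return [r for r in map(json.loads, lines) if not is_known_kali_dhcp(r)]

def build_discover(mac: str) -> bytes:
    """Constructed minimal DHCPDISCOVER: BOOTP header, magic cookie, option 53, end."""
    chaddr = bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10     # 16-byte chaddr field
    header = bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 20 + chaddr + b"\x00" * 192
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"

def make_alert(mac: str) -> str:
    """Constructed EVE alert line with the DHCP payload base64-encoded as Suricata logs it."""
    return json.dumps({
        "event_type": "alert", "proto": "UDP", "src_ip": "0.0.0.0", "dest_ip": "255.255.255.255",
        "src_port": 68, "dest_port": 67,
        "alert": {"signature": "constructed Kali DHCP rule", "signature_id": 9000001},
        "payload": base64.b64encode(build_discover(mac)).decode(),
    })

if __name__ == "__main__":
    sample = [make_alert("00:11:22:33:44:55"), make_alert("de:ad:be:ef:00:01")]
    for rec in filter_eve(sample):
        print("kept alert for client", dhcp_client_mac(base64.b64decode(rec["payload"])))
```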