Replies: 2 comments 1 reply
-
|
You may have to do the path exclusion before the existing check for Do you have a pcap you could share ? |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for helping me! These are the files I transferred via SMB. Let me know if you need anything else. |
Beta Was this translation helpful? Give feedback.
-
|
I don't know if you are still looking for an answer to this, but try writing your exclusion like this: |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Version
2.4.141
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Distributed
Location
on-prem with Internet access
Hardware Specs
Meets minimum requirements
CPU
8
RAM
64
Storage for /
500GB
Storage for /nsm
1TB
Network Traffic Collection
span port
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
Hi all,
I'm trying to tune a Suricata rule (
ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File) on Security Onion to exclude a specific SMB file path or folder (for example, to avoid alerts on files under\Sample\like\Sample\test.ps1).I duplicated the original rule and tried tuning the copied one. I've tried using negated
content:!directly in the rule, and also tried creating a modify tuning under the "Tuning" section, but neither approach worked.Is there a recommended way to do this? Any example syntax, suggestions, or help would be greatly appreciated!
Please see the attached screenshots below for reference:
Original Rule
Copied Rule with adding
content: !"|00|\\|00|S|00|a|00|m|00|p|00|l|00|e|00|\\|00|"; nocase;directly in the rule.Modify tuning under the "Tuning" section of the copied rule
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions