Tuning question #14812
Unanswered
Manvanrita asked this question in 2.4
Replies: 1 comment
Hey, see examples in the last part of https://biot.com/capstats/bpf.html
Version: 2.4.150
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Eval
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 4
RAM: 16
Storage for /: 256GB
Storage for /nsm: 256
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
Hello, I'm looking for some help with tuning. I have three hosts that I don't want any alerts to be generated for, so I have added the following rule to the Configuration->BPF section->Suricata section:
not host 192.168.1.36 or not host 192.168.1.19 or not host 192.168.1.5
Having done so, I have rebooted my instance but I still have alerts being triggered for these hosts.
I have also tried to disable rules by moving the slider that is present on the alert overview. Even though I did this more than a week ago, there are still alerts being generated today. I don't understand why this is, because the host traffic should never reach the rule processor if the BPF filter has worked correctly. And if the rule is disabled then no alerts should be generated either?
I thought therefore that I had tuned my BPF to exclude particular hosts and have disabled the rules I'm not interested in.
Can someone help me understand what I am doing wrong and what I can do to correct this behaviour please?
I am using version 2.4.150
Warm regards,
Rob
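As an added illustration that is not part of this discussion or of Security Onion's code: a small Python evaluator for the host/not/and/or subset of BPF filter syntax, using libpcap's operator precedence and run over constructed (src, dst) pairs. It shows why the filter posted above lets every packet through (any packet fails to be at least one of the three hosts, so one of the "or" branches is always true) and how a filter that negates the whole group behaves instead; the packet list and the FIXED expression are mine, not from the post.

```python
import re

# Added example: evaluator for the host/not/and/or subset of BPF filter syntax.
# Precedence as in libpcap: 'not' binds tightest, then 'and', then 'or'.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def compile_filter(expr):
    """Return a predicate over (src, dst) tuples for the given filter string."""
    toks = _TOKEN.findall(expr) + [None]  # token queue; None marks end of input

    def parse_or():  # or := and ('or' and)*
        left = parse_and()
        while toks[0] == "or":
            toks.pop(0)
            left = (lambda a, b: lambda p: a(p) or b(p))(left, parse_and())
        return left

    def parse_and():  # and := not ('and' not)*
        left = parse_not()
        while toks[0] == "and":
            toks.pop(0)
            left = (lambda a, b: lambda p: a(p) and b(p))(left, parse_not())
        return left

    def parse_not():  # not := 'not' not | '(' or ')' | 'host' ADDR
        tok = toks.pop(0)
        if tok == "not":
            inner = parse_not()
            return lambda p: not inner(p)
        if tok == "(":
            inner = parse_or()
            if toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok == "host" and toks[0] is not None:
            addr = toks.pop(0)
            return lambda p: addr in p  # 'host X': X is the source or the destination
        raise ValueError(f"unexpected token {tok!r}")

    predicate = parse_or()
    if toks[0] is not None:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return predicate

def matching(expr, packets):
    """Packets (src, dst) that the filter lets through to the sensor."""
    keep = compile_filter(expr)
    return [p for p in packets if keep(p)]

# Constructed sample traffic (not a capture): (src, dst) pairs.
PACKETS = [("192.168.1.36", "10.0.0.1"), ("10.0.0.2", "192.168.1.19"),
           ("192.168.1.5", "192.168.1.36"), ("10.0.0.3", "10.0.0.4")]
POSTED = "not host 192.168.1.36 or not host 192.168.1.19 or not host 192.168.1.5"
FIXED = "not (host 192.168.1.36 or host 192.168.1.19 or host 192.168.1.5)"
```

Calling `matching(POSTED, PACKETS)` returns all four packets, while `matching(FIXED, PACKETS)` returns only the one that involves none of the three hosts; the same result follows from joining the three negated hosts with `and` rather than `or`.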