How to tune Suricata to avoid alerts when HTTP status code is 404? #15259
Replies: 1 comment 2 replies
Have you thought about a BPF for Suricata on the source IP of the scanning device? https://docs.securityonion.net/en/2.4/bpf.html#bpf
Version: 2.4.190
Installation Method: Other (please provide detail below)
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 24
RAM: 64
Storage for /: 8tb
Storage for /nsm:
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
Hi everyone,
I’m using Security Onion with Suricata and I often see alerts where the HTTP response has a status code 404. Many of these alerts are generated during scanning or enumeration activity where the request fails, so the 404 responses create a lot of noise.
I would like to tune Suricata so that an alert does NOT fire when the HTTP status code is 404.
My questions are:
Is there a recommended way to tune Suricata rules so that they do not alert when http_status_code = 404?
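As an added illustration of the triage logic the question describes (this is example code written for this page, not anything from the original post or from the Security Onion project), the script below reads Suricata EVE JSON lines and separates alerts whose HTTP response status is 404 from everything else. It assumes alerts are logged with app-layer metadata so that the record carries an `http.status` field; the sample lines and the signature names/IDs in them are constructed. Filtering the log this way only hides the noise after the fact; it does not stop the rule from firing, so it belongs in a post-processing or ingest step rather than in place of rule tuning.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not real traffic, not real rule IDs).
# Two alerts on 404 responses, one alert on a 200 response, one non-HTTP
# alert, and one plain http record that is not an alert at all.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","alert":{"signature_id":2000001,"signature":"EXAMPLE web path probe"},"http":{"hostname":"www.example","url":"/admin.php","http_method":"GET","status":404}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","alert":{"signature_id":2000001,"signature":"EXAMPLE web path probe"},"http":{"hostname":"www.example","url":"/backup.zip","http_method":"GET","status":404}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","alert":{"signature_id":2000002,"signature":"EXAMPLE web shell access"},"http":{"hostname":"www.example","url":"/uploads/x.php","http_method":"POST","status":200}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.5","alert":{"signature_id":2000003,"signature":"EXAMPLE SSH brute force"}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"192.0.2.5","http":{"url":"/","status":404}}
"""


def iter_alerts(lines):
    """Yield parsed EVE records whose event_type is 'alert'; skip blanks and bad JSON."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def has_suppressed_status(rec, statuses=(404,)):
    """True if the alert carries an HTTP status in `statuses`.

    Alerts without an http block (non-HTTP traffic, or alerts raised before the
    response was seen) have no status and are never suppressed.
    """
    http = rec.get("http") or {}
    return http.get("status") in statuses


def filter_alerts(lines, statuses=(404,)):
    """Split alert records into (kept, dropped) by HTTP response status."""
    kept, dropped = [], []
    for rec in iter_alerts(lines):
        (dropped if has_suppressed_status(rec, statuses) else kept).append(rec)
    return kept, dropped


def summarize(records):
    """Count records per signature so the analyst can see what was removed."""
    return Counter(r["alert"]["signature"] for r in records)


if __name__ == "__main__":
    kept, dropped = filter_alerts(SAMPLE_EVE.splitlines())
    print("kept:", dict(summarize(kept)))
    print("dropped (404):", dict(summarize(dropped)))
```

Run it against a real `eve.json` by replacing `SAMPLE_EVE.splitlines()` with the opened file. The `statuses` tuple lets you extend the suppression to other failure codes, and the summary by signature is the check worth doing before deploying any such filter: if a signature that should never be quiet (for instance a successful web shell request) shows up in the dropped set, the filter is too broad.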