auto ignore Salt connection Alerts #2648
Replies: 1 comment 2 replies
-
|
You can filter these out from the Wazuh alerts by modifying the Wazuh rules. However, we may need to consider making a default filter/modified rule for these. |
Beta Was this translation helpful? Give feedback.
-
|
Ok, can someone supply an example of what to edit and the syntax of the rule? I've read this page https://docs.securityonion.net/en/2.3/managing-alerts.html?highlight=suppression#suppressions but it's a bit over my head. I just want to filter out all the 'normal' ssh salt traffic between the Sensor IP and the Manager IP. |
Beta Was this translation helpful? Give feedback.
-
|
back in the Squert days I could add 'ignore' rules right in the web interface and filter out a lot automatically. It would be nice to be able to do that with SOv2 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
I'm seeing a lot of 'sudo root' alerts that look like they're nothing more than the automated Salt checkins by from the Sensors to the Manager. Shouldn't that particular Alert be ignored with an auto-created BFP rule during setup since it's a known connection setup by the Admin?
Beta Was this translation helpful? Give feedback.
All reactions