Detailed alert suppression documentation needed #2910
I have a lot of Alerts that are known traffic that I am comfortable ignoring completely. I've reviewed the SO docs and tried a few things to suppress those alerts but can't seem to figure out how to successfully filter those out so I never see them. The docs seem lacking in this area. Please add samples with screenshots and/or syntax options to the docs.
Replies: 3 comments 10 replies
Hi @innovate-support , Would you be able to provide an example of what you were trying to suppress, and how you attempted to do so?
I've read that entire managing-alerts.html page in the docs and then added the following lines to my global.sls file:

nids:
  bpf:
    - not host 10.11.12.69 &&
    - not port 1984
  thresholding:
    sids:
      2010935:
        - suppress:
            gen_id: 1
            track: by_src
            ip: 10.11.12.72

My intent was to 'hide' all the alerts with those rule.uuid numbers because they're known traffic that I don't want to see as Alerts. The nids bpf lines did filter out all that traffic as expected, but the thresholding sids rules did not. I'm still seeing the same traffic being alerted for rule.uuid 2010935 for that IP. Here's a screenshot of the alert in question. I suspect that I'm just making a simple syntax error with my suppression rule and/or I'm entering it in the wrong config file. This seems like an easy request for someone who knows what they're doing. This also seems to be something that EVERYONE needs once they get their systems up and running. Filtering out the noise is a huge part of making your product useful as opposed to something that's just a flood of random data. I need to get this suppression stuff figured out because I'm about to start sending Wazuh traffic into the system and I will need to suppress some stuff there too. I figured I should get it working with this basic network traffic before I was flooded with the Wazuh logs.

There's definitely something funny going on with that global.sls file. I tried appending a BPF to it the other day, several times actually, in slightly different ways, and all it ever did was refuse to generate any alerts at all after that. Exactly what I did seems irrelevant, under the circumstances, when entered exactly as shown in the docs.
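To see what a thresholding block like the one above turns into before deploying it, here is an added example (not Security Onion's own Salt template and not from any poster in this thread): it takes the posted YAML as the equivalent Python dict and renders the Suricata threshold.conf lines, rejecting the shape a mis-indented block parses to. Field order follows Suricata's documented threshold.conf syntax; joining the bpf items with spaces is an assumption about how the pillar is concatenated.

```python
# Added example, not Security Onion's own Salt template. Field order follows
# Suricata's threshold.conf syntax; joining bpf items with spaces is an assumption.
# PILLAR is constructed from the YAML posted in the thread (the dict it should parse to).
PILLAR = {
    "nids": {
        "bpf": ["not host 10.11.12.69 &&", "not port 1984"],
        "thresholding": {"sids": {
            2010935: [{"suppress": {"gen_id": 1, "track": "by_src", "ip": "10.11.12.72"}}],
        }},
    },
}

ALLOWED = {  # keys Suricata accepts for each threshold.conf entry type
    "suppress": {"gen_id", "track", "ip"},
    "threshold": {"gen_id", "type", "track", "count", "seconds"},
}

def render_threshold_conf(pillar):
    """Return threshold.conf lines for nids.thresholding.sids, raising ValueError
    on the shape a mis-indented YAML block parses to instead of dropping it."""
    lines = []
    sids = pillar.get("nids", {}).get("thresholding", {}).get("sids", {})
    for sid, entries in sids.items():
        if not isinstance(entries, list):
            raise ValueError(f"sid {sid}: expected a list of '- suppress:'/'- threshold:' items")
        for entry in entries:
            # If gen_id/track/ip sit level with 'suppress:' in the YAML, the item
            # parses to several keys with 'suppress' mapped to None: reject it.
            if not isinstance(entry, dict) or len(entry) != 1:
                raise ValueError(f"sid {sid}: options must be nested under suppress/threshold")
            (kind, opts), = entry.items()
            if kind not in ALLOWED or not isinstance(opts, dict):
                raise ValueError(f"sid {sid}: unknown or empty entry type {kind!r}")
            unknown = set(opts) - ALLOWED[kind]
            missing = ALLOWED[kind] - {"gen_id"} - set(opts)  # suppress may omit track+ip
            if unknown or (missing and (kind == "threshold" or missing != {"track", "ip"})):
                raise ValueError(f"sid {sid}: {kind} unknown={sorted(unknown)} missing={sorted(missing)}")
            fields = [f"gen_id {opts.get('gen_id', 1)}", f"sig_id {sid}"]
            if kind == "threshold":
                fields += [f"type {opts['type']}", f"track {opts['track']}",
                           f"count {opts['count']}", f"seconds {opts['seconds']}"]
            elif "ip" in opts:  # a suppress without track/ip mutes the sid everywhere
                fields += [f"track {opts['track']}", f"ip {opts['ip']}"]
            lines.append(f"{kind} " + ", ".join(fields))
    return lines

def render_bpf(pillar):
    """Join the bpf list items into one filter string (assumed concatenation)."""
    return " ".join(pillar.get("nids", {}).get("bpf", []))
```

Paste your own nids block as the dict, run it, and compare the rendered line against the threshold.conf Suricata actually loads on the sensor; a ValueError points at the indentation level that went wrong.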