Suppress not suppressing alerts

[s0meguy1]

Hello,

Security Onion is not suppressing alerts when I specify criteria for the alerts. I am able to disable the alert entirely, but I am not ok with doing that with every alert, as I have a few noisy servers. There isn't one specific alert that causes this, so I have been using the alerts that are most easy to reproduce. So far I've tried:

Specifying criteria via suppress
Adding Thresholds (with criteria)
editing both the minions and global sls with the same information (no luck both individually and with the same information)

An example of what I have (at the moment) in my minions sls (this ID is for a lookup of a .world domain):

    2027870:
    - suppress:
        gen_id: 1
        ip: 192.168.0.94
        track: by_src

Then I would trigger the alert by doing an nslookup on a .world domain on 192.168.0.94 to see if my changes in the sls "took".

My system:
SO version:
Version: 2.3.160

Installed on a NUC (bare metal install)
8 cores
32gb ram
1TB SSD

The install is the only instance of SO on my network, so no other minion sensors located elsewhere.

Please let me know if more information is required!

EDIT:
doing some research in this area, threshold.conf does not seem to be getting updated when I restart the tools:

so-idstools-restart && so-rule-update
cat /opt/so/conf/suricata/threshold.conf
##### The thresholding pillar has not been defined

I don't know how to get threshold.conf to update correctly. According to the docs, it looks like I just need to update the minion sls file, then push the updates?

[sanba06c]

Hello,

In my environment, I used the following command:

salt \* cmd.run 'so-suricata-restart'

[s0meguy1]

Tried running that command, no change to the file (I don't know that updating threshold.conf is required). I was still able to trigger the alert I have disabled:

Again here is the config for the alert I've been triggering:

[dougburks]

@s0meguy1 Double-check your yaml syntax here:

     2027870:
    - suppress:
        gen_id: 1
        ip: 192.168.0.94
        track: by_src

Per https://docs.securityonion.net/en/2.3/managing-alerts.html, that section should start with:

thresholding:
  sids:

and then make sure each line is indented properly.

Suppressions should apply directly to Suricata instead of idstools.

[s0meguy1]

Sorry,

That was a screenshot of the last rule, I have a bunch, here is a better screenshot. I only have to specify sids once, correct?

[dougburks]

As I mentioned in my previous reply, please double-check your syntax. Specifically, please change threasholding to thresholding and make sure lines are indented as shown in the example at https://docs.securityonion.net/en/2.3/managing-alerts.html#threshold.

[s0meguy1]

Sorry @dougburks

I don't know how I missed your answer, you are correct! That was it!

[s0meguy1]

I ran:

cat /opt/so/saltstack/local/pillar/minions/securityonion_eval.sls| tr " " "*" | tr "\t" "&"

To show my indentation, the asterisks being spaces, does it look correct?

EDIT:

The last rule had two extra spaces, fixed, but still not suppressing alerts:

Alerts (using .world as a test case still):

[sanba06c]

Have you changed this typo "threasholding" to "thresholding" as dougburks mentioned? Also, make sure that the rule uuid is not duplicate. Btw, what is the rule uuid 11303? It seems strange to me.

Can you make a screenshot of all details or upload the txt file here for ease of reference?

[s0meguy1]

Jesus!

Yes the "Threashold/Threshold" typo was the problem! I need to be more careful where I get my config files from!

I feel dumb, but thank you so much for catching that!

[sanba06c]

@dougburks is the person who spotted this typo first :). I'm glad that it helped.