Issues with thresholding and alerts #9903

Flav74 · 2023-03-07T15:28:04Z

Flav74
Mar 7, 2023

Hello all,
I want to ignore several alerts that point to the same address. So I modified the Global pillar /opt/so/saltstack/local/pillar/global.sls and I add this :
suricata:
config:
vars:
address-groups:
EXCLUSION_HTTP: '[X.X.X.X, Y.Y.Y.Y, Z.Z.Z.Z]'
thresholding:
sids:
2006380:
gen_id: 1
track: by_dst
ip: $EXCLUSION_HTTP
But it seems not working because I have always alerts on this rule and theses IPs...
Could you help me?
Just for information, I begin with Security Onion

Answered by InfosecGoon

Mar 8, 2023

Rather than thresholding, you might be better off modifying the rule to handle this.

Try this instead, from the Manager node:

so-rule modify add 2006380 'any any' '![$EXCLUSION_HTTP] any'

That will modify the rule to fire on any destination IP that is NOT contained in the variable EXCLUSION_HTTP.

View full answer

InfosecGoon · 2023-03-08T14:54:30Z

InfosecGoon
Mar 8, 2023

Rather than thresholding, you might be better off modifying the rule to handle this.

Try this instead, from the Manager node:

so-rule modify add 2006380 'any any' '![$EXCLUSION_HTTP] any'

That will modify the rule to fire on any destination IP that is NOT contained in the variable EXCLUSION_HTTP.

0 replies

Flav74 · 2023-03-08T18:20:40Z

Flav74
Mar 8, 2023
Author

Thank you, it's working!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Issues with thresholding and alerts #9903

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Issues with thresholding and alerts #9903

Uh oh!

Flav74 Mar 7, 2023

Replies: 2 comments

Uh oh!

InfosecGoon Mar 8, 2023

Uh oh!

Flav74 Mar 8, 2023 Author

Flav74
Mar 7, 2023

InfosecGoon
Mar 8, 2023

Flav74
Mar 8, 2023
Author