Discussion:
[pfSense] Suricata alert suppression
Steve Yates
2015-07-13 20:16:35 UTC
I got Suricata installed and operating. I found, oddly, that the highest volume of packet errors alerted was to/from Symantec IPs. I added that subnet as "trusted" but apparently that doesn't take effect unless automatic blocking is also enabled. I have not had much luck having it actually suppress the alerts though... I edited the Suppress rules to use a subnet, which seems to be allowed, like so:

#SURICATA STREAM Packet with invalid ack
suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24

...and then disabled and re-enabled Suricata on the WAN interface. However, IPs from within that /24 still show in the Alerts tab?

--

Steve Yates
ITS, Inc.
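An added check, not code from this thread or from the pfSense or Suricata projects, that replays the suppress rule quoted in the post against constructed eve.json alert records. The sample alerts and the 192.0.2.x / 198.51.100.x addresses are made up; the /24 and sig_id are the post's own, and the track semantics follow Suricata's threshold.config documentation: by_dst compares only the destination address, so an alert in which the Symantec host is the source is left untouched.

```python
import ipaddress
import json
import re

# Constructed eve.json alert records (not a real capture): the page's sid 2210045
# with the Symantec /24 as destination, as source, and one unrelated alert.
SAMPLE_EVE = """
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"143.127.136.45","alert":{"gid":1,"signature_id":2210045}}
{"event_type":"alert","src_ip":"143.127.136.45","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2210045}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2210045}}
{"event_type":"alert","src_ip":"143.127.136.45","dest_ip":"192.0.2.10","alert":{"gid":1,"signature_id":2200003}}
"""

# threshold.config syntax: suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|subnet>
SUPPRESS_RE = re.compile(
    r"suppress\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*track\s+(by_src|by_dst|by_either),\s*ip\s+(\S+)$"
)

def parse_suppress(line):
    """Parse one suppress line into its gid, sid, track mode and network."""
    m = SUPPRESS_RE.match(line.strip())
    if not m:
        raise ValueError("not a suppress rule: %r" % line)
    gid, sid, track, net = m.groups()
    return {"gid": int(gid), "sid": int(sid), "track": track,
            "net": ipaddress.ip_network(net, strict=False)}

def suppressed(alert, rule):
    """True if the rule drops this alert: sid must match and the tracked side must be in the subnet."""
    a = alert["alert"]
    if a["gid"] != rule["gid"] or a["signature_id"] != rule["sid"]:
        return False
    src = ipaddress.ip_address(alert["src_ip"]) in rule["net"]
    dst = ipaddress.ip_address(alert["dest_ip"]) in rule["net"]
    return {"by_src": src, "by_dst": dst, "by_either": src or dst}[rule["track"]]

def remaining_alerts(eve_text, suppress_lines):
    """Return (src_ip, dest_ip, sid) for every alert that no suppress rule removes."""
    rules = [parse_suppress(l) for l in suppress_lines
             if l.strip() and not l.strip().startswith("#")]  # skip blank and comment lines
    kept = []
    for line in filter(None, map(str.strip, eve_text.splitlines())):
        ev = json.loads(line)
        if ev.get("event_type") == "alert" and not any(suppressed(ev, r) for r in rules):
            kept.append((ev["src_ip"], ev["dest_ip"], ev["alert"]["signature_id"]))
    return kept

if __name__ == "__main__":
    # The rule from the post: by_dst leaves the alert sourced from 143.127.136.45 visible.
    print(remaining_alerts(SAMPLE_EVE, ["suppress gen_id 1, sig_id 2210045, track by_dst, ip 143.127.136.0/24"]))
```

Running it with `track by_either` instead shows both alerts involving the /24 suppressed while the unrelated alert and the different sid remain.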
Steve Yates
2015-07-29 15:37:43 UTC
For posterity, I found references in the web forum that the "stream" rules basically don't work the way IDS is set up on pfSense, so they should be disabled. I believe the issue is that it looks at the traffic in parallel, so packets might be processed out of order.

Still not sure why it wasn't honoring the Suppress instruction.

--

Steve Yates
ITS, Inc.