Open JoppeOostenrijk opened 2 years ago
Just a last check: What is the src_ip and dest_ip event that got generated and what is the suppression rule ?
src_ip = 192.168.1.178, dest_ip = 142.251.39.110 (not exactly, but the same type of Google IP; currently no access to this machine). Suppression rule = 192.168.1.178 (mistyped the IP in the post above); also tried 192.168.1.0/24 as the suppression rule.
@JoppeOostenrijk, can you try something out as a test? Can you try to adjust the file
containers-data/suricata/etc/selks6-addin.yaml
Change the following line
grep -i threshold /etc/suricata/selks6-addin.yaml
threshold-file: /etc/suricata/threshold.config
to
threshold-file: /etc/suricata/rules/threshold.config
Can you please redo the test and see if it works?
Hi, it seems to have worked to stop generating alerts. However, when trying to build Suricata (through ruleset update) it throws a "nosuchpatherror at /suricata/update" error at the build stage...
I could not reproduce that error. We actually merged the fix; maybe pull and recreate the containers and redo the test?
I reinstalled the docker containers, also cleaning their data, however, it doesn't seem to have fixed the issue after all. With the suppression rule the traffic still generates alerts.
Hi, did you sync up the git code as well (git pull)?
https://github.com/StamusNetworks/SELKS/wiki/Docker#upgrade-all-containers
Thanks for trying it out!
-- Regards, Peter Manev
Hi yes, I just completely removed it from my system and cloned it again to make it work, double checked the selks6_addin.yaml to be sure.
Glad to hear it works. I think this routine below should be good for the next time an upgrade is needed:
git pull
docker-compose pull
docker-compose stop
docker-compose up -d
Hi Peter,
I think you misunderstood, it still doesn't suppress the alerts for me.
Hi @JoppeOostenrijk ,
Sorry I missed that. Can you please share the contents of the threshold file? You can do that from the docker running directory, via:
docker exec -it suricata /bin/bash
cat /etc/suricata/rules/threshold.conf
Hi @pevma ,
the contents are:
cat /etc/suricata/rules/threshold.config
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.179
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.0/24
suppress gen_id 1, sig_id 2030137, track by_src, ip 192.168.1.0/24
While the file is named threshold.config instead of .conf, this is in line with your earlier comment and code edit.
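The thread turns on two questions: does the `threshold-file:` path in selks6-addin.yaml point at the file Scirius actually writes, and, given the three `suppress` lines above, which alerts should the engine drop? The following is an added example written for this thread, not SELKS or Suricata project code. It models Suricata's `suppress gen_id ..., sig_id ..., track ..., ip ...` syntax offline so a defender can confirm what the file ought to suppress (e.g. sig 2008983 from anywhere in 192.168.1.0/24) before concluding the engine is ignoring it. Assumptions: only `suppress` lines are modelled (`threshold`/`rate_filter` lines are skipped), the `ip` field is a single address, a CIDR, or a bracketed comma-separated list of those, negation (`!`) is not handled, and the sample threshold text and YAML snippet are constructed from the lines quoted in this thread.

```python
"""Offline model of Suricata 'suppress' entries and the threshold-file setting.

Added example for this thread (not SELKS/Suricata code). Assumptions: only
'suppress' lines are modelled; 'ip' is an address, a CIDR, or a bracketed
comma-separated list; '!' negation is not supported.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three suppress lines quoted in the thread.
SAMPLE_THRESHOLD_CONFIG = """\
# threshold.config as pushed by Scirius
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.179
suppress gen_id 1, sig_id 2008983, track by_src, ip 192.168.1.0/24
suppress gen_id 1, sig_id 2030137, track by_src, ip 192.168.1.0/24
"""

# Constructed sample of the addin YAML line discussed earlier in the thread.
SAMPLE_ADDIN_YAML = "threshold-file: /etc/suricata/rules/threshold.config\n"

SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(.+?))?\s*$"
)


@dataclass
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]   # None means: suppress the signature entirely
    networks: list         # ipaddress network objects

    def matches(self, gen_id: int, sig_id: int, src_ip: str, dest_ip: str) -> bool:
        """True if an alert with these fields would be dropped by this entry."""
        if (gen_id, sig_id) != (self.gen_id, self.sig_id):
            return False
        if self.track is None:
            return True
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dest_ip)
        candidates = {"by_src": [src], "by_dst": [dst], "by_either": [src, dst]}[self.track]
        return any(addr in net for addr in candidates for net in self.networks)


def parse_threshold_config(text: str) -> List[Suppress]:
    """Parse the 'suppress' lines of a threshold.config; skip comments and other keywords."""
    rules: List[Suppress] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("suppress"):
            continue
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        gid, sid, track, ipspec = m.groups()
        nets = []
        if ipspec is not None:
            for item in ipspec.strip("[]").split(","):
                item = item.strip()
                if item.startswith("!"):
                    raise ValueError(f"line {lineno}: '!' negation not supported in this model")
                nets.append(ipaddress.ip_network(item, strict=False))
        rules.append(Suppress(int(gid), int(sid), track, nets))
    return rules


def is_suppressed(rules: List[Suppress], gen_id: int, sig_id: int, src_ip: str, dest_ip: str) -> bool:
    """True if any entry would suppress the given alert."""
    return any(r.matches(gen_id, sig_id, src_ip, dest_ip) for r in rules)


def configured_threshold_file(yaml_text: str) -> Optional[str]:
    """Return the threshold-file path set in the YAML text, or None if absent."""
    m = re.search(r"^\s*threshold-file:\s*(\S+)", yaml_text, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    rules = parse_threshold_config(SAMPLE_THRESHOLD_CONFIG)
    path = configured_threshold_file(SAMPLE_ADDIN_YAML)
    print(f"threshold-file configured as: {path}")
    # The thread's test alert: BlackSun user agent (sid 2008983) from the SELKS host.
    for src in ("192.168.1.179", "192.168.1.178", "10.0.0.5"):
        print(src, "->", "suppressed" if is_suppressed(rules, 1, 2008983, src, "142.251.39.110") else "ALERT")
```

Running the block shows that, with these three lines, any sid 2008983 alert whose source is inside 192.168.1.0/24 is expected to be suppressed; if the live engine still alerts on such traffic, the file content is not the cause and the loaded path (compare `configured_threshold_file` against the file the container actually contains) or the engine itself is the next thing to check.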
Yes, thank you.
Do those seem like the suppressions you made? Are they not suppressing everything from src_ip 192.168.1.179, let's say?
These are the suppressions I added specifically to those rules.
OK, so basically, if I understand correctly, you are receiving alerts from the IP/networks above for those specific signatures: 2008983, 2030137. It seems like a suppression bug if that is the case. Can you please confirm or share a screenshot of an example alert?
Hi, I think you understand correctly, see images below.
Ok.
Did you also do the Ruleset actions (Suricata tab in management): select all actions/apply? After a suppression or any rule adjustment change you need to update/push those. (Apologies if I am repetitive, just making sure we will not miss something in order to pinpoint the issue.)
I am also facing the same issue. I have tried to apply the ruleset actions but that hasn't helped.
Is this still an unresolved issue ?
I'm running SELKS-ce in docker (4 vCPUs & 16 GB RAM). I set up drop rules, with the necessary IPS code in the SELKS-6_addin.yaml.
As part of my testing I wanted to try out suppressing (parts of) rules. My understanding of suppressing a rule is that it shouldn't generate alerts?
I try to simulate alerts by running curl -A "BlackSun" www.google.com to generate an "ET USER_AGENTS Suspicious User Agent (BlackSun)" alert. I run this command on the same machine as where SELKS is running. This works fine, the alert is generated. Then, I try to suppress this rule (SID 2008983) for the IP of my SELKS machine (..*.176) by doing the following:
After posting this to discord, I got confirmed this is a bug.