Description

Some attackers generate 99% of the alerts. In the code these sources are called bad_ip and all of their alerts are skipped. There are also alerts that occur far too often and could be filtered if necessary (see below).

The bad_ip list might be dataset-specific, and the checks for "Attempted Information Leak" and "Not Suspicious Traffic" might be needed only because of bad_ip.

Proposed Solution

Check the bad IPs for CPTC and CCDC and decide how to proceed.

Check what happens if we remove the check for "Not Suspicious Traffic". The _remove_duplicate method checks for NON_MALICIOUS traffic; note that "Not Suspicious Traffic" is a Suricata classification, while NON_MALICIOUS is part of the MicroAttackStage framework, so the two checks operate on different layers and are not equivalent.

Adapt the _parse function accordingly.
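The following is an added example, not the project's own code, showing the three filters the issue discusses as separate layers: a dominant-source (bad_ip) detector, a filter on Suricata classification text that can be restricted to bad_ip sources, and a stage-level duplicate filter that works on MicroAttackStage values. The alert field names, the share threshold, the duplicate window, the MicroAttackStage members other than NON_MALICIOUS, the classification-to-stage mapping and the sample alerts are all assumptions made for illustration.

```python
"""Added example (not the project's code): alert pre-filtering with a
bad_ip detector, a Suricata-classification filter and a MicroAttackStage-level
duplicate filter. Field names, thresholds, stage names other than
NON_MALICIOUS, the class-to-stage mapping and the alerts are assumptions."""
from collections import Counter
from enum import Enum


class MicroAttackStage(Enum):
    """Hypothetical subset of MicroAttackStage values."""
    NON_MALICIOUS = 0
    INFO_DISC = 1
    RESOURCE_HIJACKING = 2


# Assumed mapping from Suricata classification text to a stage.
SURICATA_CLASS_TO_STAGE = {
    "Not Suspicious Traffic": MicroAttackStage.NON_MALICIOUS,
    "Attempted Information Leak": MicroAttackStage.INFO_DISC,
    "A Network Trojan was detected": MicroAttackStage.RESOURCE_HIJACKING,
}


def _alert(ts, src, dst, sig, cls):
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "sig": sig, "class": cls}


# Constructed signature names and alerts: 10.0.0.5 produces 9 of 12 alerts.
NMAP = "SCAN nmap scripting engine"
CURL = "POLICY curl user-agent"
TROJAN = "TROJAN reverse shell callback"
ALERTS = [
    _alert(0, "10.0.0.5", "10.0.1.1", NMAP, "Attempted Information Leak"),
    _alert(1, "10.0.0.5", "10.0.1.1", NMAP, "Attempted Information Leak"),
    _alert(2, "10.0.0.5", "10.0.1.1", NMAP, "Attempted Information Leak"),
    _alert(3, "10.0.0.5", "10.0.1.2", CURL, "Not Suspicious Traffic"),
    _alert(4, "10.0.0.5", "10.0.1.2", CURL, "Not Suspicious Traffic"),
    _alert(5, "10.0.0.5", "10.0.1.3", NMAP, "Attempted Information Leak"),
    _alert(6, "10.0.0.5", "10.0.1.3", CURL, "Not Suspicious Traffic"),
    _alert(7, "10.0.0.5", "10.0.1.4", NMAP, "Attempted Information Leak"),
    _alert(8, "10.0.0.5", "10.0.1.4", NMAP, "Attempted Information Leak"),
    _alert(9, "10.0.0.7", "10.0.1.1", NMAP, "Attempted Information Leak"),
    _alert(10, "10.0.0.9", "10.0.1.2", TROJAN, "A Network Trojan was detected"),
    _alert(30, "10.0.0.9", "10.0.1.2", CURL, "Not Suspicious Traffic"),
]


def find_bad_ips(alerts, max_share=0.7):
    """Return sources whose share of all alerts exceeds max_share (assumed threshold)."""
    counts = Counter(a["src_ip"] for a in alerts)
    total = sum(counts.values())
    return {ip for ip, n in counts.items() if n / total > max_share}


def skip_bad_ips(alerts, bad_ips):
    """Drop every alert from a bad_ip source (the behaviour the issue describes)."""
    return [a for a in alerts if a["src_ip"] not in bad_ips]


def suricata_class_filter(alerts, bad_ips,
                          dropped=("Attempted Information Leak", "Not Suspicious Traffic"),
                          only_for_bad_ip=True):
    """Filter on Suricata classification text. With only_for_bad_ip=True the
    check applies only to bad_ip sources (the issue's hypothesis); with False
    it applies to all sources, which also removes legitimate low-volume alerts."""
    kept = []
    for a in alerts:
        if a["class"] in dropped and (not only_for_bad_ip or a["src_ip"] in bad_ips):
            continue
        kept.append(a)
    return kept


def remove_duplicate(alerts, window=5):
    """Stage-level filter: map each alert to a MicroAttackStage, drop
    NON_MALICIOUS (and unmapped) alerts, and collapse repeats of the same
    (src, dst, signature) seen within `window` seconds of the last kept one."""
    last_seen, kept = {}, []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        stage = SURICATA_CLASS_TO_STAGE.get(a["class"])
        if stage is None or stage is MicroAttackStage.NON_MALICIOUS:
            continue
        key = (a["src_ip"], a["dst_ip"], a["sig"])
        if key in last_seen and a["ts"] - last_seen[key] <= window:
            continue
        last_seen[key] = a["ts"]
        kept.append(dict(a, stage=stage))
    return kept


def preprocess(alerts, max_share=0.7, window=5):
    """Skip bad_ip sources first, then apply the stage-level duplicate filter."""
    return remove_duplicate(skip_bad_ips(alerts, find_bad_ips(alerts, max_share)), window)


if __name__ == "__main__":
    bad = find_bad_ips(ALERTS)
    print("bad_ip:", bad)
    print("class filter, bad_ip only:", len(suricata_class_filter(ALERTS, bad)))
    print("class filter, everyone:", len(suricata_class_filter(ALERTS, bad, only_for_bad_ip=False)))
    print("stage-level filter on all alerts:", len(remove_duplicate(ALERTS)))
    print("full pipeline:", len(preprocess(ALERTS)))
```

Running it shows why the two checks are not interchangeable: restricting the classification filter to bad_ip sources keeps the three alerts from the other hosts, whereas applying it to everyone also discards their "Attempted Information Leak" scan alert, while the stage-level filter removes NON_MALICIOUS alerts and repeats regardless of which Suricata classification string produced them.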