SELKS
Why do I disable the rules, but I still see the rules in Rules activity and generate so many alerts?
I enabled all rules in the web page, and found that there are a few rules that are not useful. So I want to stop them generating more alerts, because they have generated so many useless alerts. I clicked the sid and disabled these rules. But they still work and generated a lot of alerts. How can I stop these rules? By the way, all operations were done on the web page, and the Rules activity is a table that shows the top 20 rules which generate the most alerts.
You can disable a specific rule from the Home tab: click on any sig, then on the left hand side under Action, click the desired action.
Or use the Hunting view to threshold or suppress a rule after selecting a signature (from the policy actions menu, right upper corner).
I have clicked the disable rule button and the status of these rules is inactive. They still generate a lot of alerts! One of them even generated 702,789 alerts! I tried to threshold and suppress these rules, but I don't know what threshold and suppress mean.
For example: I suppress a rule by source IP and the net is 0.0.0.0/32. So the generated alerts are suppressed, but how about the newly generated alerts?
I want to make these rules stop working so that they won't generate more alerts. I don't need to delete the generated alerts every day. I delete them because these alerts are false positives. I tried to disable these rules but it didn't work. So what can I do to reduce the number of false positives? Thanks for your patience very much.
After disabling the rule you need to go to the Suricata tab, select Ruleset actions, all check boxes and hit Apply.
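Two points worth checking after hitting Apply, as an added example that is not part of the original thread nor of SELKS/Scirius code. First, disabling a rule in the web UI only changes the database state; the rule stops firing once the regenerated ruleset has been pushed to Suricata and reloaded, so the practical check is whether the sid is still an uncommented rule in the rules file Suricata actually loads. Second, Suricata's threshold and suppress settings act at alert-generation time: a suppress entry (e.g. `suppress gen_id 1, sig_id <sid>, track by_src, ip <addr>`) stops future alerts from that source, a threshold entry of type limit caps how many alerts per source or destination are emitted per time window, and neither touches alerts already stored. Note also that a suppress on 0.0.0.0/32 matches only packets whose source address is exactly 0.0.0.0, so it will suppress almost nothing. The script below checks both files for a given sid; the paths /etc/suricata/rules/scirius.rules and /etc/suricata/threshold.config are assumptions about the SELKS layout, and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SELKS/Scirius code): verify whether a sid is really
# disabled in the rules file Suricata loads and whether threshold.config
# carries threshold/suppress entries for it.
# Assumed SELKS paths (not confirmed by the thread):
#   /etc/suricata/rules/scirius.rules  /etc/suricata/threshold.config

# Constructed sample rules file: one active rule, one commented-out rule.
make_sample_rules() {
  cat > "$1" <<'EOF'
alert tcp any any -> any 80 (msg:"EXAMPLE active rule"; sid:9000001; rev:1;)
#alert tcp any any -> any 22 (msg:"EXAMPLE disabled rule"; sid:9000002; rev:1;)
EOF
}

# Constructed sample threshold.config using Suricata's documented syntax.
make_sample_threshold() {
  cat > "$1" <<'EOF'
# suppress: never alert for sid 9000001 when the source IP is 10.0.0.5
suppress gen_id 1, sig_id 9000001, track by_src, ip 10.0.0.5
# threshold: at most one alert per source per 60 s for sid 9000001
threshold gen_id 1, sig_id 9000001, type limit, track by_src, count 1, seconds 60
EOF
}

# sid_state RULES_FILE SID -> prints active | disabled | missing
# "disabled" = present but commented out; "missing" = not written at all.
# A ruleset generator may do either for a disabled rule; only "active"
# means Suricata will still evaluate the signature after a reload.
sid_state() {
  rules_file=$1; sid=$2
  if grep -Eq "^[[:space:]]*(alert|drop|pass|reject)[[:space:]].*[[:space:](]sid:[[:space:]]*${sid}[[:space:]]*;" "$rules_file"; then
    echo active
  elif grep -Eq "^[[:space:]]*#.*[[:space:](]sid:[[:space:]]*${sid}[[:space:]]*;" "$rules_file"; then
    echo disabled
  else
    echo missing
  fi
}

# threshold_count THRESHOLD_FILE SID -> number of threshold/suppress lines
# that name this sid (grep -c prints 0 with exit status 1; || true keeps
# the function usable under set -e).
threshold_count() {
  grep -Ec "^[[:space:]]*(threshold|suppress)[[:space:]].*sig_id[[:space:]]+$2[[:space:]]*," "$1" || true
}

# Demo on the constructed files; on a real SELKS box point the two
# functions at the assumed paths above instead.
tmp=$(mktemp -d)
make_sample_rules "$tmp/scirius.rules"
make_sample_threshold "$tmp/threshold.config"
for sid in 9000001 9000002 9000003; do
  printf 'sid %s: %s, %s threshold/suppress entries\n' "$sid" \
    "$(sid_state "$tmp/scirius.rules" "$sid")" \
    "$(threshold_count "$tmp/threshold.config" "$sid")"
done
rm -rf "$tmp"
```

If a sid you disabled in the UI still reports `active` after Apply, the ruleset was not regenerated or Suricata has not reloaded it; if it reports `disabled` or `missing` but alerts keep appearing in the dashboards, those are alerts that were already indexed before the change, which disabling cannot remove.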
@pevma Thanks. I was also searching for this, as I simply disabled the rule without doing anything further. Maybe you could update the logic or at least the documentation: if someone disables something, then you also need to hit the apply button?