
🐞💿 Suppression gives 400 Bad Request

Open timguyuk opened this issue 1 year ago • 6 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

Installing SELKS 10, I have the system up and running. I have an internal server that is hit by authorised traffic, but ET SCAN Potential SSH Scan picks it up. No problem, I add the authorised src IPs to suppression, except I can't in SELKS 10. If I try and add from the hunting Dashboard I get a 400 Bad Request. Within https://x.x.x.x/rules/rule I can no longer click on the comments to see the suppression. I can go to history; there are entries but no information other than ip 172.18.0.2? If I go to https://x.x.x.x/rules/ruleset/1/ I can see suppressions, but if I click on the id number I get "Server Error (500)".

Expected Behavior

No response

Steps To Reproduce

  1. Go to hunting dashboard
  2. Filter by Source IP
  3. Policy Actions / Suppress
  4. Default Rule Set / Comments
  5. Submit
  6. 400 Bad Request

Anything else?

No response

timguyuk avatar Jun 26 '24 14:06 timguyuk

I have managed to add hunting suppressions, but when I go to hunting / policies I get "failed to fetch policies statistics".

Also https://x.x.x.x/rules/rule/pk/2001219/ doesn't match hunting policies, so I still have the issue.

I've tried a few different browsers.

Permissions?

timguyuk avatar Jun 26 '24 15:06 timguyuk

Reinstalled today to make sure it wasn't something weird. Still problems. Everything appears to work; I just can confidently say that suppression is working. Certainly all the errors from my first post stand.

timguyuk avatar Jun 27 '24 12:06 timguyuk

Hi,

Are there any errors in docker/containers-data/scirius/logs/django-error.log, if you could share those please?

Thanks

pevma avatar Jun 29 '24 13:06 pevma

Another way to do the suppression manually is to use the docker/containers-data/suricata/etc/threshold.config and edit it directly, after which you just need to restart the suricata container.

pevma avatar Jun 30 '24 08:06 pevma
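The manual workaround from the comment above, written out as an added example (not code from the SELKS project or the commenter): it appends a Suricata threshold.config `suppress` entry for the ET SCAN Potential SSH Scan signature (sid 2001219, from the rule URL in this thread) tracked by source address, then restarts the Suricata container. The file path is the one named in the thread; the container name `suricata` and the 192.0.2.x source addresses are assumptions/constructed placeholders for the authorised hosts.

```shell
#!/bin/sh
# Added example: suppress sid 2001219 for authorised source addresses by
# editing threshold.config directly instead of via the Scirius UI.
# Path from the thread; container name and addresses are assumptions.
THRESHOLD_CONF="${THRESHOLD_CONF:-docker/containers-data/suricata/etc/threshold.config}"
SURICATA_CONTAINER="${SURICATA_CONTAINER:-suricata}"

# Build one threshold.config suppress line for a signature id and a
# source IP or CIDR subnet (Suricata "suppress ... track by_src, ip" form).
suppress_line() {
  # $1 = signature id, $2 = source ip or subnet
  printf 'suppress gen_id 1, sig_id %s, track by_src, ip %s\n' "$1" "$2"
}

# Append the suppress entry unless an identical line already exists, so
# running the script twice does not duplicate entries in threshold.config.
add_suppression() {
  line=$(suppress_line "$1" "$2")
  if grep -F -x -q -- "$line" "$THRESHOLD_CONF" 2>/dev/null; then
    return 0
  fi
  printf '%s\n' "$line" >> "$THRESHOLD_CONF"
}

# Example run: suppress the SSH scan alert for one authorised host and one
# authorised /28 (constructed RFC 5737 addresses), then restart Suricata so
# the new threshold.config is loaded.
if [ "${1:-}" = "apply" ]; then
  add_suppression 2001219 192.0.2.10
  add_suppression 2001219 192.0.2.0/28
  docker restart "$SURICATA_CONTAINER"
fi
```

Run as `sh suppress.sh apply` from the SELKS docker directory; afterwards `grep 2001219 docker/containers-data/suricata/etc/threshold.config` shows the entries that Suricata will honour on restart.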

> Hi,
>
> Are there any errors in docker/containers-data/scirius/logs/django-error.log, if you could share those please?
>
> Thanks

Very basic reinstall and trying to add a suppression on the first event, and the django-error.log gives

2024-07-04 10:22:28,834 WARNING Not Found: /favicon.ico
2024-07-05 09:51:38,453 WARNING Bad Request: /rest/rules/processing-filter/

timguyuk avatar Jul 05 '24 09:07 timguyuk

Does the workaround work? (in my previous comment)

pevma avatar Jul 05 '24 10:07 pevma