Disabling metadata #12981
Replies: 1 comment 3 replies
-
|
You could try removing the content match from your example. Another option might be BPF: |
Beta Was this translation helpful? Give feedback.
-
|
Hmm but I wonder if it will remove the match from my alerts too. Let’s say I want to keep my suricata dns alerts while not collecting the dns metadata. Will that work in that example? |
Beta Was this translation helpful? Give feedback.
-
|
The second option of BPF would definitely prevent alerts for any traffic filtered by BPF. For the first option of removing the content match from your example, I think (but haven't tested) that it would still allow alerts to fire and would simply prevent the logging of DNS metadata. |
Beta Was this translation helpful? Give feedback.
-
Sadly content match didnt work for me and I dont want to restrict it with bpf because it will prevent alerts. All problem lies with other options enabled in suricata.conf such as presented on this screen. |
Beta Was this translation helpful? Give feedback.
-
Version
2.4.60
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Distributed
Location
airgap
Hardware Specs
Exceeds minimum requirements
CPU
doest not matter
RAM
doest not matter
Storage for /
doest not matter
Storage for /nsm
doest not matter
Network Traffic Collection
tap
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
I have a simple question yet I cannot find the answer anywhere. I am using suricata for metadata, but I want to disable some of the metadata sources entirely.
For example - I want to disable DNS metadata entirely, the provided examples for rules are only for disabling it for specific domains like
config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)How can I do it ? :)
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions