by admin » 03 Nov 2025, 00:53
[code]nano /etc/suricata/threshold.conf[/code]
- add at the end:
[code]# Suppression of APT alerts for two specific IPs
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.1
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.1
[/code][code]systemctl restart suricata
suricata -T[/code]
[quote]Notice: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 4
Info: affinity: can't get cpu-affinity node
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: detect: 1 rule files processed. 54317 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 4 rule(s) found
Info: detect: 54320 signatures processed. 944 are IP-only rules, 4188 are inspecting packet payload, 49016 inspect application layer, 109 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.[/quote]
So it works. The APT agent is no longer reported for the IPs 172.0.0.2 and 172.0.0.1.
To test, run:
[code]tail -f /var/log/suricata/fast.log[/code]
Then, on one of your Linux machines, run:
[code]apt update && apt upgrade -y[/code]
You should no longer see any APT lines in fast.log for the IP addresses of your Linux machines.
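As an added example (not part of the post above, and not Suricata's own code), here is a small Python script that reproduces the matching logic of the suppress entries in eve.json terms, so you can check offline which alerts a given threshold.conf would silence before restarting the sensor. The threshold.conf fragment repeats the four lines from the post and adds one extra line with `track by_either` and a CIDR, which Suricata's threshold documentation also accepts, to show that both forms work with the same logic; the eve.json records, the 10.20.0.0/24 network and the non-172.0.0.x addresses are constructed for the example. The parser only handles suppress lines with a literal IP or network, not address variables such as $HOME_NET, and not threshold or rate_filter lines.

```python
import ipaddress
import json
import re

# Constructed threshold.conf fragment: the four suppress lines from the post
# plus one extra line showing the by_either / CIDR forms Suricata also accepts.
THRESHOLD_CONF = """\
# Suppression of APT alerts for two specific IPs
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.1
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.1
suppress gen_id 1, sig_id 2013504, track by_either, ip 10.20.0.0/24
"""

# Constructed eve.json records (one JSON object per line, trimmed to the
# fields the suppress logic needs). Everything but the 172.0.0.x hosts is made up.
EVE_JSON = "\n".join(json.dumps(e) for e in [
    {"event_type": "alert", "src_ip": "172.0.0.2", "dest_ip": "198.51.100.10",
     "alert": {"gid": 1, "signature_id": 2013504}},
    {"event_type": "alert", "src_ip": "203.0.113.9", "dest_ip": "172.0.0.1",
     "alert": {"gid": 1, "signature_id": 2013504}},
    {"event_type": "alert", "src_ip": "172.0.0.3", "dest_ip": "198.51.100.10",
     "alert": {"gid": 1, "signature_id": 2013504}},
    {"event_type": "alert", "src_ip": "10.20.0.77", "dest_ip": "198.51.100.10",
     "alert": {"gid": 1, "signature_id": 2013504}},
    {"event_type": "alert", "src_ip": "172.0.0.2", "dest_ip": "198.51.100.10",
     "alert": {"gid": 1, "signature_id": 2100498}},
    {"event_type": "flow", "src_ip": "172.0.0.2", "dest_ip": "198.51.100.10"},
])

# Only the "suppress ... ip <literal address or network>" form is supported here.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,"
    r"\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+)$"
)


def parse_suppress_rules(text):
    """Return (gid, sid, track, network) tuples for every suppress line in text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comment lines
            continue
        m = SUPPRESS_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported threshold.conf line: {line!r}")
        gid, sid, track, addr = m.groups()
        # A bare IP becomes a /32 (or /128) network, so one membership test
        # covers both the single-host and the CIDR spelling. Raises ValueError
        # for anything that is not a literal address (e.g. $HOME_NET).
        rules.append((int(gid), int(sid), track, ipaddress.ip_network(addr, strict=False)))
    return rules


def is_suppressed(event, rules):
    """True if an eve.json alert record would be silenced by one of the rules."""
    if event.get("event_type") != "alert":
        return False
    alert = event["alert"]
    src = ipaddress.ip_address(event["src_ip"])
    dst = ipaddress.ip_address(event["dest_ip"])
    for gid, sid, track, net in rules:
        # Suppression is per signature: other sids from the same host still alert.
        if (gid, sid) != (alert["gid"], alert["signature_id"]):
            continue
        hit_src, hit_dst = src in net, dst in net
        if (track == "by_src" and hit_src) or (track == "by_dst" and hit_dst) \
                or (track == "by_either" and (hit_src or hit_dst)):
            return True
    return False


def surviving_alerts(eve_text, rules):
    """Alert records from eve.json text (one JSON object per line) not suppressed."""
    events = [json.loads(line) for line in eve_text.splitlines() if line.strip()]
    return [e for e in events if e.get("event_type") == "alert" and not is_suppressed(e, rules)]


if __name__ == "__main__":
    active = parse_suppress_rules(THRESHOLD_CONF)
    for e in surviving_alerts(EVE_JSON, active):
        print(f"still alerting: sid {e['alert']['signature_id']} {e['src_ip']} -> {e['dest_ip']}")
```

Feed `surviving_alerts` the contents of the real /var/log/suricata/eve.json and `parse_suppress_rules` the real threshold.conf to audit what your suppress lines actually cover. In the constructed data, the third record survives because 172.0.0.3 is not listed, and the fifth survives because suppression is per signature id, which is exactly the behaviour you want: APT noise from the named hosts disappears, everything else those hosts do still alerts.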