Code:
nano /etc/suricata/threshold.conf

Code:
# Suppress the APT alerts for two specific IPs
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.1
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.1

Code:
systemctl restart suricata
suricata -T

So it works. The APT agent is no longer reported for the IPs 172.0.0.2 and 172.0.0.1.

Notice: suricata: This is Suricata version 7.0.10 RELEASE running in SYSTEM mode
Info: cpu: CPUs/cores online: 4
Info: affinity: can't get cpu-affinity node
Info: suricata: Running suricata under test mode
Info: suricata: Setting engine mode to IDS mode by default
Info: suricata: No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'
Info: logopenfile: fast output device (regular) initialized: fast.log
Info: logopenfile: eve-log output device (regular) initialized: eve.json
Info: detect: 1 rule files processed. 54317 rules successfully loaded, 0 rules failed, 0
Info: threshold-config: Threshold config parsed: 4 rule(s) found
Info: detect: 54320 signatures processed. 944 are IP-only rules, 4188 are inspecting packet payload, 49016 inspect application layer, 109 are decoder event only
Notice: suricata: Configuration provided was successfully loaded. Exiting.
To test:

Code:
tail -f /var/log/suricata/fast.log

Code:
apt update && apt upgrade -y
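Watching fast.log by hand only shows what still fires; it does not tell you whether a given suppress entry is the one that silenced an alert, or whether a host you forgot is still producing noise. The script below is an added example (not from the forum post or the Suricata project): it parses the four suppress lines as Suricata's threshold.conf expects them (gen_id, sig_id, track by_src/by_dst/by_either, ip with an optional CIDR mask), parses fast.log lines, and reports which alerts the entries would suppress and which remain. The threshold.conf text and the fast.log lines are constructed samples; the rule message text for sid 2013504 is taken from the Emerging Threats rule the post is suppressing, and sid 1000001 is a made-up local-rule id used only to show that suppression is per signature. Address variables such as $HOME_NET are accepted but cannot be resolved offline, so entries using them are skipped with a note.

```python
import ipaddress
import re

# Constructed copy of the suppress entries from the post (not the author's actual file).
THRESHOLD_CONF = """\
# Suppress the APT alerts for two specific IPs
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_src, ip 172.0.0.1
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.2
suppress gen_id 1, sig_id 2013504, track by_dst, ip 172.0.0.1
"""

APT_MSG = "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"

# Constructed fast.log lines in Suricata's fast.log layout; sid 1000001 is a made-up local rule id.
SAMPLE_FAST_LOG = [
    f"03/16/2024-12:00:00.000001  [**] [1:2013504:6] {APT_MSG} [**] [Classification: Not Suspicious Traffic] [Priority: 3] {{TCP}} 172.0.0.2:43210 -> 151.101.0.204:80",
    f"03/16/2024-12:00:01.000002  [**] [1:2013504:6] {APT_MSG} [**] [Classification: Not Suspicious Traffic] [Priority: 3] {{TCP}} 172.0.0.1:43211 -> 151.101.0.204:80",
    f"03/16/2024-12:00:02.000003  [**] [1:2013504:6] {APT_MSG} [**] [Classification: Not Suspicious Traffic] [Priority: 3] {{TCP}} 10.0.0.5:43212 -> 151.101.0.204:80",
    "03/16/2024-12:00:03.000004  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.0.0.2:43213 -> 151.101.0.204:80",
]

# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|cidr|$VAR>
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)\s*,\s*"
    r"track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+)\s*$"
)

# [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)$"
)


def parse_suppress_rules(text):
    """Return the suppress entries of a threshold.conf as dicts; other entry types are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("suppress"):
            continue  # comments, blanks, and threshold/rate_filter entries are out of scope here
        m = SUPPRESS_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed suppress entry: {line}")
        gid, sid, track, ip = m.groups()
        # A bare host becomes a /32 (or /128); $VAR stays a string because it needs suricata.yaml to resolve.
        net = ip if ip.startswith("$") else ipaddress.ip_network(ip, strict=False)
        rules.append({"gid": int(gid), "sid": int(sid), "track": track, "net": net})
    return rules


def parse_fast_log(line):
    """Parse one fast.log line into an alert dict, or None if it is not an alert line."""
    m = FAST_LOG_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg, proto, src, _sport, dst, _dport = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def is_suppressed(alert, rules):
    """True if any suppress entry matches this alert's signature and tracked address."""
    for r in rules:
        if (r["gid"], r["sid"]) != (alert["gid"], alert["sid"]):
            continue  # suppression is per signature: other sids from the same host still fire
        if isinstance(r["net"], str):
            continue  # unresolved address variable; cannot be evaluated offline
        hit_src = alert["src"] in r["net"]
        hit_dst = alert["dst"] in r["net"]
        if r["track"] == "by_src" and hit_src:
            return True
        if r["track"] == "by_dst" and hit_dst:
            return True
        if r["track"] == "by_either" and (hit_src or hit_dst):
            return True
    return False


def audit(conf_text, log_lines):
    """Split fast.log alerts into (suppressed, remaining) under the given threshold.conf."""
    rules = parse_suppress_rules(conf_text)
    suppressed, remaining = [], []
    for line in log_lines:
        alert = parse_fast_log(line)
        if alert is not None:
            (suppressed if is_suppressed(alert, rules) else remaining).append(alert)
    return suppressed, remaining


if __name__ == "__main__":
    done, left = audit(THRESHOLD_CONF, SAMPLE_FAST_LOG)
    print(f"{len(done)} alert(s) covered by suppress entries, {len(left)} still firing:")
    for a in left:
        print(f"  sid {a['sid']} {a['src']} -> {a['dst']}: {a['msg']}")
```

Run it against the real file with `audit(open("/etc/suricata/threshold.conf").read(), open("/var/log/suricata/fast.log"))` after `suricata -T` has confirmed the entries parse. Two things the sample output makes visible that the post's tail -f does not: the third line (a host not listed in threshold.conf) still fires, and the fourth shows that suppressing sid 2013504 leaves every other signature from 172.0.0.2 untouched, which is the intended, narrow effect of suppress as opposed to disabling the rule.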