I'm going through my Suricata alerts to try to filter out bad alerts, and it's catching so many false positives that I would regularly block my own systems if I turned blocking on.
Example: if someone tries to print to a printer and Suricata detects an Applayer Protocol skipped or malformed packet and logs it, well, there goes my printer onto the blocked list.
I can't babysit the alert page 24/7 to keep disabling false positives, and disabling all the Suricata rules would make Suricata pointless. So what are the best practices for Suricata alerts?
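Added example (editor's code, not part of the original post or of Suricata itself): the usual way to handle noise like the printer case above is to triage `eve.json` by signature and source host, then write `threshold.config` entries rather than disabling rules or touching the alert page by hand. The script below parses a constructed sample of `eve.json` alert lines, groups hits by `gid`/`sid`, and emits Suricata `suppress` lines for signatures that only ever fire from internal hosts, plus a `threshold ... type limit` line for everything else so a burst logs once per window instead of flooding. The internal networks are the RFC 1918 ranges; the log records, hosts, and signature IDs in the sample are placeholders, so check the `sid` values against your own rules files before using the output.

```python
import json
import ipaddress

# Constructed eve.json lines for illustration (not real logs). Hosts, timestamps
# and signature IDs are placeholders; one line is deliberately malformed.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.25","dest_ip":"10.0.0.50","dest_port":9100,"proto":"TCP","alert":{"gid":1,"signature_id":2260003,"rev":1,"signature":"SURICATA Applayer Protocol detection skipped","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.25","dest_ip":"10.0.0.50","dest_port":9100,"proto":"TCP","alert":{"gid":1,"signature_id":2260003,"rev":1,"signature":"SURICATA Applayer Protocol detection skipped","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.31","dest_ip":"10.0.0.50","dest_port":9100,"proto":"TCP","alert":{"gid":1,"signature_id":2260003,"rev":1,"signature":"SURICATA Applayer Protocol detection skipped","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.25","dest_ip":"10.0.0.50","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2024-05-01T10:00:06.000000+0000","event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":1}}
this line is not json and must be skipped
"""

# Assumed "internal" address space (RFC 1918); adjust to your own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_alerts(text):
    """Return only event_type == "alert" records; skip blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def is_internal(ip, nets=INTERNAL_NETS):
    """True if ip parses and falls inside one of the internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def summarize(alerts):
    """Group alerts by (gid, sid): hit count, signature name, set of source hosts."""
    summary = {}
    for rec in alerts:
        a = rec["alert"]
        key = (a["gid"], a["signature_id"])
        entry = summary.setdefault(
            key, {"signature": a["signature"], "count": 0, "src_ips": set()}
        )
        entry["count"] += 1
        entry["src_ips"].add(rec["src_ip"])
    return summary


def threshold_lines(summary, min_count=2, window=60):
    """Emit threshold.config lines.

    Signatures that fired at least min_count times and only from internal
    hosts get a per-source 'suppress' (no alert at all for that host).
    Every other noisy signature gets 'type limit' so one alert per source
    per window is logged instead of every packet in a burst.
    """
    lines = []
    for (gid, sid), e in sorted(summary.items()):
        if e["count"] < min_count:
            continue
        if all(is_internal(ip) for ip in e["src_ips"]):
            lines.append(f"# {e['signature']} ({e['count']} hits, internal sources only)")
            for ip in sorted(e["src_ips"]):
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
        else:
            lines.append(f"# {e['signature']} ({e['count']} hits, rate-limited)")
            lines.append(
                f"threshold gen_id {gid}, sig_id {sid}, type limit, "
                f"track by_src, count 1, seconds {window}"
            )
    return lines


if __name__ == "__main__":
    print("\n".join(threshold_lines(summarize(parse_alerts(SAMPLE_EVE)))))
```

Run it over a real `eve.json` and review the output before appending it to `threshold.config`; a `suppress` line only silences logging for that host and signature, it does not fix whatever made the protocol detection fail, so keep the rate-limited form for anything that reaches you from outside. Separately, the app-layer event rules (the "SURICATA Applayer ..." signatures) are protocol-anomaly notices rather than attack detections, so if you do run inline, leave them as `alert` rules and never as `drop`, and let only a vetted subset of rules block.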