Suricata Rules Best Practices?

I’m going through my Suricata alerts to try and filter out bad alerts and it’s catching so many false positives that I would block my own systems regularly if I were to turn blocking on.

Example: if someone tries to print to a printer and Suricata detects an Applayer Protocol skipped or malformed packet and logs it, well, there goes my printer into the blocked list.

I can’t babysit the alert page 24/7 to keep disabling false positives, and disabling all the Suricata rules would make Suricata pointless. So what are the best practices for Suricata alerts?

Because the rules keep updating, there are always going to be some false positives. This is what SOC teams do: go through logs and make determinations.
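As an added example (not code from this thread or from the Suricata project) of the "go through the logs and make determinations" step: the script below reads Suricata EVE JSON (`eve.json`) alert records, groups hits per signature and source address, and flags signatures where one host accounts for nearly all the hits. That pattern is the printer case from the question, and the usual fix is a per-host `suppress` entry in Suricata's threshold file (the real `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax, loaded via the `threshold-file` setting in `suricata.yaml`) rather than disabling the rule for everyone. The sample EVE lines, the signature IDs (local-rule range) and the hosts are all constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed eve.json lines (not captured from a real sensor). The signature
# IDs and names are placeholders in the local-rule range, not real ET/Suricata SIDs.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","proto":"TCP","alert":{"gen_id":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED applayer protocol mismatch","severity":3}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","proto":"TCP","alert":{"gen_id":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED applayer protocol mismatch","severity":3}}
{"timestamp":"2024-01-01T10:00:09.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","proto":"TCP"}
{"timestamp":"2024-01-01T10:01:12.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","proto":"TCP","alert":{"gen_id":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED applayer protocol mismatch","severity":3}}
{"timestamp":"2024-01-01T10:02:30.000000+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"192.168.1.10","proto":"TCP","alert":{"gen_id":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED applayer protocol mismatch","severity":3}}
{"timestamp":"2024-01-01T10:03:44.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"192.168.1.10","proto":"TCP","alert":{"gen_id":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED applayer protocol mismatch","severity":3}}
{"timestamp":"2024-01-01T10:05:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","proto":"TCP","alert":{"gen_id":1,"signature_id":1000002,"rev":1,"signature":"CONSTRUCTED suspicious outbound connection","severity":2}}
{"timestamp":"2024-01-01T10:06:00.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.9","proto":"TCP","alert":{"gen_id":1,"signature_id":1000002,"rev":1,"signature":"CONSTRUCTED suspicious outbound connection","severity":2}}
"""


def parse_eve_alerts(text):
    """Return the alert records from EVE JSON text, skipping other event types."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def alerts_by_sid(alerts):
    """Map signature_id -> Counter of src_ip hits, and signature_id -> rule name."""
    hits = defaultdict(Counter)
    names = {}
    for rec in alerts:
        sid = rec["alert"]["signature_id"]
        hits[sid][rec["src_ip"]] += 1
        names[sid] = rec["alert"]["signature"]
    return hits, names


def suppression_candidates(alerts, min_hits=3, min_share=0.8):
    """Return (sid, src_ip, hits) for signatures dominated by a single source.

    A rule that fires almost only for one known host (the printer in the thread)
    is a candidate for a per-IP suppress; a rule whose hits are spread across
    many hosts is left alone so it still gets a human look.
    """
    hits, _ = alerts_by_sid(alerts)
    candidates = []
    for sid, per_src in sorted(hits.items()):
        total = sum(per_src.values())
        ip, n = per_src.most_common(1)[0]
        if n >= min_hits and n / total >= min_share:
            candidates.append((sid, ip, n))
    return candidates


def render_suppress(candidates):
    """Render threshold.config suppress lines in Suricata's own syntax."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {ip}"
            for sid, ip, _ in candidates]


if __name__ == "__main__":
    alerts = parse_eve_alerts(SAMPLE_EVE)
    hits, names = alerts_by_sid(alerts)
    for sid, per_src in sorted(hits.items()):
        print(f"sid {sid} ({names[sid]}): {dict(per_src)}")
    for line in render_suppress(suppression_candidates(alerts)):
        print(line)
```

Running it on the constructed sample lists both signatures with their per-source counts and emits one suppress line for the printer host only; the outbound-connection signature is left untouched because its two hits come from different hosts. Review each emitted line before adding it to the threshold file, since the script only surfaces candidates and cannot tell a noisy printer from a noisy compromised host.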
