Wiki

User Tools

Site Tools

Trace:
pfsense:suricata:alerts

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
pfsense:suricata:alerts [2021/01/15 18:36] peterpfsense:suricata:alerts [2021/01/21 10:26] (current) peter
Line 1: Line 1:
 ====== PFSense - Suricata - Alerts ====== ====== PFSense - Suricata - Alerts ======
 +
 +See [[https://redmine.openinfosecfoundation.org/projects/suricata|Suricata Redmine site]] for further information.
 +
 +----
 +
 +[[PFSense:Suricata:Alerts:Disable an entire group of rules|Disable an entire group of rules]]
 +
 +----
 +
  
 [[PFSense:Suricata:Alerts:ET CINS Active Threat Intelligence Poor Reputation IP|ET CINS Active Threat Intelligence Poor Reputation IP]] [[PFSense:Suricata:Alerts:ET CINS Active Threat Intelligence Poor Reputation IP|ET CINS Active Threat Intelligence Poor Reputation IP]]
Line 8: Line 17:
  
 [[PFSense:Suricata:Alerts:ET SCAN Internal Dummy Connection User-Agent Inbound|ET SCAN Internal Dummy Connection User-Agent Inbound]] [[PFSense:Suricata:Alerts:ET SCAN Internal Dummy Connection User-Agent Inbound|ET SCAN Internal Dummy Connection User-Agent Inbound]]
 +
 +[[PFSense:Suricata:Alerts:ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response|ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response]]
  
 [[PFSense:Suricata:Alerts:ET SCAN Sipvicious User-Agent Detected (friendly-scanner)|ET SCAN Sipvicious User-Agent Detected (friendly-scanner)]] [[PFSense:Suricata:Alerts:ET SCAN Sipvicious User-Agent Detected (friendly-scanner)|ET SCAN Sipvicious User-Agent Detected (friendly-scanner)]]
 +
 +[[PFSense:Suricata:Alerts:ET TOR Known Tor Exit Node Traffic group 60|ET TOR Known Tor Exit Node Traffic group 60]]
  
 [[PFSense:Suricata:Alerts:ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26|ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26]] [[PFSense:Suricata:Alerts:ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26|ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26]]
  
 [[PFSense:Suricata:Alerts:SURICATA Applayer Mismatch protocol both directions|SURICATA Applayer Mismatch protocol both directions]] [[PFSense:Suricata:Alerts:SURICATA Applayer Mismatch protocol both directions|SURICATA Applayer Mismatch protocol both directions]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA Applayer Wrong direction first Data|SURICATA Applayer Wrong direction first Data]]
  
 [[PFSense:Suricata:Alerts:SURICATA HTTP Host header invalid|SURICATA HTTP Host header invalid]] [[PFSense:Suricata:Alerts:SURICATA HTTP Host header invalid|SURICATA HTTP Host header invalid]]
Line 22: Line 37:
  
 [[PFSense:Suricata:Alerts:SURICATA HTTP unable to match response to request|SURICATA HTTP unable to match response to request]] [[PFSense:Suricata:Alerts:SURICATA HTTP unable to match response to request|SURICATA HTTP unable to match response to request]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA ICMPv4 invalid checksum|SURICATA ICMPv4 invalid checksum]]
  
 [[PFSense:Suricata:Alerts:SURICATA IKEv2 weak cryptographic parameters (Auth)|SURICATA IKEv2 weak cryptographic parameters (Auth)]] [[PFSense:Suricata:Alerts:SURICATA IKEv2 weak cryptographic parameters (Auth)|SURICATA IKEv2 weak cryptographic parameters (Auth)]]
Line 32: Line 49:
  
 [[PFSense:Suricata:Alerts:SURICATA STREAM 3way handshake SYNACK with wrong ack|SURICATA STREAM 3way handshake SYNACK with wrong ack]] [[PFSense:Suricata:Alerts:SURICATA STREAM 3way handshake SYNACK with wrong ack|SURICATA STREAM 3way handshake SYNACK with wrong ack]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA STREAM 3way handshake SYNACK resend with different ack|SURICATA STREAM 3way handshake SYNACK resend with different ack]]
  
 [[PFSense:Suricata:Alerts:SURICATA STREAM 3way handshake SYN resend different seq on SYN recv|SURICATA STREAM 3way handshake SYN resend different seq on SYN recv]] [[PFSense:Suricata:Alerts:SURICATA STREAM 3way handshake SYN resend different seq on SYN recv|SURICATA STREAM 3way handshake SYN resend different seq on SYN recv]]
Line 40: Line 59:
  
 [[PFSense:Suricata:Alerts:SURICATA STREAM CLOSEWAIT FIN out of window|SURICATA STREAM CLOSEWAIT FIN out of window]] [[PFSense:Suricata:Alerts:SURICATA STREAM CLOSEWAIT FIN out of window|SURICATA STREAM CLOSEWAIT FIN out of window]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA STREAM ESTABLISHED invalid ack|SURICATA STREAM ESTABLISHED invalid ack]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA STREAM ESTABLISHED packet out of window|SURICATA STREAM ESTABLISHED packet out of window]]
  
 [[PFSense:Suricata:Alerts:SURICATA STREAM excessive retransmissions|SURICATA STREAM excessive retransmissions]] [[PFSense:Suricata:Alerts:SURICATA STREAM excessive retransmissions|SURICATA STREAM excessive retransmissions]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA STREAM FIN invalid ack|SURICATA STREAM FIN invalid ack]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA STREAM FIN out of window|SURICATA STREAM FIN out of window]]
  
 [[PFSense:Suricata:Alerts:SURICATA STREAM Packet with invalid ack|SURICATA STREAM Packet with invalid ack]] [[PFSense:Suricata:Alerts:SURICATA STREAM Packet with invalid ack|SURICATA STREAM Packet with invalid ack]]
Line 48: Line 75:
  
 [[PFSense:Suricata:Alerts:SURICATA STREAM reassembly overlap with different data|SURICATA STREAM reassembly overlap with different data]] [[PFSense:Suricata:Alerts:SURICATA STREAM reassembly overlap with different data|SURICATA STREAM reassembly overlap with different data]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA STREAM SHUTDOWN RST invalid ack|SURICATA STREAM SHUTDOWN RST invalid ack]]
  
 [[PFSense:Suricata:Alerts:SURICATA STREAM TIMEWAIT ACK with wrong seq|SURICATA STREAM TIMEWAIT ACK with wrong seq]] [[PFSense:Suricata:Alerts:SURICATA STREAM TIMEWAIT ACK with wrong seq|SURICATA STREAM TIMEWAIT ACK with wrong seq]]
  
 [[PFSense:Suricata:Alerts:SURICATA UDPv4 invalid checksum|SURICATA UDPv4 invalid checksum]] [[PFSense:Suricata:Alerts:SURICATA UDPv4 invalid checksum|SURICATA UDPv4 invalid checksum]]
 +
 +[[PFSense:Suricata:Alerts:SURICATA TLS invalid handshake message|SURICATA TLS invalid handshake message]]
  
 [[PFSense:Suricata:Alerts:SURICATA TLS invalid record/traffic|SURICATA TLS invalid record/traffic]] [[PFSense:Suricata:Alerts:SURICATA TLS invalid record/traffic|SURICATA TLS invalid record/traffic]]
Line 57: Line 88:
 [[PFSense:Suricata:Alerts:SURICATA TLS invalid record type|SURICATA TLS invalid record type]] [[PFSense:Suricata:Alerts:SURICATA TLS invalid record type|SURICATA TLS invalid record type]]
  
----- +[[PFSense:Suricata:Alerts:SURICATA TLS invalid TLS header|SURICATA TLS invalid TLS header]]
- +
-===== Disable an entire group of rules ===== +
- +
-Navigate to **Services -> Suricata -> Interfaces -> edit > WAN(interface) -> Rules**.+
  
-Select the specific group, for example: 
  
-<code> 
-stream-events.rules 
-</code> 
  
-Disable. 
  
 ---- ----
pfsense/suricata/alerts.1610735771.txt.gz · Last modified: 2021/01/15 18:36 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki