I am new to Graylog and find it to be an amazing tool. We have deployed Suricata signatures on our firewall which is sending logs to Graylog. We have configured Alerts in such a way that anything that is Level 1, 2, 3 in Suricata will be triggered. My question is how do i reduce the False Positives usign the Alerts feature in Graylog? Can i specify IP addresses so that a signature for that particular IP address will not be triggered?
Thanks in advance for your help.
Depending on how many addresses, could one or more of “AND NOT” expressions be a solution in your event rule?
ie find firewall rule with tracker ID 1483595106 and not containing your subnet 192.168.16.0/24
1483595106 AND NOT 192.168.16.*
I haven’t used them myself but I think a lookup table would also work. I don’t think you can use lookups in Events but you can in extractors so maybe you could set an “exclusion” field to 1 if the IP address from your firewall is in a lookup list and use “AND NOT” logic on that field in your Alert.
Anyway I’m sure there are better ways but that’s my suggestion.