Hi, I received the following messages from the ipfire overnight until this morning. Can anyone help me figure out what they mean?
This is not a crash notification. It is a notification of an alert from your suricata.
You have obviously turned on the reporting and added a user email but left the severity of the reporting at one of the two lowest severity settings as you have been notified of a Low Severity detection.
As you have enabled the reporting it looks like you want the messages, but you might be better off setting the severity to “High and Medium Severity” or “High Severity Only”.
You can always look through the IPS Logs and see which of the messages, in terms of severity, you would like to get an immediate email about and which ones are okay to just get in the daily or weekly or monthly pdf reports.
The other thing you should note from this alert is that it has blocked the DNS Firewall trying to access the IPFire DBL for the list download or update.
If you have enabled the DNS Firewall then you need to find which suricata rule you have enabled as it is blocking it.
EDIT:
For information, the Hunting ruleset has the following description:
Hunting–This category is for signatures that provide indicators that when matched with other signatures can be very useful for threat hunting in an environment. These rules can provide false positives on legitimate traffic and inhibit performance. They are only recommended for use when actively researching potential threats in the environment.
Yes, don’t enable that category.
You are blocking Unbound checking the DNSSEC trust anchor.
OK, but where exactly is that mentioned in the rules?
I can’t copy the appropriate bit from the message as it is provided as an image.
The signature says ET HUNTING so the provider is Emerging Threats (ET) and the ruleset is HUNTING.
So if you press the Customize ruleset button you will find a list of rulesets and one of them will be

In my case this is not selected.
The simplest thing is for you to unselect this list unless you are actively researching potential threats in your environment; otherwise you need to find the rule that is highlighted. But as this list is quite high on false positives, as mentioned in the Emerging Threats description for the Hunting ruleset, I think your best bet is to just unselect the whole of the ET HUNTING ruleset.
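The advice above (check the IPS logs for which alerts deserve an immediate email, and find which provider/ruleset a signature such as "ET HUNTING ..." belongs to so the right ruleset can be unselected) can be done offline over Suricata's fast.log. The script below is an added example, not code from the thread or from IPFire: it parses fast.log-style alert lines, reads the provider and ruleset from the signature name, and picks out the alerts that a "High and Medium" style setting would email. The sample log lines, the sids in the 9xxxxxx range and the signature names are constructed for this example and are not real ET rules; the mapping of Suricata priority 1/2/3 to high/medium/low is Suricata's classification.config convention and the assumption here for what IPFire's severity setting corresponds to.

```python
import re
from collections import Counter

# Suricata fast.log layout: one alert per line. Regex written from the documented
# fast.log format, not taken from Suricata or IPFire sources.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Suricata's classification.config convention: 1 is the highest priority.
# Assumed to match IPFire's "High / Medium / Low" severity wording.
PRIORITY_NAMES = {1: "high", 2: "medium", 3: "low", 4: "very low"}

# Constructed sample alerts (placeholder sids, made-up signature names).
SAMPLE_FAST_LOG = """\
05/01/2024-02:14:07.112233  [**] [1:9000001:1] ET HUNTING Example DNS query to an external resolver [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.1:44123 -> 198.51.100.7:53
05/01/2024-02:14:09.556677  [**] [1:9000002:1] ET HUNTING Example plain HTTP download of a list file [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.1:50100 -> 203.0.113.5:80
05/01/2024-03:00:00.000000  [**] [1:9000003:2] ET MALWARE Example known C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.23:51234 -> 203.0.113.9:443
05/01/2024-03:30:12.000000  [**] [1:9000004:1] ET INFO Example software update check [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.23:52000 -> 203.0.113.11:443
this line is not a fast.log alert and must be skipped
"""


def split_ruleset(msg):
    """'ET HUNTING Foo' -> ('ET', 'HUNTING'). Signatures not prefixed with 'ET'
    return the first word as provider and an empty ruleset."""
    parts = msg.split(maxsplit=2)
    if len(parts) >= 2 and parts[0] == "ET":
        return parts[0], parts[1]
    return (parts[0] if parts else "", "")


def parse_alert(line):
    """Return a dict for one fast.log alert line, or None if it is not one."""
    m = FAST_LOG_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["priority"] = int(alert["priority"])
    alert["severity"] = PRIORITY_NAMES.get(alert["priority"], "unknown")
    alert["provider"], alert["ruleset"] = split_ruleset(alert["msg"])
    return alert


def parse_fast_log(text):
    """Parse every alert line in a fast.log, silently skipping non-alert lines."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def alerts_to_email(alerts, worst_priority=2):
    """Alerts that would be emailed under a 'High and Medium Severity' setting
    (assumed: priority 1 = high, 2 = medium). Use worst_priority=1 for 'High only'."""
    return [a for a in alerts if a["priority"] <= worst_priority]


def count_by_ruleset(alerts):
    """How many alerts each provider/ruleset produced, e.g. {'ET HUNTING': 2}."""
    return Counter(f'{a["provider"]} {a["ruleset"]}'.strip() for a in alerts)


def sids_for_ruleset(alerts, provider, ruleset):
    """The sids that fired from one ruleset; these are the rules to disable
    individually if you do not want to unselect the whole ruleset."""
    return sorted({a["sid"] for a in alerts
                   if a["provider"] == provider and a["ruleset"] == ruleset})


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for a in alerts:
        print(f'{a["severity"]:>8}  sid {a["sid"]}  {a["provider"]} {a["ruleset"]}  {a["msg"]}')
    print("alerts per ruleset:", dict(count_by_ruleset(alerts)))
    print("would be emailed (high+medium):",
          [a["sid"] for a in alerts_to_email(alerts)])
    print("ET HUNTING sids to review or disable:", sids_for_ruleset(alerts, "ET", "HUNTING"))
```

Run against the real fast.log (read the file instead of SAMPLE_FAST_LOG) to see which rulesets generate the low-severity noise and whether anything from a ruleset you actually want to keep would be lost by raising the email threshold.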