Poor Reputation Groups

Started by spetrillo, February 09, 2024, 04:56:22 PM

Hello all,

I have a lot of poor reputation group alerts in Suricata. Is there a way to drop them en masse, rather than having to hit them one at a time? Is there a downside to dropping them en masse?

Thanks,
Steve

Suricata provides the flexibility to handle alerts, including those related to poor reputation groups, in various ways. Dropping alerts en masse can be a quick solution, but it's essential to consider potential downsides and implications. Suricata rules can be configured to take specific actions upon triggering an alert, such as dropping packets associated with the alert. You can configure Suricata to drop packets for all alerts matching a particular rule or category. This approach involves modifying the Suricata configuration file to adjust the action taken for alerts from poor reputation groups. You would modify the "drop" action for the relevant rule or category. Dropping alerts en masse can be effective in blocking potentially malicious traffic associated with poor reputation groups, thereby reducing the risk of security incidents.
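The reply above describes the change in general terms. As an added example (not code from the thread or from the Suricata project), the script below does the bulk conversion it describes: every enabled `alert` rule whose `msg` matches a pattern (here "Poor Reputation") is rewritten to `drop`, while disabled rules (leading `#`) and unrelated rules are passed through untouched. The rules embedded in it are constructed for the example, with local-range SIDs, not real ET rule text.

```python
import re

# Constructed sample rules for the example (local-range SIDs, not real ET rule text).
SAMPLE_RULES = """\
alert ip [192.0.2.0/24] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip [198.51.100.0/24] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 2"; classtype:misc-attack; sid:9000002; rev:1;)
# alert ip [203.0.113.0/24] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 3"; classtype:misc-attack; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S; classtype:attempted-recon; sid:9000004; rev:1;)
"""

# A Suricata rule line is "<action> <header> (<options>)".  Only enabled rules
# whose action is "alert" are candidates; disabled rules start with "#" and
# never match this pattern, so they are left alone.
RULE_RE = re.compile(r'^alert(?P<rest>\s+\S.*\(.*\)\s*)$')
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+);')


def convert_to_drop(rules_text, msg_pattern):
    """Return (rewritten_rules, changed_sids).

    Every enabled 'alert' rule whose msg matches msg_pattern (a regex,
    matched case-insensitively) becomes a 'drop' rule.  All other lines are
    copied through unchanged so the result is still a valid rules file.
    """
    pat = re.compile(msg_pattern, re.IGNORECASE)
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            msg = MSG_RE.search(line)
            if msg and pat.search(msg.group(1)):
                line = "drop" + m.group("rest")
                sid = SID_RE.search(line)
                changed.append(int(sid.group(1)) if sid else -1)
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    # Usage: python3 convert_to_drop.py < suricata.rules > suricata-drop.rules
    import sys
    text = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    new_text, sids = convert_to_drop(text, r"Poor Reputation")
    sys.stdout.write(new_text)
    sys.stderr.write(f"converted {len(sids)} rule(s) to drop: {sids}\n")
```

Two caveats before doing this on a live sensor. First, a rewritten rules file is overwritten by the next rule update; if the rules are managed by suricata-update, the persistent way to do the same thing is a line in its `modify.conf`, for example `re:Poor Reputation "^alert" "drop"`, so the action change is re-applied on every update. Second, `drop` only takes effect when Suricata runs inline (IPS mode); in IDS mode a drop rule still just alerts. The downside the original question asks about is that these rules match on address lists alone, with no payload condition, so the usual false-positive risk of an IP-reputation feed now turns into blocked traffic rather than a log line. Validate the result with `suricata -T -c /etc/suricata/suricata.yaml` before reloading.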

Let me ask the question in a different way...

I am noticing that the drops I set up are still showing up in the log. I do not care to see them. Is there a way to have them removed from the log, so I can see what is still in Alert status?
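The thread does not answer this follow-up. As an added example (not from the thread), the script below separates the two kinds of entries without changing what Suricata logs: each alert record in eve.json carries an `alert.action` field that is "blocked" when the packet was dropped and "allowed" when the rule only alerted, so the entries still in alert status are the "allowed" ones. The EVE records embedded below are constructed for the example and use the same local-range SIDs as the conversion example above; the field layout is Suricata's eve.json alert event shape.

```python
import json

# Constructed eve.json lines (two alerts from drop rules, one alert-only rule,
# and a flow event that must be ignored).  Not real sensor output.
SAMPLE_EVE = "\n".join(json.dumps(ev) for ev in [
    {"timestamp": "2024-02-09T16:56:22.000000+0000", "event_type": "alert",
     "src_ip": "192.0.2.10", "dest_ip": "10.0.0.5", "proto": "TCP",
     "alert": {"action": "blocked", "signature_id": 9000001, "rev": 1,
               "signature": "ET CINS Active Threat Intelligence Poor Reputation IP group 1"}},
    {"timestamp": "2024-02-09T16:56:23.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1", "proto": "UDP"},
    {"timestamp": "2024-02-09T16:56:24.000000+0000", "event_type": "alert",
     "src_ip": "198.51.100.7", "dest_ip": "10.0.0.5", "proto": "TCP",
     "alert": {"action": "blocked", "signature_id": 9000002, "rev": 1,
               "signature": "ET CINS Active Threat Intelligence Poor Reputation IP group 2"}},
    {"timestamp": "2024-02-09T16:56:25.000000+0000", "event_type": "alert",
     "src_ip": "203.0.113.9", "dest_ip": "10.0.0.5", "proto": "TCP",
     "alert": {"action": "allowed", "signature_id": 9000004, "rev": 1,
               "signature": "ET SCAN Potential SSH Scan"}},
]) + "\n"


def alerts_by_action(eve_text):
    """Split eve.json alert events into (blocked, allowed) lists.

    'blocked' are alerts from rules whose packet was dropped, 'allowed' are
    alerts the engine only logged.  Non-alert events and unparsable lines
    (eve.json can have a partially written last line) are skipped.
    """
    blocked, allowed = [], []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        action = ev.get("alert", {}).get("action")
        (blocked if action == "blocked" else allowed).append(ev)
    return blocked, allowed


def still_alerting(eve_text):
    """Distinct (sid, signature) pairs for rules that fired without a drop,
    i.e. what is still in alert status once the drop entries are set aside."""
    _, allowed = alerts_by_action(eve_text)
    return sorted({(e["alert"]["signature_id"], e["alert"]["signature"]) for e in allowed})


if __name__ == "__main__":
    # Usage: python3 still_alerting.py < /var/log/suricata/eve.json
    import sys
    text = SAMPLE_EVE if sys.stdin.isatty() else sys.stdin.read()
    for sid, sig in still_alerting(text):
        print(f"{sid}\t{sig}")
```

The same filter as a one-liner on a live log is `jq -c 'select(.event_type=="alert" and .alert.action=="allowed") | {sid: .alert.signature_id, sig: .alert.signature}' /var/log/suricata/eve.json`. This distinction only exists when Suricata runs inline; in IDS mode no packet is dropped, whatever the rule action says, so the drop rules' entries will not show up as "blocked".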