Hi everyone,

I have an issue which I can't resolve. I have Googled this a lot but can't understand how I can achieve my goal.

I am sending Suricata alerts to Splunk. They are in JSON format. There are tons of alerts, so I want to make a filter. Most of them of course are False-Positive. I know about Suricata disable.conf and threshhold.conf but they can't provide the level of accuracy I need. Disable.conf will totally disable, but this can be appropriate only for a few rules. Threshold.conf can disable alerts based on src_ip or dst_ip, not both, and without mention of ports. So, Suricata doesn't provide any mechanism to effectively filter alerts. Provided methods can only make very "rude" filtering.

What I want is to filter events based on src_ip, src_port, dest_ip, dest_port.
Also there must be someplace where I could store and update conditions.
CSV file and lookup seem suitable for this purpose.

For example, I have a regular alert which has these values:

signature_id: 1111
src_ip - 192.168.1.1
src_port - 12345
dst_ip - 192.168.1.2
dst_port - 445

To exclude this particular event from search the CSV could be as follows:

"sid","s_ip","s_port","d_ip","d_port"
"1111","192.168.1.1","12345","192.168.1.2","445"

Also, in many cases it will be necessary to use a wildcard * for any field or having more than 1 string for a particular signature.

For example:

"sid","s_ip","s_port","d_ip","d_port"
"9999","192.168.2.3"," *","192.168.2.5"," *"
"9999","192.168.2.4"," *","192.168.2.5"," *"

So, I need to make a search in Splunk that is similar to something like the following: "Show me all alerts except some of them which can be excluded based on conditions from a lookup (which is based on CSV)."

I made something close to my goal, but it doesn't work the way that I need it to.

index=suricata_alerts
NOT (
    [inputlookup suricata_alerts_exclusions | fields sid    | rename sid    as alert.signature_id] AND
    [inputlookup suricata_alerts_exclusions | fields s_ip   | rename s_ip   as src_ip] AND
    [inputlookup suricata_alerts_exclusions | fields s_port | rename s_port as src_port] AND
    [inputlookup suricata_alerts_exclusions | fields d_ip   | rename d_ip   as dest_ip] AND
    [inputlookup suricata_alerts_exclusions | fields d_port | rename d_port as dest_port]
    )

If I have the next CSV look like this:

"sid","s_ip","s_port","d_ip","d_port"
"1111","192.168.1.1","12345","192.168.1.2","445"
"2222"," *"," *","192.168.1.2"," *"

The next alert will be excluded:

signature_id: 1111
src_ip - ANY
src_port - ANY
dst_ip - 192.168.1.2
dst_port - 445

As you can see, I have strict conditions for Signature ID 1111. But because of wildcards in the third row it applies to any row in the CSV. In other words, this search considers any value from any row.

Obviously, my search returns all events which simultaneously correspond to ANY of values in the COLUMN (in CSV). They are not limited by rows.

Please give me some advice on how to create a search that will be able to process the aforementioned CSV's correctly. Or maybe there is another way to filter events by "sid","s_ip","s_port","d_ip","d_port" using exact or wildcard values.