Netgate Discussion Forum
    Suricata & Snort Suppression List

      ghkrauss

      Gentlemen:

      I am currently using Suricata with Emerging Threats ETPro. I have a suppression list and have found that a number of times suppressed alerts ("grayed out") still caused an IP to be blocked. This now has seemingly stopped with Suricata, but I find the issue continues to occur with Snort. Has anyone noticed this issue?

        bmeeks

        A couple of issues can cause this. One is Snort did not get restarted when the last change was made to the suppress list. This should have automatically happened, but perhaps did not. A second, more rare possibility is that you have a duplicate zombie Snort process running and that process is blocking/alerting.

        You should have exactly one Snort process per interface where Snort is enabled.  Check that with this command from the CLI:

        ps -ax |grep snort

        If you see extra Snort processes, stop Snort then kill any remaining zombie processes and then restart Snort.

        Bill

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.