Netgate Discussion Forum
    Suricata not taking account suppress list

    jorgek

      How do I use the suppress list in Suricata to stop logging alerts such as
      SURICATA STREAM Packet with invalid timestamp?

      Below is the rule I created to ignore those alerts/blocking:

      Screen Shot 2021-07-27 at 16.40.59.png
      Apparently, even with this rule, Suricata still keeps alerting/blocking.
      Is there anything I am missing?

      Thanks

      bmeeks @jorgek

        @jorgek said in Suricata not taking account suppress list:

        How do I use the suppress list in Suricata to stop logging alerts such as
        SURICATA STREAM Packet with invalid timestamp?

        Below is the rule I created to ignore those alerts/blocking:

        Screen Shot 2021-07-27 at 16.40.59.png
        Apparently, even with this rule, Suricata still keeps alerting/blocking.
        Is there anything I am missing?

        Thanks

        Once you have created this custom Suppress List, you will need to go back to the INTERFACE SETTINGS tab for the interface where you want to use the list. Scroll down to the Suppress List drop-down selector and select your custom list. Save the change on that tab, and then go over to the INTERFACES tab and restart Suricata on the interface for it to see the list. The SUPPRESS tab is where you create or edit Suppression Lists, but they are not used until assigned to an interface on its respective INTERFACE SETTINGS tab.

        If you did all of the above steps already, and the Suppression List is not working, you may have duplicate Suricata processes running on the same interface. If that is the case, only one of the processes will respond to the Suppress List change. The other duplicate(s) will not. To see if you have multiple running instances on the same interface, run this command from a shell prompt on the firewall:

        ps -ax | grep suricata

        You should see exactly one process per configured Suricata interface. If you see any duplicates, you will need to kill them. The easiest way to do this is to run these commands from the same shell prompt:

        /usr/local/etc/rc.d/suricata.sh stop
        ps -ax | grep suricata
        kill -9 <pid>

        where <pid> is the process ID of any remaining Suricata processes. You can then restart Suricata on all interfaces using this command:

        /usr/local/etc/rc.d/suricata.sh start
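
An added example (not from bmeeks's post) that automates the duplicate-process check described above: it parses `ps` output, extracts the interface from Suricata's `-i <iface>` argument, and reports any interface with more than one Suricata process. The sample `ps` lines are constructed, and the config paths in them are illustrative, not pfSense's actual layout.

```shell
#!/bin/sh
# Report interfaces where more than one Suricata process is running.
# Added example; constructed sample input below. On the firewall, feed it
# real output instead:  duplicate_suricata "$(ps -ax -o pid,command)"

# Constructed sample: em0 has two Suricata processes, em1 has one.
SAMPLE_PS='  PID COMMAND
12345 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suricata/em0/suricata.yaml
12399 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suricata/em1/suricata.yaml
12488 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suricata/em0/suricata.yaml
12500 grep suricata'

# Constructed sample with exactly one process per interface (healthy state).
SAMPLE_PS_OK='  PID COMMAND
12345 /usr/local/bin/suricata -i em0 -D -c /usr/local/etc/suricata/em0/suricata.yaml
12399 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suricata/em1/suricata.yaml'

# Prints one line per interface with duplicates: "<iface> <count> <pid,pid,...>".
# Prints nothing when every interface has at most one process.
duplicate_suricata() {
    printf '%s\n' "$1" | awk '
        # Only count real suricata binaries; this skips the header line and
        # the "grep suricata" process that appears in interactive ps output.
        $2 ~ /suricata$/ {
            iface = ""
            for (i = 1; i <= NF; i++) if ($i == "-i") iface = $(i + 1)
            if (iface == "") next
            count[iface]++
            pids[iface] = (count[iface] > 1) ? pids[iface] "," $1 : $1
        }
        END {
            for (n in count) if (count[n] > 1) print n, count[n], pids[n]
        }' | sort
}

# Stand-alone run against the constructed sample.
dups=$(duplicate_suricata "$SAMPLE_PS")
if [ -n "$dups" ]; then
    echo "duplicate Suricata processes found (iface count pids):"
    echo "$dups"
else
    echo "one Suricata process per interface"
fi
```

The PIDs printed are the ones to pass to `kill -9 <pid>` after `suricata.sh stop`, as in the steps above.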
        
        jorgek @bmeeks

          @bmeeks Thanks, I didn't notice that option in interface settings. I did that and now I am monitoring the behavior of Suricata. Cheers
