Suricata & Snort Suppression List



  • Gentlemen:

    I am currently using Suricata with Emerging Threats ETPro. I have a suppression list and have found that a number of times suppressed alerts ("grayed out") still caused an IP to be blocked. This now has seemingly stopped with Suricata, but I find the issue continues to occur with Snort. Has anyone noticed this issue?



  • A couple of issues can cause this.  One is Snort did not get restarted when the last change was made to the suppress list.  This should have automatically happened, but perhaps did not.  A second more rare possibility is that you have a duplicate zombie Snort process running and that process is blocking/alerting.

    You should have exactly one Snort process per interface where Snort is enabled.  Check that with this command from the CLI:

        ps -ax | grep snort

    If you see extra Snort processes, stop Snort then kill any remaining zombie processes and then restart Snort.

    Bill
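    As an added example that is not part of Bill's post, the shell function below automates the check he describes: it counts Snort processes per interface in `ps` output and prints any interface that has more than one. It assumes each pfSense Snort instance is started with an `-i <interface>` argument; the `ps` lines in the sample are constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Flags interfaces that have more than one Snort process (the duplicate
# "zombie" condition described above). Assumes every Snort instance carries
# an "-i <interface>" argument on its command line, as pfSense does.

# Constructed sample of `ps -ax | grep snort` output:
# em0 has two Snort processes (a duplicate), em1 has exactly one.
SAMPLE_PS='12345  -  Ss  0:01.23 /usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em012345 --pid-path /var/run -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
12399  -  Ss  0:00.10 /usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em012345 --pid-path /var/run -c /usr/local/etc/snort/snort_12345_em0/snort.conf -i em0
12401  -  Ss  0:01.02 /usr/local/bin/snort -R 67890 -D -q -l /var/log/snort/snort_em167890 --pid-path /var/run -c /usr/local/etc/snort/snort_67890_em1/snort.conf -i em1
12500  0  S+  0:00.00 grep snort'

# Reads ps output on stdin. Prints each interface that has more than one
# Snort process, one per line. Exit status: 1 if any duplicates, else 0.
duplicate_snort_ifaces() {
    grep '/snort ' |                        # keep real snort binaries only
        grep -v 'grep snort' |              # drop the grep itself
        sed -n 's/.* -i \([^ ]*\).*/\1/p' | # extract the -i <interface> value
        sort | uniq -c |                    # count processes per interface
        awk '$1 > 1 { print $2; found = 1 } END { exit found ? 1 : 0 }'
}

# Live check on the firewall would be:  ps -ax | duplicate_snort_ifaces
# Demo on the constructed sample (prints "em0"):
printf '%s\n' "$SAMPLE_PS" | duplicate_snort_ifaces \
    || echo "duplicate Snort processes found; stop Snort, kill the extras, restart"
```

    If it prints an interface, stop Snort, kill the leftover processes for that interface, and restart Snort, as Bill says.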