Alert once per connection with Suricata rules

I am trying to get a comprehensive list of every destination IP my network connects to using Suricata rules, but right now I am getting WAY too many logs. When I view the logs created by my Suricata alert rules it shows many duplicate logs with the same timestamp, source ip, and destination ip (sometimes as many as 15 duplicates in a row). I really need to reduce the total number of logs being created.

I have a set of Suricata rules set up and want to generate one alert per connection (i.e. eliminate my duplicate logs). How can I change my Suricata rules to only create an alert ONE time per connection? Please let me know if this is possible to accomplish using flowints or otherwise. Here are my current rules:

alert ip 10.0.0.0/8 any -> any 53 (msg:"DNS LOOKUP logged"; flow:to_server, established; sid: 1000001 ; rev:1; metadata:updated_at 2022_05_20; )
alert tls 10.0.0.0/8 any -> any any ( msg:"INITIAL TLS egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000002 ; rev:1; metadata:updated_at 2022_05_20; )
alert http 10.0.0.0/8 any -> any any ( msg:"INITIAL http egress to collect all outgoing traffic"; flow:to_server, established; sid: 1000003 ; rev:1; metadata:updated_at 2022_05_20; )

Have you looked at the flow event type? It's enabled by default and will give you one record per flow and also provide the protocol information. However, you get these records when the flow is complete/timed out, not as the flow is created.

Unfortunately I do not see any flow event types in my logs. The closest thing I see is a flow_id which is often repeated in consecutive logs.

I’d look into re-enabling it if you can, as it is enabled in the default configuration file. It seems it would give you what you need, perhaps more efficiently than using rules. However, the flowint keyword might help you out: 6.10. Flow Keywords — Suricata 6.0.10 documentation

Thank you for your responses Jason! :slight_smile: I am using AWS Network Firewall so as far as I know I don’t have access to a configuration file, just Suricata rules. I have been looking into using flowint to fix my issue but haven’t been able to figure out how to apply it to my use case. Any chance you could show me how I might re-write my rules?

With flowbits (sorry, not flowints) I think you could do:

flowbits: set,logged; flowbits:isnotset,logged;

The idea is that it will only alert when the flowbit logged is not set, but then also set the flowbit logged.

This looks very promising, thank you! Just to make sure I understand: the flowbits:isnotset,logged; part will generate an alert because logged is not set. But in the same line set,logged; will set logged. Once logged is set, subsequent events in the same connection will not generate any more alerts. Am I understanding that correctly?

Also, does the rule reset after each connection? So for example if I had 2 egress connections to google.com I would still get 1 alert for each connection, correct?

And this won’t alter logs in any way right? I will still get all the same fields and info in my logs, just no more duplicate logs?

Subsequent alerts for that rule will not trigger. If there are other rules that match, they will trigger, which is probably what you want.

The logs will not change.

Awesome. I have played around with flowbits some more today and I am wondering if the following solution would also work:
Since I am going to be whitelisting domains in the future anyways, what if I started writing pass rules now to cut down the number of logs I am getting? If I use flowbits:set, suppressalert; in my pass rules for a domain (say “google.com”) and flowbits: isnotset, suppressalert; in my alert rule, then I should never get an alert from a TLS connection to google.com, correct?
Example:

pass tls any any -> any any (tls.sni; content:"google.com"; msg:"pass google.com"; flowbits:set, suppressalert; ...)
alert tls 10.0.0.0/8 any -> any any ( msg:"alert for TLS outgoing traffic"; flowbits: isnotset, suppressalert; ...)

I am hoping this gives me alerts for every outgoing TLS connection EXCEPT for google.com
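To make the per-flow behaviour of the two designs in this thread concrete (Jason's once-per-flow "logged" bit and the later pass-rule "suppressalert" idea), here is an added toy model written for this thread, not Suricata's own code and not a Suricata rule file. It assumes flowbits live on the flow and vanish with it, that pass rules are evaluated before alert rules and end inspection of that packet on match (Suricata's default action order), and that flowbits:set is applied only after a rule has matched; the packet stream is constructed.

```python
# Toy model of flowbits semantics (added example, not Suricata itself).
# Assumptions: bits are per flow; pass rules run before alert rules and a
# matching pass rule stops rule evaluation for that packet; flowbits:set
# is applied post-match, after any isnotset check has passed.
from collections import defaultdict

# Constructed packet stream: (flow_id, src, dst, tls_sni). Several packets per
# flow mimic the duplicate alerts the original poster saw.
PACKETS = [
    (1, "10.0.0.5", "192.0.2.10", "google.com"),
    (1, "10.0.0.5", "192.0.2.10", None),
    (1, "10.0.0.5", "192.0.2.10", None),
    (2, "10.0.0.5", "198.51.100.7", "example.org"),
    (2, "10.0.0.5", "198.51.100.7", None),
    (3, "10.0.0.6", "192.0.2.10", "google.com"),
    (3, "10.0.0.6", "192.0.2.10", None),
]

def run(rules, packets=PACKETS):
    """Evaluate rules against each packet; return a list of (sid, flow_id) alerts."""
    bits = defaultdict(set)           # flow_id -> names of flowbits currently set
    alerts = []
    order = {"pass": 0, "alert": 1}   # pass rules first, as in Suricata's default order
    for flow, _src, _dst, sni in packets:
        for rule in sorted(rules, key=lambda r: order[r["action"]]):
            if rule.get("sni") and rule["sni"] != sni:
                continue              # tls.sni content did not match this packet
            if any(b in bits[flow] for b in rule.get("isnotset", [])):
                continue              # flowbits:isnotset failed: bit already on the flow
            bits[flow].update(rule.get("set", []))   # post-match flowbits:set
            if rule["action"] == "alert":
                alerts.append((rule["sid"], flow))
            else:
                break                 # pass matched: no further rules for this packet
    return alerts

# Jason's suggestion: alert once per flow with a "logged" bit.
ONCE_PER_FLOW = [
    {"action": "alert", "sid": 1000002, "isnotset": ["logged"], "set": ["logged"]},
]
# The follow-up idea: a pass rule for google.com sets "suppressalert", and the
# generic TLS alert checks it; the "logged" bit is kept so other flows alert once.
PASS_THEN_ALERT = [
    {"action": "pass", "sid": 1, "sni": "google.com", "set": ["suppressalert"]},
    {"action": "alert", "sid": 1000002,
     "isnotset": ["suppressalert", "logged"], "set": ["logged"]},
]

if __name__ == "__main__":
    print(run(ONCE_PER_FLOW))    # one alert per flow, three flows -> three alerts
    print(run(PASS_THEN_ALERT))  # only the example.org flow (flow 2) alerts, once
```

Running it shows the "logged" bit alone collapses each flow to a single alert, and the google.com flows produce nothing once the pass rule has set "suppressalert" on them.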