How to block all traffic which matches BitTorrent-DHT?

I’ve created a rule

drop bittorrent-dht any any -> any any (msg: "Block torrent traffic"; priority:1; sid:1000000; rev:1;)

in logs it’s marked as "action":"blocked", however traffic is not blocked, BitTorrent-DHT still works.

Web-viewer: evebox
Suricata version: 7.0.0
OS: Debian GNU/Linux 12 (bookworm)
Installed from backports packages.
IPS/inline mode using nftables.

I’ve replaced alert by drop for rules that detect such traffic, i.e.:

sed -e '/torrent/Is/^alert/drop/g' \
    -e '/dht/Is/^alert/drop/g' \
    /var/lib/suricata/rules/suricata.rules \
    > /var/lib/suricata/rules/custom.rules

But still no luck, torrents are not blocking.

How are you running Suricata and how does the config look like?
Changing the rules is not enough, you need to make sure that you run IPS mode instead of IDS.

nftables snippet:

table inet filter {
	chain forward {
		type filter hook forward priority 0
		queue flags bypass,fanout to 0-1
		policy accept

In /lib/systemd/system/suricata.service I’ve replaced ExecStart by:

ExecStart=/usr/bin/suricata -D -c /etc/suricata/suricata.yaml --pidfile /run/ -q 0 -q 1

Is it enough to run it in IPS mode?

However, for sure, blocking other requests via dns.query,, tls.sni, and quic.sni (by the way, what is the equivalent for http2 to block some host?) is working.

Config file is almost default: suricata.yaml (82.1 KB)
bittorrent-dht enabled

Can you provide the stats.log as well as the related eve.json output for those flows that should have been blocked, and also the alert event?

Sorry for the late reply.

(eve.bittorrent-dht.json filtered by grep torrent < eve.json | perl -pe 's|"src_ip":".*?"|"src_ip":"<redacted>"|g' | perl -pe 's|"dest_ip":".*?"|"dest_ip":"<redacted>"|g' | perl -pe 's|ipv6=.*?"|ipv6=<redacted>"|g')

With only

sed -e '/torrent/Is/^alert/drop/g' \
    -e '/dht/Is/^alert/drop/g' \
    /var/lib/suricata/rules/suricata.rules \
    > /var/lib/suricata/rules/custom.rules

eve.bittorrent-dht.json (100.1 KB)
stats.log (83.3 KB)

Torrent that was already added was downloading.

With additional rule:

drop bittorrent-dht any any -> any any (msg: "Block torrent traffic"; priority:1; sid:1000186; rev:1;)

stats.log (53.8 KB)
eve.bittorrent-dht.json (96.7 KB)

New torrent wasn’t downloading (as http tracker gives no response).

Tested with debian torrent and transmission client.

However if torrent was added via magnet URL, then run it without suricata for some time, and then again with suricata, torrent still downloading.

So for new connections the block works but for established connections it does not work?

yes exactly, any suggestions on how can i patch this problem