Dear Suricata community,
I am working on Debian 12 with Suricata 8.0 installed and compiled from source. I have a use case where I want to run Suricata in AF_PACKET mode at Layer 2 (which is working fine).
Due to architectural constraints, I cannot modify Layer 3. I need to block some traffic that may be considered malicious.
The idea is to run a machine learning engine analyzing the eve.json logs to build a behavioral model.
When abnormal behavior is detected, I want to inject a Suricata rule and then reload the rules.
From what I’ve researched, reloading via the suricatasc command works, but the Layer 2 cache remains active. This means that existing cached flows continue to be processed until their timeout expires. The only current way to immediately apply changes is to restart the Suricata service, which causes downtime for all flows.
What I want to achieve is a way to clear the Layer 2 cache or otherwise force Suricata to immediately apply new rules.
Do you have any recommendations or solutions to make this work?
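The eve.json -> rule -> reload loop the post describes, as an added example that is not part of the original post and not Suricata project code. The "model" is a deliberate placeholder (a fan-out count per source), the sample eve.json lines are constructed, and the sid range, rules file path and threshold are arbitrary choices; the reload step assumes the unix socket is enabled in suricata.yaml and that `suricatasc -c ruleset-reload-rules` is the reload command used.

```python
"""Added example: detect an anomaly in eve.json flow records, emit a drop rule,
append it to a rules file and ask Suricata to reload. The anomaly model, sid
range, threshold and file path are placeholders chosen for illustration."""
import json
import re
import subprocess

# Constructed sample eve.json lines (not real captured data): one source fans
# out to four SSH hosts, another talks to a single web server.
SAMPLE_EVE = """\
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","dest_port":22,"proto":"TCP"}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.21","dest_port":22,"proto":"TCP"}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.22","dest_port":22,"proto":"TCP"}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.23","dest_port":22,"proto":"TCP"}
{"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP"}
{"event_type":"flow","src_ip":"10.0.0.9","dest_ip":"10.0.0.20","dest_port":80,"proto":"TCP"}
"""

SID_BASE = 9000000  # hypothetical private sid range for generated rules


def count_distinct_dests(eve_lines):
    """Distinct destination hosts per source, from 'flow' events only."""
    seen = {}
    for line in eve_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        seen.setdefault(ev["src_ip"], set()).add(ev["dest_ip"])
    return {src: len(dests) for src, dests in seen.items()}


def find_anomalous_sources(eve_lines, threshold=3):
    """Placeholder model: a source touching more than `threshold` hosts is abnormal."""
    return sorted(src for src, n in count_distinct_dests(eve_lines).items() if n > threshold)


def next_sid(rules_text, base=SID_BASE):
    """Smallest sid >= base not already present in the existing rules text.
    A duplicate sid makes the whole reload fail, so this check matters."""
    used = {int(s) for s in re.findall(r"\bsid:\s*(\d+)", rules_text)}
    sid = base
    while sid in used:
        sid += 1
    return sid


def make_drop_rule(src_ip, sid):
    """Drop everything from src_ip; 'drop' only has effect in an inline (IPS) setup."""
    return (f"drop ip {src_ip} any -> any any "
            f'(msg:"ML model: anomalous fan-out from {src_ip}"; sid:{sid}; rev:1;)')


def build_rules(eve_lines, existing_rules_text, threshold=3):
    """Full pipeline minus I/O: returns the list of new rule lines to append."""
    rules = []
    sid = next_sid(existing_rules_text)
    for src in find_anomalous_sources(eve_lines, threshold):
        rules.append(make_drop_rule(src, sid))
        existing_rules_text += rules[-1] + "\n"
        sid = next_sid(existing_rules_text)
    return rules


def append_and_reload(rules_path, rules, reload=True):
    """Append rules to the file and trigger a live reload over the unix socket.
    Assumes suricatasc is on PATH and unix-command is enabled in suricata.yaml."""
    with open(rules_path, "a", encoding="utf-8") as fh:
        for rule in rules:
            fh.write(rule + "\n")
    if reload and rules:
        subprocess.run(["suricatasc", "-c", "ruleset-reload-rules"], check=True)


if __name__ == "__main__":
    existing = 'alert tcp any any -> any any (msg:"placeholder"; sid:9000000; rev:1;)\n'
    for r in build_rules(SAMPLE_EVE, existing):
        print(r)
```

Run the file as-is to see the generated rule; wire `append_and_reload` to your real rules file and call it with the list `build_rules` returns once the reload path is confirmed working on your host.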