Missing 1 piece of the puzzle

I just started with Suricata (version 6.0.1) on Ubuntu server.
I do understand what IDS, IPS and iptables are, but there is one piece of the puzzle that I still don’t understand. Oh and I did read the documentation :slightly_smiling_face:.

Installing Suricata (and after the installation do a suricata-update) makes that there is a default installation. With “suricata-update enable-source” I enabled the non-commercial rulesets. for example “suricata-update enable-source et/open”
The detection is working, because I see entries in the fast.log and eve.json.

Tthe default installation makes it that Suricata is an IDS system. It only alerts. (please correct me if I’m wrong!).

But what puzzles me is how to change a default rule from “alert” to “drop”. :thinking:

For example. The next entry is in the eve.json file is triggered by my default installation.

“timestamp”: “2021-02-05T12:22:52.833975+0000”,
“flow_id”: 1931222203671012,
“in_iface”: “eth0”,
“event_type”: “alert”,
“src_ip”: “”,
“src_port”: 80,
“dest_ip”: “”,
“dest_port”: 38937,
“proto”: “TCP”,
“metadata”: {
“flowints”: {
“applayer.anomaly.count”: 1
“alert”: {
“action”: “allowed”,
“gid”: 1,
“signature_id”: 2260002,
“rev”: 1,
“signature”: “SURICATA Applayer Detect protocol only one direction”,
“category”: “Generic Protocol Command Decode”,
“severity”: 3
“http”: {
“http_port”: 0,
“http_method”: “\xaa\xaa\xaa\xaaUUUUUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaaUUUU\xaa\xaa\xaa\xaa”,
“length”: 327
“app_proto”: “http”,
“app_proto_ts”: “failed”,
“flow”: {
“pkts_toserver”: 4,
“pkts_toclient”: 4,
“bytes_toserver”: 298,
“bytes_toclient”: 547,
“start”: “2021-02-05T12:09:18.893412+0000”

This now is an event_type alert but I would rather have these kind of attacks to be blocked (dropped). So how can a change a default rule that it wil not sent an alert but drop such kind of attacks? Do I simply edit the /var/lib/suricata/rules/suricata.rules file and change the rule from alert to drop?
By enabling iptables a rule will not suddenly block, the rule itself will stay as an alert type.

Be aware that I’m talking about the default set of rules that are deliverd. I have not written the rule by myself!

Can someone enlighten me how this works? How to drop instead of alert.


The rules need to be edited to use the drop keywod, yes.
I believe suricata-update can do this for you. Have a look at suricata-update - Update — suricata-update 1.2.0 documentation

Thanks you. This is indeed what I was looking for. I never imagined that is was in the suricate-update part.