Hi,
I’m new to Suricata and have just started using it. I’m having a problem with Suricata generating logs, even though I have disabled some stream rules. I tried to find a solution online, but no luck. I would appreciate your help in figuring out what I’m doing wrong.
I am currently running Suricata version 7.0.3 on an RPI but plan to install it on a more powerful machine after some lab tests.
Disable.conf file
root@RPI/etc/suricata# cat disable.conf
group:stream-events.rules
I have executed these commands to update the rules. I can see that it indicates "disabled" for the STREAM rules during the update.
suricata-update
suricatasc -c reload-rules
I checked the Suricata rules and the rule seems to be disabled:
root@RPI/etc/suricata# cat /var/lib/suricata/rules/suricata.rules | grep "SURICATA STREAM FIN recv but no session"
# alert tcp any any -> any any (msg:"SURICATA STREAM FIN recv but no session"; stream-event:fin_but_no_session; classtype:protocol-command-decode; sid:2210037; rev:2;)
Eve JSON log showing an alert despite the rule being disabled:
{
"timestamp": "2024-02-23T14:13:06.685396+0000",
"flow_id": 1189738729779373,
"in_iface": "eth0",
"event_type": "alert",
"vlan": [
123
],
"src_ip": "SRC-IP",
"src_port": 443,
"dest_ip": "DST-IP",
"dest_port": 10459,
"proto": "TCP",
"pkt_src": "wire/pcap",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2210037,
"rev": 2,
"signature": "SURICATA STREAM FIN recv but no session",
"category": "Generic Protocol Command Decode",
"severity": 3
},
"direction": "to_server",
"flow": {
"pkts_toserver": 14,
"pkts_toclient": 0,
"bytes_toserver": 9770,
"bytes_toclient": 0,
"start": "2024-02-23T14:12:36.604687+0000",
"src_ip": "SRC-IP",
"dest_ip": "DST-IP",
"src_port": 443,
"dest_port": 10459
}
}
What am I missing?
Another question: Is there a best practice configuration for the rules that you would recommend I start using before tweaking them to fit my environment?
Thanks!
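Added here as a diagnostic, not part of the original post or of Suricata itself: a small Python script that reads a suricata.rules file and an eve.json file and reports, for every sid that raised an alert, whether that sid is enabled, commented out, or absent in the rules file. A sid in the "disabled" or "absent" bucket is a sign that the running engine is not working from the file you grepped (a different rule path or file, or no reload since suricata-update rewrote it), which is the first thing to check when alerts keep appearing for rules disable.conf was supposed to remove. The sample rule line, the local sid 1000001 and 1000002, and the eve records are constructed for the example; only sid 2210037 comes from the post.

```python
import json
import re

# Constructed sample input (not from the original post): the commented-out rule
# from the post, as suricata-update writes disabled rules, plus one enabled local
# rule with a made-up sid in the local range.
RULES_TEXT = """\
# alert tcp any any -> any any (msg:"SURICATA STREAM FIN recv but no session"; stream-event:fin_but_no_session; classtype:protocol-command-decode; sid:2210037; rev:2;)
alert tcp any any -> any any (msg:"LOCAL constructed test rule"; sid:1000001; rev:1;)
"""

# Constructed eve.json lines: the alert from the post (trimmed), a hit on the
# enabled local rule, an alert for a made-up sid that is not in the file at all,
# and a non-alert event that must be ignored.
EVE_TEXT = "\n".join([
    json.dumps({"event_type": "alert", "alert": {"signature_id": 2210037, "gid": 1, "rev": 2}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 1000001, "gid": 1, "rev": 1}}),
    json.dumps({"event_type": "alert", "alert": {"signature_id": 1000002, "gid": 1, "rev": 1}}),
    json.dumps({"event_type": "flow", "flow_id": 1}),
])

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rule_states(rules_text):
    """Map sid -> True (enabled) or False (commented out) for every rule line."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not m:
            continue  # blank line, plain comment or malformed line, not a rule
        states[int(m.group(1))] = not stripped.startswith("#")
    return states


def alert_sids(eve_text):
    """Return the signature_id of every event_type=alert record, in file order."""
    sids = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        sids.append(int(rec["alert"]["signature_id"]))
    return sids


def reconcile(rules_text, eve_text):
    """Bucket alerting sids by their state in the rules file.

    'disabled' or 'absent' entries mean the engine that wrote eve.json was not
    using this file in its current state: check which file it really loads and
    whether the reload happened after suricata-update rewrote the file.
    """
    states = parse_rule_states(rules_text)
    seen = sorted(set(alert_sids(eve_text)))
    return {
        "enabled": [s for s in seen if states.get(s) is True],
        "disabled": [s for s in seen if states.get(s) is False],
        "absent": [s for s in seen if s not in states],
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # usage: python3 check_rules.py /var/lib/suricata/rules/suricata.rules /var/log/suricata/eve.json
        rules_text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
        eve_text = open(sys.argv[2], encoding="utf-8", errors="replace").read()
    else:
        rules_text, eve_text = RULES_TEXT, EVE_TEXT
    for kind, sids in reconcile(rules_text, eve_text).items():
        print(f"{kind}: {sids}")
```

Run it against the rules file you grepped and the eve.json that shows the alert. If 2210037 lands in "disabled", compare the path in `suricata --dump-config` (the `default-rule-path` and `rule-files` values) with the file suricata-update wrote, and check the Suricata log for the result of the `reload-rules` command; alerts written before the reload completed will of course still carry the old state.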