Suricata generates alerts despite disabled rules

I’m new to Suricata and have just started using it. I’m having a problem with Suricata generating logs, even though I have disabled some stream rules. I tried to find a solution online, but no luck. I would appreciate your help in figuring out what I’m doing wrong.

I am currently running Suricata version 7.0.3 on an RPI but plan to install it on a more powerful machine after some lab tests.

Disable.conf file

root@RPI/etc/suricata# cat disable.conf 

I have executed these commands to update the rules. I can see that it indicates "disabled " for the STREAM rules during the update.

suricatasc -c reload-rules 

I checked the Suricata rules and it seems disabled

root@RPI/etc/suricata#   cat /var/lib/suricata/rules/suricata.rules | grep "SURICATA STREAM FIN recv but no session"
# alert tcp any any -> any any (msg:"SURICATA STREAM FIN recv but no session"; stream-event:fin_but_no_session; classtype:protocol-command-decode; sid:2210037; rev:2;q)

Eve JSON log showing alert despite rule being disabled.

  "timestamp": "2024-02-23T14:13:06.685396+0000",
  "flow_id": 1189738729779373,
  "in_iface": "eth0",
  "event_type": "alert",
  "vlan": [
  "src_ip": "SRC-IP",
  "src_port": 443,
  "dest_ip": "DST-IP",
  "dest_port": 10459,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2210037,
    "rev": 2,
    "signature": "SURICATA STREAM FIN recv but no session",
    "category": "Generic Protocol Command Decode",
    "severity": 3
  "direction": "to_server",
  "flow": {
    "pkts_toserver": 14,
    "pkts_toclient": 0,
    "bytes_toserver": 9770,
    "bytes_toclient": 0,
    "start": "2024-02-23T14:12:36.604687+0000",
    "src_ip": "SRC-IP",
    "dest_ip": "DST-IP",
    "src_port": 443,
    "dest_port": 10459

What do I miss?

Another question: Is there a best practice configuration for the rules that you would recommend I start using before tweaking them to fit my environment?


Please paste your run command on how you start suricata and also the suricata.yaml along the suricata.log.

Hi Andreas,
Thanks for the quick respone. I just start the service
sudo service suricata start

suricata.yaml (85.2 KB)
suricata.log (39.6 KB)

I also attached the requested files

You have this path for rules in your yaml:

default-rule-path: /etc/suricata/rules

But you seem to manage the rules with suricata-update in /var/lib/suricata/rules/ based on your initial post. So you would have to adjust that.

Thanks for your help! I feel like this was a simple question, but sometimes you’re blind and need a couple more sets of eyes.