TLS offloaded sensor, suppress certain rules for only that sensor?

Hi all,

I’m just starting to brainstorm the best way to go about this. I have a handful of suricata sensors, and one of them is fed traffic from a TLS offloaded source. So, inevitably, the rule ET POLICY HTTP traffic on port 443 (POST) is firing like crazy, as are ET Policy rules for passwords in cleartext.

My initial thought is to suppress those rules only on the sensor in question. Is this the best solution, or are there other options here? I am very much open to, and grateful for, other suggestions.

I am running suricata 6.0.16 on all sensors.

Hi!

For any signatures that you see firing on decrypted traffic that don’t seem appropriate, you can open a ticket with ET via Feedback or post on https://community.emergingthreats.net/

For the sig that you mentioned above and ones similar, we will have updated for today with some extra metadata. For your use case with the sensor being fed decrypted traffic, you may want to look for signatures that have metadata “deployment SSLDecrypt” and “tls_state TLSDecrypt”.

This is something we are actively working on from the ET side to try and help customers more easily tune their rulesets effectively so we appreciate any feedback!

JT

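An added example, not from the thread or from ET/Suricata: a small Python helper that reads rule lines, pulls out the `deployment` and `tls_state` metadata values JT mentions, and turns a chosen set of sids into `threshold.config` suppress entries for the offload sensor. The rule text and sids below are constructed placeholders, not real ET signatures; which metadata values to treat as noisy on a decrypted-traffic sensor is a local tuning decision, the script only makes the metadata queryable.

```python
import re
from typing import Dict, List

# Constructed sample rules (sids 9000001-9000003 and msgs are placeholders, not real ET rules).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE POLICY HTTP POST on port 443"; flow:established,to_server; http.method; content:"POST"; classtype:policy-violation; sid:9000001; rev:1; metadata:deployment Perimeter, tls_state Plaintext;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY cleartext password"; flow:established,to_server; http.request_body; content:"password="; classtype:policy-violation; sid:9000002; rev:1; metadata:deployment Perimeter, deployment SSLDecrypt, tls_state TLSDecrypt;)
# disabled rule lines are skipped
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE no metadata"; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
# ET-style metadata is "key value, key value, ..." terminated by ';'
META_RE = re.compile(r"\bmetadata:\s*([^;]*);")


def parse_rules(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Map sid -> {metadata key: [values]} for every active (uncommented) rule line."""
    rules: Dict[int, Dict[str, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue
        meta: Dict[str, List[str]] = {}
        meta_m = META_RE.search(line)
        if meta_m:
            for item in meta_m.group(1).split(","):
                parts = item.split(None, 1)  # "deployment SSLDecrypt" -> key, value
                if len(parts) == 2:
                    meta.setdefault(parts[0], []).append(parts[1].strip())
        rules[int(sid_m.group(1))] = meta
    return rules


def sids_with(rules, key: str, value: str) -> List[int]:
    """Sids whose metadata carries key=value (e.g. tls_state TLSDecrypt)."""
    return sorted(sid for sid, meta in rules.items() if value in meta.get(key, []))


def sids_without(rules, key: str, value: str) -> List[int]:
    """Sids that lack key=value (candidates to review on a decrypted-traffic sensor)."""
    return sorted(sid for sid, meta in rules.items() if value not in meta.get(key, []))


def suppress_entries(sids) -> List[str]:
    """threshold.config lines; gen_id 1 is the generator id for ordinary rules."""
    return [f"suppress gen_id 1, sig_id {sid}" for sid in sids]
```

Point `parse_rules` at the sensor's merged rules file and feed the sids you decide are noise into `suppress_entries`; the output goes into that sensor's `threshold.config` only, so the other sensors keep the full ruleset.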

Thanks JT, glad to hear someone is considering this element already! I’ll take a look at the metadata in the newer rules, and submit feedback as necessary.
