Unable to suppress SURICATA STREAM alerts

I am trying to suppress all of the SURICATA STREAM alerts, but what I’m doing doesn’t seem to be working. I’ve disabled all anomaly events in suricata.yml, and tried adding re:SURICATA STREAM and group:stream-events.rules to disable.conf. I tried grep’ing a few random SIDs from stream-events.rules in suricata.rules, and they all appear uncommented… I don’t want to have to add every single SURICATA STREAM SID to disable.conf, so is there a way I can suppress those rules with one setting somewhere? TIA!

What does the rule section of your suricata.yaml look like? It should be something close to:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Then after running suricata-update, all SURICATA STREAM rules should be disabled in /var/lib/suricata/rules/suricata.rules.

If that fails please include as much information as possible like how you installed Suricata, what OS and distribution, etc. Some guides and packages do things differently.
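As an added example (not code from this thread, and not suricata-update’s own code), the script below checks the state the reply above describes: it counts the SURICATA STREAM rules that are still uncommented in a rules file, lists their SIDs for comparison against disable.conf, and approximates what a disable.conf "re:" entry does by commenting out every enabled rule whose text matches the pattern. The rule lines are constructed samples in the shape of stream-events.rules, and the file paths are hypothetical; point RULES_FILE at /var/lib/suricata/rules/suricata.rules to run the same check on a real box.

```shell
#!/bin/sh
# Added example, not from the forum thread and not suricata-update itself:
# verify that a suricata-update output file has its SURICATA STREAM rules
# commented out, and show the effect a disable.conf "re:" entry should have.
# Paths are hypothetical; the rule lines below are constructed samples.

RULES_FILE="${TMPDIR:-/tmp}/stream-check.rules"
DISABLED_FILE="${TMPDIR:-/tmp}/stream-check.disabled.rules"

# Constructed sample in the shape of /var/lib/suricata/rules/suricata.rules:
# two enabled STREAM rules, one already commented out, one unrelated rule.
cat > "$RULES_FILE" <<'EOF'
alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake with ack in wrong dir"; stream-event:3whs_ack_in_wrong_dir; classtype:protocol-command-decode; sid:2210000; rev:2;)
# alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake async wrong sequence"; stream-event:3whs_async_wrong_seq; classtype:protocol-command-decode; sid:2210001; rev:2;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; classtype:protocol-command-decode; sid:2210029; rev:2;)
alert tcp any any -> any any (msg:"EXAMPLE unrelated rule that must stay enabled"; sid:9000001; rev:1;)
EOF

# Number of STREAM rules that are still live, i.e. lines that start with an
# action keyword rather than '#'. Zero is what you want after suricata-update.
enabled_stream_rules() {
    grep -c -E '^(alert|drop|pass|reject) .*msg:"SURICATA STREAM' "$1" || true
}

# Space-separated SIDs of the still-enabled STREAM rules, handy for comparing
# against what is actually listed in disable.conf.
enabled_stream_sids() {
    grep -E '^(alert|drop|pass|reject) .*msg:"SURICATA STREAM' "$1" \
        | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Approximation of a disable.conf "re:" entry: comment out every enabled rule
# whose text matches the pattern (case-insensitive), leave all other lines alone.
# $1 = input rules file, $2 = pattern, $3 = output file
disable_by_regex() {
    awk -v pat="$2" \
        'tolower($0) ~ tolower(pat) && $0 !~ /^#/ { print "# " $0; next } { print }' \
        "$1" > "$3"
}

# Usage: before and after applying the equivalent of "re:SURICATA STREAM".
printf 'enabled STREAM rules before: %s (sids: %s)\n' \
    "$(enabled_stream_rules "$RULES_FILE")" "$(enabled_stream_sids "$RULES_FILE")"
disable_by_regex "$RULES_FILE" 'SURICATA STREAM' "$DISABLED_FILE"
printf 'enabled STREAM rules after:  %s\n' "$(enabled_stream_rules "$DISABLED_FILE")"
```

If the "before" count on the real suricata.rules is non-zero right after a suricata-update run, the disable.conf in use is not the one being applied (or the file Suricata loads is not the one suricata-update wrote), which is the first thing to confirm before adding more entries.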

I thought for sure I had run suricata-update + suricatasc -c reload-rules several times after modifying disable.conf, but maybe it slipped my mind… Thanks!

Hi @ish, so this morning I noticed that we are receiving SURICATA STREAM events again =( The only cause I can think of is I have this cron job running every night:

59 23 * * * /bin/suricata-update && /bin/suricatasc -c reload-rules

We noticed in our elasticsearch cluster, where we have suricata logs being shipped to, that there was a sudden, large spike in suricata events right at midnight, so I’m assuming that was the cause, but I don’t understand why a subsequent suricata-update would then re-enable those rules…

Suricata 6.0.14 installed from rpm, running on CentOS 7.9.2009. Here’s the rule section of my suricata.yaml:

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - /var/lib/suricata/rules/daffainfo.rules

and relevant disable.conf lines:

...
...
group:stream-events.rules
re:suricata stream
...