[Oisf-users] Why blocks suri this traffic?

Stefan Sabolowitsch Stefan.Sabolowitsch at felten-group.com
Tue Mar 4 08:11:36 UTC 2014

Hi all,
I have here the latest git version and this start option:
suricata --user sguil --group sguil -c /etc/nsm/Serrig-intern/suricata.yaml -q 0 -q 1 -q 2 -q 3 -l /nsm/sensor_data/Serrig-intern --runmode workers

I wanted to prevent suri from blocking access to a web page. Here is the corresponding log entry in evejson -> alert.

"message": "{\"time\":\"03\\/04\\/2014-07:15:17.412182\",\"event_type\":\"alert\",\"src_ip\":\"\",\"src_port\":80,\"dest_ip\":\"\",\"dest_port\":51538,\"proto\":\"TCP\",\"alert\":{\"action\":\"wDrop\",\"gid\":1,\"signature_id\":2221021,\"rev\":1,\"signature\":\"SURICATA HTTP response header invalid\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3}}",

Then I made the following entry in threshold.conf and restarted suri.

suppress gen_id 1, sig_id 2221021, track by_src, ip

Now no alert is written to evejson anymore, but the traffic is still blocked. I found this drop message in evejson.


Why does suri still block the traffic? A bug?
Is threshold.conf not effective in IPS mode?
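Added example, not from the post or from the Suricata project: a small parser for alert records in the wrapped form quoted above (the EVE event JSON-encoded as a string under "message"), counting the logged `alert.action` per `signature_id`, so one can check whether a suppression changed the recorded action or only silenced the alert. The sample records are constructed (documentation IP addresses, a placeholder sid 9000001); the set of drop-action values is an assumption built from the "wDrop" seen in the post plus the "blocked" value used by newer EVE output.

```python
import json
from collections import Counter

# Assumed drop-action values: "wDrop" as quoted in the post, "blocked" as used by
# newer Suricata EVE output. Anything else is treated as a non-dropping alert.
DROP_ACTIONS = {"wDrop", "blocked"}


def parse_eve_line(line):
    """Return the EVE event dict from one log line.

    Handles both a bare EVE record and the wrapped form in the post, where the
    EVE JSON is itself a string inside the "message" field.
    """
    record = json.loads(line)
    if isinstance(record.get("message"), str):
        record = json.loads(record["message"])
    return record


def alert_actions(lines):
    """Count (signature_id, action) pairs over alert events; other events are skipped."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = parse_eve_line(line)
        if event.get("event_type") != "alert":
            continue
        alert = event["alert"]
        counts[(alert["signature_id"], alert["action"])] += 1
    return counts


def dropping_signatures(lines):
    """Signature ids whose alerts were logged with a drop action."""
    return {sid for (sid, action) in alert_actions(lines) if action in DROP_ACTIONS}


def make_sample_lines():
    """Constructed records shaped like the post's log entry (not real traffic)."""
    def wrap(sid, action, signature, dest_port):
        event = {"time": "03/04/2014-07:15:17.412182", "event_type": "alert",
                 "src_ip": "192.0.2.10", "src_port": 80,
                 "dest_ip": "198.51.100.5", "dest_port": dest_port, "proto": "TCP",
                 "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                           "signature": signature, "severity": 3}}
        return json.dumps({"message": json.dumps(event)})
    return [wrap(2221021, "wDrop", "SURICATA HTTP response header invalid", 51538),
            wrap(2221021, "wDrop", "SURICATA HTTP response header invalid", 51540),
            wrap(9000001, "allowed", "CONSTRUCTED placeholder alert", 51541),
            json.dumps({"event_type": "flow", "proto": "TCP"})]  # non-alert, skipped
```

Run `alert_actions(make_sample_lines())` to see sid 2221021 logged twice with "wDrop" while the placeholder sid is "allowed"; on a real evejson file, an empty `dropping_signatures()` after a suppression would confirm the drop itself stopped, not just the alert.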

