[Oisf-users] SOLVED Suricata ignoring disable.conf

Jason Ish jason.ish at oisf.net
Mon Nov 4 14:43:35 UTC 2019

On 2019-11-02 7:03 p.m., James Moe wrote:
> On 31/10/2019 2.27 pm, James Moe wrote:
>>    I decided to disable the SURICATA rules since they do not really impart any
>> useful information for our network. I added "re:SURICATA" to <disable.conf> and
>> restarted. SURICATA rules are still in effect.
>>    Where should I look to discover why suricata is not heeding the rules?
>    Apparently, when the host was restarted 22 days ago, suricata failed to create
> a PID file. Each subsequent request to stop/start/reload failed because the
> control script could not find a PID file to know which process to stop.
>    Hence, suricata had never reloaded the changed rules.

You might want to look into suricatasc to do the reload. It will use the 
unix-socket which might be more reliable in cases like this.


More information about the Oisf-users mailing list