[Oisf-users] SOLVED Suricata ignoring disable.conf
Jason Ish
jason.ish at oisf.net
Mon Nov 4 14:43:35 UTC 2019

On 2019-11-02 7:03 p.m., James Moe wrote:
> On 31/10/2019 2.27 pm, James Moe wrote:
>
>> I decided to disable the SURICATA rules since they do not really impart any
>> useful information for our network. I added "re:SURICATA" to <disable.conf> and
>> restarted. SURICATA rules are still in effect.
>>
>> Where should I look to discover why suricata is not heeding the rules?
>>
> Apparently, when the host was restarted 22 days ago, suricata failed to create
> a PID file. Each subsequent request to stop/start/reload failed because the
> control script could not find a PID file to know which process to stop.
> Hence, suricata had never reloaded the changed rules.

You might want to look into suricatasc to do the reload. It will use the
unix-socket, which might be more reliable in cases like this.

Jason
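
The check and socket-based reload discussed in this thread, as an added example that is not part of the original messages: it reports whether the PID file a control script relies on is missing or stale, then reloads rules with `suricatasc` and prints the engine's own last-reload time so a silent non-reload is visible. The PID file path, the `run` argument, and the assumption that `suricatasc` is on PATH with the unix socket enabled in suricata.yaml are all assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example. PIDFILE is an assumed location; set it to match your install.
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"

# pidfile_status FILE
# Prints "missing" if FILE does not exist, "stale" if it names no live
# process (or holds no PID at all), and "ok" if the PID is running.
# Run as root (or as the Suricata user) so kill -0 can see the process.
pidfile_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    pid=$(head -n 1 "$1" | tr -cd '0-9')
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo ok
    else
        echo stale
    fi
}

# reload_via_socket
# Asks the running engine to reload its ruleset over the unix socket,
# bypassing the PID file entirely, then prints the last reload time the
# engine reports so the operator can confirm the reload happened.
reload_via_socket() {
    suricatasc -c reload-rules || return 1
    suricatasc -c ruleset-reload-time
}

# Only act when invoked as: ./suricata-reload.sh run   (hypothetical name)
if [ "${1:-}" = "run" ]; then
    status=$(pidfile_status "$PIDFILE")
    echo "pid file $PIDFILE: $status"
    if [ "$status" != ok ]; then
        echo "warning: PID-based stop/start/reload cannot reach the engine" >&2
    fi
    reload_via_socket
fi
```
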