[Oisf-users] Suricata ignoring disable.conf

James Moe jimoe at sohnen-moe.com
Thu Oct 31 21:27:20 UTC 2019


Hello,
  suricata v5.0.0
  opensuse 15.1

  I decided to disable the SURICATA rules since they do not really impart any
useful information for our network. I added "re:SURICATA" to <disable.conf> and
restarted. SURICATA rules are still in effect.

  Where should I look to discover why suricata is not heeding the rules?


  From <fast.log>:
10/31/2019-14:12:23.621724  [**] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.115:34396 -> 192.168.69.246:3128


  In <suricata.rules>:
# alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)


  In <suricata.yaml>:
default-rule-path: /usr/local/var/lib/suricata/rules
rule-files:
 - suricata.rules


  From the rules update log:
31/10/2019 -- 07:19:14 - <Info> -- Writing rules to /usr/local/var/lib/suricata/rules/suricata.rules: total: 26165; enabled: 20590; added: 1; removed 0; modified: 1

  The command line:
/usr/local/bin/suricata -v --pidfile /d500g/var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml -q 0

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
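The post shows sid 2210042 commented out in suricata.rules (so suricata-update did apply the disable.conf pattern) while fast.log still records alerts for it hours later. A quick way to narrow that down is to cross-check fast.log against the rules file and list every sid that alerted although the file has it disabled: a non-empty list means the running engine is not using that file as written (it was started before the update, has not reloaded, or loads rules from another path). The script below is an added example, not code from the post or from the Suricata project; the sample rule and log lines are constructed to mirror the ones quoted above.

```python
import re

# Constructed sample data modelled on the post: one commented-out rule
# plus one enabled rule, and fast.log lines for both sids.
SAMPLE_RULES = """\
# alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
# this is an ordinary comment, not a rule, and must be ignored
alert tcp any any -> any any (msg:"EXAMPLE enabled rule"; sid:9000001; rev:1;)
"""

SAMPLE_FAST_LOG = """\
10/31/2019-14:12:23.621724  [**] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.115:34396 -> 192.168.69.246:3128
10/31/2019-14:12:24.100000  [**] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.115:34398 -> 192.168.69.246:3128
10/31/2019-14:12:25.000000  [**] [1:9000001:1] EXAMPLE enabled rule [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.69.115:34399 -> 192.168.69.246:3128
"""

# Rule actions Suricata accepts at the start of a rule line.
ACTION_RE = re.compile(r"^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# fast.log prints the signature as [gid:sid:rev].
FAST_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_rule_states(rules_text):
    """Map sid -> True if the rule is active, False if it is commented out.

    A '#' at the start of the line followed by a rule body is a disabled
    rule; '#' lines that are not rules are plain comments and are skipped.
    """
    states = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        disabled = line.startswith("#")
        body = line.lstrip("#").strip()
        if not ACTION_RE.match(body):
            continue
        m = SID_RE.search(body)
        if m:
            states[int(m.group(1))] = not disabled
    return states


def sids_in_fast_log(fast_text):
    """Count alerts per sid for gid 1 entries in fast.log text."""
    counts = {}
    for line in fast_text.splitlines():
        m = FAST_RE.search(line)
        if m and m.group(1) == "1":
            sid = int(m.group(2))
            counts[sid] = counts.get(sid, 0) + 1
    return counts


def alerts_from_disabled_rules(rules_text, fast_text):
    """sid -> alert count for sids that alerted but are disabled in the file."""
    states = parse_rule_states(rules_text)
    return {sid: n for sid, n in sids_in_fast_log(fast_text).items()
            if states.get(sid) is False}


def alerts_from_unknown_rules(rules_text, fast_text):
    """sid -> alert count for sids that alerted but are absent from the file.

    These point at rules loaded from a file other than the one checked.
    """
    states = parse_rule_states(rules_text)
    return {sid: n for sid, n in sids_in_fast_log(fast_text).items()
            if sid not in states}


if __name__ == "__main__":
    # Against real files: open('/usr/local/var/lib/suricata/rules/suricata.rules').read()
    # and open('/usr/local/var/log/suricata/fast.log').read() (paths are assumptions).
    print("alerting but disabled:", alerts_from_disabled_rules(SAMPLE_RULES, SAMPLE_FAST_LOG))
    print("alerting but not in file:", alerts_from_unknown_rules(SAMPLE_RULES, SAMPLE_FAST_LOG))
```

Run it on the real suricata.rules and fast.log, restricting fast.log to lines newer than the rules-update timestamp. If disabled sids still appear after that point, compare the rule path and file the running Suricata reports loading in its own startup log with the path suricata-update wrote to, and confirm a rule reload or restart actually happened after the update.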
