[Oisf-users] Suricata ignoring disable.conf

James Moe jimoe at sohnen-moe.com
Thu Oct 31 21:27:20 UTC 2019

  suricata v5.0.0
  opensuse 15.1

  I decided to disable the SURICATA rules since they do not really impart any
useful information for our network. I added "re:SURICATA" to <disable.conf> and
restarted. SURICATA rules are still in effect.

  Where should I look to discover why suricata is not heeding the rules?

  From <fast.log>:
10/31/2019-14:12:23.621724  [**] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} ->

  In <suricata.rules>:
# alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)

  In <suricata.yaml>:
default-rule-path: /usr/local/var/lib/suricata/rules
 - suricata.rules

  From the rules update log:
31/10/2019 -- 07:19:14 - <Info> -- Writing rules to
/usr/local/var/lib/suricata/rules/suricata.rules: total: 26165; enabled: 20590;
added: 1; removed 0; modified: 1

  The command line:
/usr/local/bin/suricata -v --pidfile /d500g/var/run/suricata.pid -c
/usr/local/etc/suricata/suricata.yaml -q 0

James Moe
moe dot james at sohnen-moe dot com
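As an added example (not from the post above or from the Suricata project), a small Python check that cross-references the SIDs firing in fast.log with the state of each rule in the on-disk suricata.rules. A SID that alerts while its rule line is commented out means the running Suricata is not using the file as written on disk; a SID that is absent from the file altogether means rules are being loaded from somewhere else. The log and rule lines below are constructed from the shapes shown in the post (the second rule and the third alert are invented for illustration).

```python
"""Cross-check fast.log alerts against the on-disk Suricata rule set."""
import re

# Constructed sample input modelled on the post; sids 2210999 and 9000001 are invented.
FAST_LOG = """\
10/31/2019-14:12:23.621724  [**] [1:2210042:2] SURICATA STREAM TIMEWAIT ACK with wrong seq [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} ->
10/31/2019-14:12:25.000001  [**] [1:2210999:1] CONSTRUCTED example rule [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} ->
10/31/2019-14:12:26.000002  [**] [1:9000001:1] CONSTRUCTED rule not in file [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} ->
"""

RULES = """\
# Leading '#' is how suricata-update disables a rule matched by disable.conf.
# alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)
alert tcp any any -> any any (msg:"CONSTRUCTED example rule"; flow:established; classtype:protocol-command-decode; sid:2210999; rev:1;)
"""

# fast.log alert header: [**] [gid:sid:rev] msg [**]
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject")


def load_rule_state(rules_text):
    """Map sid -> True if the rule is active, False if it is commented out."""
    state = {}
    for line in rules_text.splitlines():
        body = line.strip()
        disabled = body.startswith("#")
        body = body.lstrip("# ").strip()
        # Only treat a line as a rule if it starts with an action keyword;
        # this skips ordinary comment lines that merely mention "sid:".
        if not body.startswith(ACTIONS):
            continue
        m = SID_RE.search(body)
        if m:
            state[int(m.group(1))] = not disabled
    return state


def parse_fast_log(log_text):
    """Yield (sid, rev, msg) for every alert line in a fast.log excerpt."""
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            _gid, sid, rev, msg = m.groups()
            yield int(sid), int(rev), msg


def check_alerts(log_text, rules_text):
    """Classify firing sids: commented out on disk, or missing from the file."""
    state = load_rule_state(rules_text)
    report = {"disabled_on_disk": [], "not_in_file": []}
    for sid, _rev, _msg in parse_fast_log(log_text):
        if sid not in state:
            report["not_in_file"].append(sid)
        elif not state[sid]:
            report["disabled_on_disk"].append(sid)
    return report


if __name__ == "__main__":
    print(check_alerts(FAST_LOG, RULES))
```

Run it against the real files by replacing the constructed strings with the contents of fast.log and of the suricata.rules path listed under default-rule-path; a non-empty "disabled_on_disk" list means the loaded rule set predates the last suricata-update run.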
