[Oisf-users] signature action drop instead of alert

Vieri rentorbuy at yahoo.com
Fri Jan 24 11:46:12 UTC 2020


On Friday, January 24, 2020, 8:58:01 AM GMT+1, Vieri <rentorbuy at yahoo.com> wrote:
>
>> I'm using Suricata 5.0.1, and I'm getting lots of "drops" for several SURICATA STREAM signatures.
>
> In general you don't want to convert those rules to drop as they will
> trigger quite often in mixed traffic environments in some cases.

Would you suggest not dropping the SURICATA STREAM rules or the whole protocol-command-decode class type?
Any general guideline as to which categories/rulesets to drop for sure and which should be taken into account more cautiously for the drop action to take place?

> Can you check what path is set in the suricata config?
> I would guess that it's using another ruleset where you have action drop
> instead of alert.

OK, I think I pinpointed the problem.

# grep -r 2210042 /var/lib/suricata/*
/var/lib/suricata/rules/suricata.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)

# grep -r 2210042 /usr/share/suricata/rules/*
/usr/share/suricata/rules/stream-events.rules:alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)

They both have the "alert" event type, though.

suricata-update reports:

<Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
<Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
...etc...

So Suricata loads BOTH /usr/share/suricata/rules files AND /var/lib/suricata/rules/suricata.rules.
Why?
Is loading of the /usr/share/suricata/rules files hardcoded?

# grep -r /usr/share/suricata /etc/suricata/*
#

Are the files in /usr/share/suricata/rules installed when installing Suricata, or are they pulled in by suricata-update?

Should I simply delete them?

Vieri
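As an added example (not code from this thread or from the Suricata project), a small Python script that indexes rules by sid across the two rule directories discussed above, reports sids whose action differs between files, and summarises which classtypes and stream-event rules end up set to drop. The rule text is constructed inline: sid 2210042 is the one from the thread, while sid 9000002 and the "EXAMPLE" message are placeholders.

```python
import re
from collections import Counter, defaultdict
# Constructed sample rule files (placeholder content, not a real ruleset):
# sid 2210042 is the one from the thread, sid 9000002 is made up.
SAMPLE_FILES = {
    "/usr/share/suricata/rules/stream-events.rules": (
        'alert tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; '
        'stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)\n'
    ),
    "/var/lib/suricata/rules/suricata.rules": (
        '# comments and blank lines are skipped\n'
        'drop tcp any any -> any any (msg:"SURICATA STREAM TIMEWAIT ACK with wrong seq"; '
        'stream-event:timewait_ack_wrong_seq; classtype:protocol-command-decode; sid:2210042; rev:2;)\n'
        'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; '
        'classtype:attempted-admin; sid:9000002; rev:1;)\n'
    ),
}
# Action keyword, the header (never contains "("), then the option list in parentheses.
RULE_RE = re.compile(r'^\s*(?P<action>alert|drop|pass|reject\w*)\s+[^(]*\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Return action/sid/classtype/stream-event flag for a rule line, None for other lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m.group("opts")
    sid = re.search(r'\bsid:\s*(\d+)', opts)
    ctype = re.search(r'\bclasstype:\s*([^;]+);', opts)
    return {"action": m.group("action"), "sid": int(sid.group(1)) if sid else None,
            "classtype": ctype.group(1).strip() if ctype else None,
            "stream": "stream-event:" in opts}

def audit_rules(files):
    """Index rules by sid across files; report conflicting actions and what is set to drop."""
    by_sid = defaultdict(list)
    for path, text in files.items():
        for line in text.splitlines():
            rule = parse_rule(line)
            if rule and rule["sid"] is not None:
                by_sid[rule["sid"]].append(dict(rule, file=path))
    actions = {sid: sorted({r["action"] for r in rules}) for sid, rules in by_sid.items()}
    conflicts = {sid: acts for sid, acts in actions.items() if len(acts) > 1}  # same sid, different action
    drops = [r for rules in by_sid.values() for r in rules if r["action"] == "drop"]
    drop_by_classtype = Counter(r["classtype"] for r in drops)
    stream_drops = sorted({r["sid"] for r in drops if r["stream"]})  # STREAM rules that would block
    return {"conflicts": conflicts, "drop_by_classtype": drop_by_classtype, "stream_drops": stream_drops}

if __name__ == "__main__":
    for key, value in audit_rules(SAMPLE_FILES).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

To run it against the real directories, build the mapping from file contents, e.g. `{str(p): p.read_text() for p in Path('/var/lib/suricata/rules').glob('*.rules')}` with `pathlib.Path`.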


More information about the Oisf-users mailing list