Issue threshold.conf / suppressing

Started by Steven-B, June 24, 2025, 04:18:10 PM

Hi all,

I am trying to suppress some SIDs but it seems my threshold.conf is not working.
I tried altering the suricata.yaml configuration file by removing the hashtag at threshold-file: /usr/local/etc/suricata/threshold.conf, and I also tried custom.yaml, giving it the location of the threshold file, but I do not seem to succeed...

suppress gen_id 1, sid_id 2030387

I've also tested with other rules, with and without adding track by_src | by_dst, ip xxx.xxx.xxx.xxx, but whatever I do, it won't suppress the alerts.
Does anyone else have this problem?

I am on OPNsense 25.1.9_2-amd64 which is using Suricata 7.0.10.

Greetings,
Steven

Hi all,

After analyzing the logs this evening I realized I made a gigantic typo :)

this:
suppress gen_id 1, sid_id 2030387

should be:
suppress gen_id 1, sig_id 2030387


Problem solved!

Grts,
Steven
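The thread above turns on a single keyword: Suricata's threshold.conf grammar uses sig_id, and a line with sid_id is simply not the rule the author thought it was. The following is an added example, not code from the thread, from OPNsense or from the Suricata project: a small linter that checks each line of a threshold.conf against the documented shapes of suppress, threshold and rate_filter rules, flags unknown keywords with a closest-match suggestion, and catches a suppress rule that has track without ip. The sample file embedded below is constructed for the example; it repeats the typo from the first post next to the corrected line from the second, plus a few other rule forms to exercise the checks.

```python
"""Lint a Suricata threshold.conf and flag typos such as `sid_id` for `sig_id`.

Added example: the grammar below follows Suricata's documented threshold.conf
rule forms; the sample configuration is constructed for this illustration.
"""
import difflib
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: line 2 carries the typo from the forum post, line 3 the
# corrected rule, line 8 a suppress rule that names track but forgets ip.
SAMPLE_CONF = """\
# Comment lines and blanks are ignored.
suppress gen_id 1, sid_id 2030387
suppress gen_id 1, sig_id 2030387
suppress gen_id 1, sig_id 2210051, track by_src, ip [10.0.0.0/8,192.168.1.0/24]
suppress gen_id 1, sig_id 2210051, track by_dst, ip $HOME_NET
threshold gen_id 1, sig_id 2100498, type limit, track by_src, count 1, seconds 60
rate_filter gen_id 1, sig_id 2000005, track by_src, count 10, seconds 60, new_action drop, timeout 300
suppress gen_id 1, sig_id 2030387, track by_dst
"""

# Per rule type: required keywords, optional keywords, and fixed value sets.
GRAMMAR = {
    "suppress": {
        "required": ["gen_id", "sig_id"],
        "optional": ["track", "ip"],
        "values": {"track": {"by_src", "by_dst", "by_either"}},
    },
    "threshold": {
        "required": ["gen_id", "sig_id", "type", "track", "count", "seconds"],
        "optional": [],
        "values": {
            "type": {"threshold", "limit", "both"},
            "track": {"by_src", "by_dst", "by_rule", "by_both"},
        },
    },
    "rate_filter": {
        "required": ["gen_id", "sig_id", "track", "count", "seconds", "new_action", "timeout"],
        "optional": [],
        "values": {
            "track": {"by_src", "by_dst", "by_rule", "by_both"},
            "new_action": {"alert", "drop", "pass", "reject"},
        },
    },
}
NUMERIC = {"gen_id", "sig_id", "count", "seconds", "timeout"}  # sig_id 0 = wildcard


def _parse_fields(rest: str) -> List[Tuple[str, str]]:
    """Split 'gen_id 1, sig_id 5, ip [a,b]' into (keyword, value) pairs.
    Commas inside a single level of [...] belong to the address list."""
    fields = []
    for chunk in re.split(r",(?![^\[]*\])", rest):
        parts = chunk.strip().split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed field {chunk.strip()!r} (expected 'keyword value')")
        fields.append((parts[0], parts[1].strip()))
    return fields


def _valid_ip_value(value: str) -> bool:
    """Accept an address variable ($HOME_NET), one IP/CIDR (optionally negated
    with !), or a bracketed comma list of those."""
    if value.startswith("$"):
        return True
    items = value[1:-1].split(",") if value.startswith("[") and value.endswith("]") else [value]
    for item in items:
        try:
            ipaddress.ip_network(item.strip().lstrip("!"), strict=False)
        except ValueError:
            return False
    return True


def lint_threshold_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means every rule parsed."""
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        spec = GRAMMAR.get(head)
        if spec is None:
            problems.append((lineno, f"unknown rule type {head!r}"))
            continue
        try:
            fields = _parse_fields(rest)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        known = spec["required"] + spec["optional"]
        seen = {}
        for keyword, value in fields:
            if keyword not in known:
                # This is the check that would have caught `sid_id` in the thread.
                guess = difflib.get_close_matches(keyword, known, n=1)
                hint = f" (did you mean {guess[0]!r}?)" if guess else ""
                problems.append((lineno, f"unknown keyword {keyword!r} for {head}{hint}"))
                continue
            if keyword in seen:
                problems.append((lineno, f"duplicate keyword {keyword!r}"))
            seen[keyword] = value
            if keyword in NUMERIC and not value.isdigit():
                problems.append((lineno, f"{keyword} must be a non-negative integer, got {value!r}"))
            allowed = spec["values"].get(keyword)
            if allowed and value not in allowed:
                problems.append((lineno, f"{keyword} must be one of {sorted(allowed)}, got {value!r}"))
            if keyword == "ip" and not _valid_ip_value(value):
                problems.append((lineno, f"ip value {value!r} is not an address, CIDR, list or $variable"))
        missing = [k for k in spec["required"] if k not in seen]
        if missing:
            problems.append((lineno, f"missing required keyword(s) {missing}"))
        if head == "suppress" and ("track" in seen) != ("ip" in seen):
            problems.append((lineno, "suppress with 'track' needs 'ip' (and vice versa)"))
    return problems


if __name__ == "__main__":
    for n, msg in lint_threshold_conf(SAMPLE_CONF):
        print(f"threshold.conf:{n}: {msg}")
```

Run against the constructed sample, the linter reports line 2 twice (unknown keyword sid_id with the suggestion sig_id, and the now-missing required sig_id) and line 8 once (track without ip); the corrected rule on line 3 passes. Suricata's own check is its test-configuration mode, suricata -T -c <suricata.yaml>, which is worth running after editing the file so a silently ignored rule does not have to be discovered from the alerts that keep coming.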