this post was submitted on 15 Apr 2025

OPNsense


All discussions about the open source, FreeBSD-based firewall called OPNsense.

Hello, I have some strange behaviour with my Suricata on OPNsense and was wondering if anyone is experiencing the same:

I wanted to keep an IPS signature active, dropping the packets, but not get an alert every time, since the source is beyond the scope of my control (neighbour) and the alerts are spamming my log.

Since this isn't implemented in the GUI yet, I manually added

include: threshold.config

to /usr/local/etc/suricata/custom.yaml

and added

suppress gen-id 1, sig-id 1234567

to /usr/local/etc/suricata/threshold.config

However, after this Suricata wouldn't start anymore, giving the error that it couldn't load threshold.config because it needs to have YAML 1.1 and


as first lines.

Not only does this differ from the documentation, it also differs from the example file.

With this added anyway, Suricata will start, but has errors in the logs: it couldn't parse YAML 1.1, couldn't parse


and couldn't parse suppress gen-id 1, sig-id 1234567

So it's still not working....

Anyone got an idea what's wrong here, or how I could drop packets silently?

EDIT: when changing the suppression to

suppress gen_id 1, sig_id 1234567

I get the warning

suppress gen_id 1, sig_id 1234567 is deprecated. Please use suppress gen-id 1, sig-id 1234567 on line 3

when starting Suricata.

BUT NO parsing error about the suppress line (only about the YAML and


lines), indicating it works now?

Seems not intended, or am I doing something wrong?
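
An added example, not code from the poster, OPNsense or Suricata: a small Python checker for a threshold.config file that catches the two things the post runs into before Suricata is restarted, namely YAML document markers pasted into what is a plain-text file, and entries the parser does not recognise. It assumes the suppress/threshold line syntax from the Suricata global-thresholds documentation (gen_id/sig_id, optional track/ip, type/count/seconds) and, because both spellings occur in the thread, also accepts the dashed gen-id/sig-id form and records which one a line used. The sample file is constructed inline; the signature IDs and address in it are made up.

```python
"""Lint a Suricata threshold.config before restarting the IDS.

Added example, not from the original post or from OPNsense/Suricata.
It parses the plain-text suppress/threshold syntax and reports lines
that would not belong in such a file.
"""
import re
from dataclasses import dataclass, field

# Assumption: accept both the documented gen_id/sig_id spelling and the
# dashed gen-id/sig-id form quoted in the deprecation warning, and note
# which one each line used so the operator can see what the running
# Suricata is being fed.
_ID = r"(?P<gkey>gen[_-]id)\s+(?P<gid>\d+)\s*,\s*(?P<skey>sig[_-]id)\s+(?P<sid>\d+)"
_SUPPRESS = re.compile(
    rf"^suppress\s+{_ID}"
    r"(?:\s*,\s*track\s+(?P<track>by_\w+)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)
_THRESHOLD = re.compile(
    rf"^threshold\s+{_ID}\s*,\s*type\s+(?P<type>limit|threshold|both)\s*,\s*"
    r"track\s+(?P<track>by_\w+)\s*,\s*count\s+(?P<count>\d+)\s*,\s*seconds\s+(?P<seconds>\d+)\s*$"
)


@dataclass
class Entry:
    kind: str           # "suppress" or "threshold"
    gid: int
    sid: int
    spelling: str       # "underscore" (gen_id) or "dash" (gen-id), as written
    extra: dict = field(default_factory=dict)   # track/ip or type/track/count/seconds


@dataclass
class Report:
    entries: list = field(default_factory=list)
    problems: list = field(default_factory=list)    # (line number, message)


def lint_threshold_config(text: str) -> Report:
    """Parse every non-comment line; unparseable lines become problems."""
    rep = Report()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A YAML header has no business in threshold.config; seeing one means
        # the file was prepared as a YAML include rather than as a threshold file.
        if line.startswith("%YAML") or line == "---":
            rep.problems.append((no, "YAML document marker in a plain-text threshold file"))
            continue
        m = _SUPPRESS.match(line) or _THRESHOLD.match(line)
        if not m:
            rep.problems.append((no, f"unrecognized entry: {line!r}"))
            continue
        g = m.groupdict()
        spelling = "underscore" if "_" in g["gkey"] else "dash"
        if ("-" in g["gkey"]) != ("-" in g["skey"]):
            rep.problems.append((no, "mixed gen_id/sig_id spellings on one line"))
        extra = {k: v for k, v in g.items()
                 if k not in ("gkey", "gid", "skey", "sid") and v is not None}
        rep.entries.append(Entry(line.split()[0], int(g["gid"]), int(g["sid"]), spelling, extra))
    return rep


# Constructed sample: the two header lines and the typo on the last line are
# deliberate mistakes; the SIDs and the address are made up.
SAMPLE = """\
%YAML 1.1
---
# suppress alerts for one signature, globally and for one source host
suppress gen_id 1, sig_id 1234567
suppress gen-id 1, sig-id 1234567
suppress gen_id 1, sig_id 2009557, track by_src, ip 192.0.2.10
threshold gen_id 1, sig_id 2404000, type limit, track by_src, count 1, seconds 60
supress gen_id 1, sig_id 42
"""

if __name__ == "__main__":
    report = lint_threshold_config(SAMPLE)
    for e in report.entries:
        print(f"{e.kind:9} gid={e.gid} sid={e.sid} ({e.spelling}) {e.extra}")
    for no, msg in report.problems:
        print(f"line {no}: {msg}")
```

Run it against /usr/local/etc/suricata/threshold.config (read the file and pass its text to lint_threshold_config) and fix every reported line before restarting the service; the checker only validates syntax and says nothing about whether a suppressed drop rule still drops.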

no comments (yet)