Hello,

After carefully monitoring /var/log/suricata/fast.log I ended up with the conclusion that whatever suppress rules are added in /var/lib/suricata/threshold.config, these are ignored.

I did check oinkmaster.conf and the line for skipping threshold.conf is commented:

    # skipfile threshold.conf

Ex: I use a Cisco Meraki AP that constantly checks the Meraki cloud. Here is one suppress for traffic done by Meraki equipment:

    #Meraki uses curl User-Agent Outbound - 209.206.58.5 seen in fast.log and SID [1:2013028:4]
    suppress gen_id 1, sig_id 2013028, track by_dst, ip 209.206.48.0/20

After more than a week with the above suppress rule, the fast.log still shows suricata blocking access to the Meraki cloud for the suppressed SID. Examples for one entire day:

    grep curl /var/log/suricata/fast.log
    06/09/2019-00:07:20.470139 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41196 -> 209.206.58.5:80
    06/09/2019-01:17:20.448397 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41226 -> 209.206.58.5:80
    06/09/2019-02:24:06.120829 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41260 -> 209.206.58.5:80
    06/09/2019-03:32:27.630445 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41306 -> 209.206.58.5:80
    06/09/2019-04:37:39.230386 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41334 -> 209.206.58.5:80
    06/09/2019-05:43:27.637144 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41362 -> 209.206.58.5:80
    06/09/2019-06:47:15.419571 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41390 -> 209.206.58.5:80
    06/09/2019-07:54:46.299543 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41418 -> 209.206.58.5:80
    06/09/2019-08:58:34.541111 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41446 -> 209.206.58.5:80
    06/09/2019-10:03:21.573281 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41474 -> 209.206.58.5:80
    06/09/2019-11:09:41.265727 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41510 -> 209.206.58.5:80
    06/09/2019-12:18:14.059065 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41542 -> 209.206.58.5:80
    06/09/2019-13:26:28.229837 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41748 -> 209.206.58.5:80
    06/09/2019-14:36:08.741069 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:41948 -> 209.206.58.5:80
    06/09/2019-15:45:06.339883 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42050 -> 209.206.58.5:80
    06/09/2019-16:48:11.990484 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42150 -> 209.206.58.5:80
    06/09/2019-17:57:49.116869 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42206 -> 209.206.58.5:80
    06/09/2019-19:02:34.997594 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42290 -> 209.206.58.5:80
    06/09/2019-20:08:35.783349 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42344 -> 209.206.58.5:80
    06/09/2019-21:19:14.855000 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42396 -> 209.206.58.5:80
    06/09/2019-22:22:15.954240 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42572 -> 209.206.58.5:80
    06/09/2019-23:24:21.124110 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42614 -> 209.206.58.5:80
    06/10/2019-00:34:20.547832 [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} ppp0_ip:42644 -> 209.206.58.5:80

Thank you,
Horace
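A practical first check when a suppress rule seems to be ignored is to confirm, offline, that the rule as written actually matches the alerts in fast.log: same gen_id and sig_id, the right track direction, and a destination that really falls inside the given CIDR. If it does, the rule syntax is not the problem and attention moves to whether Suricata is loading threshold.config at all. The script below is an added example, not part of the report or of IPFire/Suricata; it parses fast.log lines and threshold.config suppress rules in the formats quoted above and reports how many logged alerts the rules should have silenced. The alert lines and the 1000001 SID are constructed sample input; only the suppress rule is taken verbatim from the report.

```python
"""Offline check of Suricata suppress rules against fast.log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not the report's own log): three alerts for the
# report's SID, two to a destination inside 209.206.48.0/20 and one outside it,
# plus one alert for a made-up local SID. Source addresses use the
# documentation range 192.0.2.0/24 in place of the report's "ppp0_ip".
SAMPLE_FAST_LOG = """\
06/09/2019-00:07:20.470139  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41196 -> 209.206.58.5:80
06/09/2019-01:17:20.448397  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41226 -> 209.206.58.5:80
06/09/2019-01:20:00.000000  [Drop] [**] [1:2013028:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41300 -> 198.51.100.7:80
06/09/2019-01:25:00.000000  [**] [1:1000001:1] LOCAL constructed test alert [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.0.2.10:5353 -> 209.206.58.5:53
"""

# The suppress rule exactly as written in the report, with its comment line.
SAMPLE_THRESHOLD_CONFIG = """\
#Meraki uses curl User-Agent Outbound - 209.206.58.5 seen in fast.log and SID [1:2013028:4]
suppress gen_id 1, sig_id 2013028, track by_dst, ip 209.206.48.0/20
"""

# fast.log layout: "<ts>  [<action>] [**] [gid:sid:rev] <msg> [**] [...] {proto} src:sport -> dst:dport".
# "[Drop]" only appears in IPS mode, so it is optional. IPv4 only: IPv6 addresses
# carry their own colons and would need a different address pattern.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    rf"\{{(?P<proto>\w+)\}}\s+(?P<src>{IPV4}):\d+\s+->\s+(?P<dst>{IPV4}):\d+\s*$"
)

# threshold.config suppress syntax:
#   suppress gen_id <gid>, sig_id <sid>[, track <by_src|by_dst|by_either>, ip <ip|cidr>]
# gen_id 0 / sig_id 0 act as wildcards; without track/ip the suppression is global.
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(?P<gid>\d+)\s*,\s*sig_id\s+(?P<sid>\d+)"
    r"(?:\s*,\s*track\s+(?P<track>by_src|by_dst|by_either)\s*,\s*ip\s+(?P<ip>\S+))?\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    msg: str
    src: str
    dst: str
    raw: str


@dataclass
class Suppress:
    gid: int
    sid: int
    track: Optional[str]
    network: Optional[ipaddress.IPv4Network]
    raw: str


def parse_fast_log(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:  # lines that do not parse are skipped rather than guessed at
            alerts.append(Alert(m["ts"], int(m["gid"]), int(m["sid"]), m["msg"], m["src"], m["dst"], line))
    return alerts


def parse_threshold_config(text: str) -> List[Suppress]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUPPRESS_RE.match(line)
        if m:  # threshold/rate_filter lines are out of scope here
            net = ipaddress.ip_network(m["ip"], strict=False) if m["ip"] else None
            rules.append(Suppress(int(m["gid"]), int(m["sid"]), m["track"], net, line))
    return rules


def suppresses(rule: Suppress, alert: Alert) -> bool:
    """True if Suricata would have silenced this alert under this rule."""
    if rule.gid not in (0, alert.gid) or rule.sid not in (0, alert.sid):
        return False
    if rule.network is None:
        return True
    src, dst = ipaddress.ip_address(alert.src), ipaddress.ip_address(alert.dst)
    if rule.track == "by_src":
        return src in rule.network
    if rule.track == "by_dst":
        return dst in rule.network
    return src in rule.network or dst in rule.network


def audit(threshold_text: str, fast_log_text: str) -> dict:
    """Count logged alerts that a loaded threshold.config should have silenced."""
    rules = parse_threshold_config(threshold_text)
    alerts = parse_fast_log(fast_log_text)
    leaked = [a for a in alerts if any(suppresses(r, a) for r in rules)]
    return {"alerts": len(alerts), "rules": len(rules),
            "should_have_been_suppressed": len(leaked),
            "leaked_sids": sorted({a.sid for a in leaked})}


if __name__ == "__main__":
    result = audit(SAMPLE_THRESHOLD_CONFIG, SAMPLE_FAST_LOG)
    print(result)
    if result["should_have_been_suppressed"]:
        print("rule matches logged alerts: check that suricata.yaml points at this threshold.config")
```

Run against the real files with `audit(open("/var/lib/suricata/threshold.config").read(), open("/var/log/suricata/fast.log").read())`. A non-zero "should_have_been_suppressed" count means the rule is well-formed and covers the traffic (209.206.58.5 does sit inside 209.206.48.0/20), so the remaining question is whether the running Suricata is reading that file at all, for example via the threshold-file setting in its suricata.yaml.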
Patch has been sent to the development mailing list: https://patchwork.ipfire.org/patch/2732/
As far as I am concerned, this patch has never made it into ipfire-2.x. Cc: Arne
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=1d84b352dfc6275dfefb8645b54ed2f0fa350524
https://blog.ipfire.org/post/ipfire-2-25-core-update-143-is-available-for-testing
https://blog.ipfire.org/post/ipfire-2-25-core-update-143-released