suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.19
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.20
# with the above 2 rules, if both are enabled at the same time - it does not work as supposed (does not suppress the alert)
# if we enable only one (or change the sig_id of one of the rules), it does work (alerts are suppressed) - the same situation below with "track by_src"

# if you enable both of the rules below - an alert would be generated with suppresstest.pcap (although it should not)
# if only one suppress rule is enabled (82.96.58.41) - it works as expected
#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
#suppress gen_id 1, sig_id 5001684, track by_src, ip 5.5.5.5

# with both rules below enabled - Suricata works as expected (notice the difference between the sig_id)
#suppress gen_id 1, sig_id 1234567, track by_src, ip 5.5.5.5
#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41

# so it actually (judging by the tests) comes down to the same sig_id value, if you have it more than once, it seems it is not working