Did some more testing and I think we have pinpointed the issue.
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.19
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.20
# With the above 2 rules, if both are enabled at the same time, it does not work as it is supposed to (does not suppress the alert)
- If we enable only one (or change the sig_id of one of the rules and enable both), it does work (alerts are suppressed). The same situation below with "track by_src":
# If you enable both of the rules below, an alert is generated with suppresstest.pcap (although it should not be)
# If only one suppress rule is enabled (82.96.58.41), it works as expected and suppresses the alert
#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
#suppress gen_id 1, sig_id 5001684, track by_src, ip 5.5.5.5
- With both rules below enabled, Suricata works as expected (notice the difference between the sig_id values)
#suppress gen_id 1, sig_id 1234567, track by_src, ip 5.5.5.5
#suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
- So it actually (judging by the tests) comes down to the same sig_id value: if you have it more than once, it seems not to work.
Please find a 7-packet pcap attached along with a YAML conf file.
The pcap has source IP 82.96.58.41 and destination IP 192.168.137.19.
You can use repeatedly:
suricata -c /etc/suricata/suricata.yaml -s supress.rule -r suppresstest.pcap
to verify the issue.
thanks
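As an added check written for this report (it is not part of the original post or of Suricata), the following Python script parses suppress entries in the threshold format shown above and flags every gen_id/sig_id pair that is active more than once, which is the configuration shape the tests above describe. The sample config is constructed from the entries in this post; the function and regex names are my own.

```python
import re
from collections import defaultdict

# Constructed sample built from the entries in the report. The '#' line is a
# commented-out entry and must be ignored, exactly as Suricata would ignore it.
SAMPLE_CONFIG = """\
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.19
suppress gen_id 1, sig_id 5001684, track by_dst, ip 192.168.137.20
#suppress gen_id 1, sig_id 5001684, track by_src, ip 5.5.5.5
suppress gen_id 1, sig_id 1234567, track by_src, ip 5.5.5.5
suppress gen_id 1, sig_id 5001684, track by_src, ip 82.96.58.41
"""

# Matches the suppress form used in the report: gen_id, sig_id, track, ip.
SUPPRESS_RE = re.compile(
    r"^\s*suppress\s+gen_id\s+(?P<gen>\d+)\s*,\s*sig_id\s+(?P<sig>\d+)"
    r"\s*,\s*track\s+(?P<track>by_src|by_dst)\s*,\s*ip\s+(?P<ip>\S+)\s*$",
    re.IGNORECASE,
)


def parse_suppress(text):
    """Return (gen_id, sig_id, track, ip) tuples for the active suppress entries."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out: not active
        m = SUPPRESS_RE.match(stripped)
        if m:
            entries.append((int(m["gen"]), int(m["sig"]), m["track"].lower(), m["ip"]))
    return entries


def find_repeated_sig_ids(entries):
    """Group active entries by (gen_id, sig_id) and return the groups with more than one entry."""
    groups = defaultdict(list)
    for gen, sig, track, ip in entries:
        groups[(gen, sig)].append((track, ip))
    return {key: targets for key, targets in groups.items() if len(targets) > 1}


if __name__ == "__main__":
    repeated = find_repeated_sig_ids(parse_suppress(SAMPLE_CONFIG))
    for (gen, sig), targets in sorted(repeated.items()):
        print(f"gen_id {gen} sig_id {sig} is active {len(targets)} times: {targets}")
```

Run it against the real threshold file to list which sig_ids are affected before re-testing with the pcap.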