Disable suricata rule / whitelist

Hi all,
I’m looking for a way to disable one suricata rule by its SID without disabling the whole category. Is it enough to put the SID taken from evebox in the file /etc/pulledpork/disablesid.conf followed by a signal-event nethserver-suricata-update and systemctl restart suricata?
What can I do if I would only whitelist an IP address to have it not filtered for any rule?
BR Stefano

Yes, that should do it.

I didn’t test it but you may create your own rule file in /etc/suricata/rules/passip.rules with the following content:

pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:100000;)

To add it to /etc/suricata/suricata.yaml we need a dirty copied custom template:

cp /etc/e-smith/templates/etc/suricata/suricata.yaml/10base /etc/e-smith/templates-custom/etc/suricata/suricata.yaml/

Edit /etc/e-smith/templates-custom/etc/suricata/suricata.yaml/10base and add - passip at line 64:

...
rule-files:
 - passip
{
    $blockCategories = $suricata{'BlockCategories'} || '';
...

A signal-event nethserver-suricata-update is needed to apply the changes.

The disadvantage of this solution is that if the suricata template file is updated by i.e. a system update, you have to manually copy the template to the custom one /etc/e-smith/templates-custom/etc/suricata/suricata.yaml/10base. You can find more information about templates in the docs.

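To make the whitelist suggestion above a little less error-prone, here is an added helper (written for this thread, not part of NethServer or Suricata) that builds a passip.rules file in exactly the shape shown, from a plain list of IPs or networks. It validates every entry with Python's ipaddress module, numbers the rules from 1000000 upwards (the range Suricata reserves for local rules, so they cannot collide with a downloaded ruleset), drops duplicates, and can re-read a file to report SIDs used twice, since Suricata refuses a signature whose sid is already loaded. Keep in mind that a pass ip rule stops all inspection of matching packets in both directions, so alerts about attacks coming from the whitelisted host are suppressed as well; prefer the narrowest address or network that does the job. The sample allowlist at the bottom is constructed for illustration.

```python
"""Build and sanity-check a Suricata pass-rule file from an IP allowlist.

Hypothetical helper written for this thread; it is not NethServer or
Suricata code. It emits rules of the form used above:
    pass ip 1.2.3.4 any <> any any (msg:"..."; sid:N; rev:1;)
"""
import ipaddress
import re

# Suricata reserves 1000000-1999999 for locally written rules.
LOCAL_SID_START = 1000000
LOCAL_SID_END = 1999999

# Matches only the rule shape this thread uses: ip protocol, bidirectional.
PASS_RULE_RE = re.compile(
    r'^pass\s+ip\s+(?P<addr>\S+)\s+any\s+<>\s+any\s+any\s+\((?P<opts>[^)]*)\)\s*$'
)
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')


def _render_address(net):
    """Print a /32 (or /128) as a bare host, anything else in CIDR form."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_pass_rules(allowlist, first_sid=LOCAL_SID_START):
    """Turn allowlist entries into pass rules.

    Returns (rules, rejected): rules holds one rule string per distinct
    address with consecutive SIDs from first_sid; rejected lists entries
    that are not valid IPv4/IPv6 addresses or networks. Blank lines and
    '#' comments are ignored; duplicates are collapsed so SIDs stay unique.
    """
    rules, rejected, seen = [], [], set()
    sid = first_sid
    for raw in allowlist:
        entry = raw.strip()
        if not entry or entry.startswith('#'):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        addr = _render_address(net)
        if addr in seen:
            continue
        seen.add(addr)
        if sid > LOCAL_SID_END:
            raise ValueError('ran out of local SIDs')
        rules.append(
            f'pass ip {addr} any <> any any '
            f'(msg:"pass all traffic from/to {addr}"; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules, rejected


def parse_pass_rules(text):
    """Extract (sid, address) pairs from a rules file in the thread's format.

    Blank lines, comments and lines of another shape are skipped; a rule
    without a sid option is reported with sid None.
    """
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = PASS_RULE_RE.match(line)
        if not m:
            continue
        s = SID_RE.search(m.group('opts'))
        found.append((int(s.group(1)) if s else None, m.group('addr')))
    return found


def duplicate_sids(text):
    """Return the sorted SIDs that occur more than once in a rules file.

    Suricata rejects a signature whose gid:sid is already loaded, so a
    duplicate here means one of the pass rules would not take effect.
    """
    counts = {}
    for sid, _ in parse_pass_rules(text):
        if sid is not None:
            counts[sid] = counts.get(sid, 0) + 1
    return sorted(s for s, n in counts.items() if n > 1)


if __name__ == '__main__':
    # Constructed sample allowlist, not data from the thread.
    sample = ['# monitoring host', '1.2.3.4', '10.0.0.0/8', '1.2.3.4', 'not-an-ip']
    rules, rejected = build_pass_rules(sample)
    print('\n'.join(rules))
    print('rejected:', rejected)
```

After writing the output into /etc/suricata/rules/passip.rules and adding passip to the template as described, suricata -T -c /etc/suricata/suricata.yaml loads the configuration in test mode and reports rule parsing errors before you restart the service.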
Thanks Markus, disabling the SID by putting it in disablesid.conf works like a charm, I will try the other suggestion in a few days and let you know if it works too.
BR