To reload rules, either send the USR2 signal to the suricata process or use suricatasc
==> rule-reload
Assuming Alpine Linux:
# Create the hourly job; Alpine's periodic cron runs the files placed in this directory.
vi /etc/periodic/hourly/suricata-update
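#!/bin/sh
# /etc/periodic/hourly/suricata-update
# Refresh the Suricata rule set with suricata-update, then send SIGUSR2 to the
# running daemon so it reloads the new rules in place (no restart).
# Requires: suricata-update in PATH; daemon pid in /var/run/suricata.pid.
# Exit status: 0 on success, 1 if the update fails or the daemon cannot be
# signalled (the rules on disk are still updated in the latter case).
set -eu

pidfile=/var/run/suricata.pid

# suricata-update's normal output is noisy under cron; only stderr is kept so
# a failing run is still reported by cron.
if ! suricata-update >/dev/null; then
  echo "error: could not update suricata rules from cron job" >&2
  exit 1
fi

# Never call kill with an empty or non-numeric argument: read the pid file
# first and validate it (an empty pid would signal the wrong target).
pid=$(cat "$pidfile" 2>/dev/null) || pid=
case $pid in
  '' | *[!0-9]*)
    echo "error: $pidfile missing or invalid; rules updated but suricata not signalled" >&2
    exit 1
    ;;
esac

if ! kill -USR2 "$pid"; then
  echo "error: could not signal suricata (pid $pid) to reload rules" >&2
  exit 1
fi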
# The job must be executable, otherwise the periodic runner skips it.
chmod +x /etc/periodic/hourly/suricata-update
First identify the matching gid and signature id from the log server (SIEM) — the `alert.gid` and `alert.signature_id` fields:
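# Look up a rule by signature id in the rule file that suricata-update writes.
# gid/sigid come from the SIEM alert (alert.gid / alert.signature_id); gid is
# kept alongside because disable.conf entries are written as "gid:sid".
# NOTE: these must be separate assignments. Written as a prefix to grep
# ("sigid=... grep $sigid") the variable is expanded before it is assigned.
gid=1
sigid=906200068
# Match the exact "sid:<n>;" rule option rather than any substring of the number.
grep -F -- "sid:${sigid};" /var/lib/suricata/rules/suricata.rules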
Then disable that specific signature in disable.conf, with a short explanation of why, for the record:
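cd /etc/suricata/ || exit 1
# Start from the template shipped with suricata-update; -i refuses to clobber
# an existing disable.conf.
cp -i /usr/lib/suricata/python/suricata/update/configs/disable.conf .
# Entries are "gid:sid", one per line. Keep the reason next to each entry so
# the next person can tell a tuned-out false positive from a real blind spot.
# This appends to the file once; edit disable.conf directly for later changes.
cat >>/etc/suricata/disable.conf <<'EOF'
# SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
# this is localhost talking to elasticsearch
1:906200068
# SURICATA STREAM TIMEWAIT ACK with wrong seq
# we do not necessarily need that much detail unless we check layer1
1:2210042
# SURICATA STREAM Packet with invalid timestamp
# maybe hardware checksum offload
1:2210044
EOF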
Then apply the change:
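# Regenerate the rule set with disable.conf applied, then make the daemon pick
# it up. Chain with && so a failed update does not restart with stale rules.
# A rule reload (SIGUSR2, as in the cron job above) is sufficient; a full
# restart also works but briefly drops the engine's flow state.
suricata-update \
  && systemctl restart suricata \
  && systemctl status suricata
# NOTE: on Alpine (OpenRC, no systemd) the equivalent is
# `rc-service suricata restart` and `rc-service suricata status`.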
https://docs.suricata.io/en/latest/rule-management/suricata-update.html
https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-suricata-rules.htm
https://nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/ex-suricata-config-test.htm ==> blacksun
https://rules.emergingthreats.net/open/
https://rules.emergingthreats.net/OPEN_download_instructions.html
https://forum.netgate.com/topic/177097/suricata-stream-packet-with-invalid-timestamp/3 SURICATA STREAM Packet with invalid timestamp
https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html
https://forum.suricata.io/t/configuring-suricata-update-to-run-on-a-dedicated-host/539/12 ==> USR2
https://forum.suricata.io/t/logrotate-logs-not-rotating/2200 ==> HUP