Suppressing rule issues
In addition to the include and exclude options mentioned in the CLI Reference, which are used to enable and disable checkers for entire rules files, you can also suppress issues for individual rules using the suricata-check keyword in the metadata option.
For example, if you consider a certain issue (e.g., S800) to be a false positive, or if it is something you do not want to focus on currently, you can disable that specific issue code as follows:
alert ip any any -> any any (msg:"Test"; sid:1; metadata: suricata-check "S800";)
You can suppress multiple issues by separating them with commas:
alert ip any any -> any any (msg:"Test"; sid:1; metadata: suricata-check "S800,S100,C100";)
You can also use regular expressions to suppress issues:
alert ip any any -> any any (msg:"Test"; sid:1; metadata: suricata-check "S800,S.*,C.*";)
Ignoring issues for specific rules as described above results in output without any of the suppressed issues for that rule. Therefore, these issues will not be present in stdout, suricata-check.fast or suricata-check.jsonl, and they are not reflected in suricata-check.stats.
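The following is an added illustration of the suppression mechanism described above (the comma-separated codes and regular expressions in the suricata-check metadata keyword, and their removal from the reported issues); it is example code written for this page, not suricata-check's own implementation. It assumes that a pattern suppresses an issue when it matches the whole issue code, and the rule and issue list are constructed samples.

```python
import re

# Constructed sample rule in the form shown above (not taken from suricata-check itself).
RULE = 'alert ip any any -> any any (msg:"Test"; sid:1; metadata: suricata-check "S800,S.*,C.*";)'

# Constructed sample issues of the kind a checker would report for a single rule.
ISSUES = [
    {"code": "S800", "message": "constructed issue"},
    {"code": "S100", "message": "constructed issue"},
    {"code": "C100", "message": "constructed issue"},
    {"code": "M000", "message": "constructed issue"},
]

# The metadata option body (up to the terminating ';') and, inside it,
# the quoted value of the suricata-check keyword.
METADATA_RE = re.compile(r'metadata:\s*([^;]*);')
SUPPRESS_RE = re.compile(r'suricata-check\s+"([^"]*)"')


def suppression_patterns(rule: str) -> list[str]:
    """Return the comma-separated codes/regexes given via the suricata-check
    keyword in the rule's metadata option (empty list if there are none)."""
    patterns: list[str] = []
    for meta in METADATA_RE.findall(rule):
        for match in SUPPRESS_RE.finditer(meta):
            patterns.extend(p.strip() for p in match.group(1).split(",") if p.strip())
    return patterns


def is_suppressed(code: str, patterns: list[str]) -> bool:
    """Assumption: a pattern suppresses a code when it matches the whole code,
    so 'S.*' covers S100 and a literal code such as 'S800' matches only itself."""
    return any(re.fullmatch(pattern, code) for pattern in patterns)


def filter_issues(rule: str, issues: list[dict]) -> list[dict]:
    """Drop every issue whose code is suppressed for this rule; this is the set
    that would reach stdout, the .fast/.jsonl outputs and the statistics."""
    patterns = suppression_patterns(rule)
    return [issue for issue in issues if not is_suppressed(issue["code"], patterns)]


if __name__ == "__main__":
    for issue in filter_issues(RULE, ISSUES):
        print(issue["code"], issue["message"])  # only M000 survives the suppression
```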