Open RaveNN-0 opened 1 month ago
Hey @RaveNN-0,
Thank you for bringing this to our attention. The behaviour definitely seems incorrect and I've been able to reproduce it on my own setup. We will thoroughly investigate this issue.
In the meantime, I have a workaround that may help. Try to ensure that you don't have the same gid:sid pair in both the `suppress` and `event_filter` tables. As a test, I have removed any duplicate entries from your configuration, and I no longer see any unwanted alerts.
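A small checker for the workaround above, added here as an example and not code from the Snort project or from either commenter: it scans a snort.lua for gid:sid pairs that are declared in both the `suppress` and `event_filter` tables, which is the condition the maintainer says to avoid. The embedded configuration is constructed for illustration (rule 1:1000001 is deliberately listed in both tables); the reporter's actual snort.zip is not reproduced here, and the parser assumes the flat `name = { { ... }, ... }` table layout shown, not arbitrary Lua.

```python
import re

# Constructed snort.lua fragment (NOT the reporter's attachment). Entry 1:1000001
# appears in both tables, which is exactly the duplication the workaround removes.
SAMPLE_SNORT_LUA = """
suppress =
{
    { gid = 1, sid = 1000001 },
    { gid = 1, sid = 1000002, track = 'by_src', ip = '10.1.1.0/24' },
}

event_filter =
{
    { gid = 1, sid = 1000001, type = 'limit', track = 'by_src', count = 1, seconds = 60 },
    { gid = 129, sid = 1, type = 'threshold', track = 'by_dst', count = 10, seconds = 5 },
}
"""

# One inner entry: a brace group with no nested braces (flat table layout assumed).
INNER_RE = re.compile(r"\{[^{}]*\}")
KEY_RE = {k: re.compile(rf"\b{k}\s*=\s*(\d+)") for k in ("gid", "sid")}


def _table_body(text, name):
    """Return the text inside the outermost braces of `name = { ... }`, or '' if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*=\s*\{", text, re.MULTILINE)
    if not m:
        return ""
    start = m.end()  # position just after the opening brace
    depth = 1
    for i in range(start, len(text)):
        c = text[i]
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unbalanced braces in table {name}")


def gid_sid_pairs(text, name):
    """Set of (gid, sid) tuples declared in the named top-level table."""
    pairs = set()
    for entry in INNER_RE.findall(_table_body(text, name)):
        g = KEY_RE["gid"].search(entry)
        s = KEY_RE["sid"].search(entry)
        if g and s:
            pairs.add((int(g.group(1)), int(s.group(1))))
    return pairs


def overlapping_pairs(text):
    """gid:sid pairs present in both suppress and event_filter, sorted for stable output."""
    return sorted(gid_sid_pairs(text, "suppress") & gid_sid_pairs(text, "event_filter"))


if __name__ == "__main__":
    # Run against a real file with: overlapping_pairs(open('snort.lua').read())
    for gid, sid in overlapping_pairs(SAMPLE_SNORT_LUA):
        print(f"{gid}:{sid} is declared in both suppress and event_filter")
```

The checker only reports the overlap; which entry to keep is a policy decision. A `suppress` entry drops the event entirely, while an `event_filter` entry with `type = 'limit'` or `type = 'threshold'` rate-limits it, so keep the one that matches what you actually want for that rule and delete the other.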
I try not to repeat them in both `suppress` and `event_filter`, but I guess I still left some unknowingly! Thank you!
Hello, I installed the latest version of Snort and used an older config I already had, but it seems to me that Snort isn't suppressing the rules I defined.
Snort version:
snort.lua (I removed the home and external net): snort.zip
How I run Snort:
/usr/local/snort/bin/snort -u snort -g snort -c /usr/local/snort/etc/snort/snort.lua --daq-dir /usr/local/lib/daq_s3/lib/daq --plugin-path /usr/local/snort/lib64/snort/plugins/extra/ --plugin-path=/usr/local/snort/so_rules -l /var/log/snort/ens1f1np1 -i ens1f1np1 -D
Triggered alerts:
Any solutions?
P.S.: It also doesn't load the so_rules, but this is another issue. Don't know if they are related.