
Flowmon User Guide

Configuration in the Command Line

  • Last Updated: April 5, 2026

This section contains a description of advanced settings of the Suricata IDS system. These settings can be configured only using the command-line interface.

False Positive Tuning with "suppress"

When a signature produces too many uninteresting events, you can suppress them in the threshold configuration file /data/idsp/user-config/threshold.config.

The syntax of a suppress rule is as follows:

suppress gen_id <gid>, sig_id <sid>

To suppress a specific signature only for one or more IP addresses, add the track and ip keywords to the suppress rule:

suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst|by_either>, ip <ip|subnet|addressvar>

To match all signatures or all generators, use sig_id 0 or gen_id 0 respectively.

For more information, see the official documentation of the Suricata IDS.

Example for the signature with ID 2022886:

  1. Log in to the IDS Probe as the flowmon user.

  2. vim /data/idsp/user-config/threshold.config

  3. Add the line suppress gen_id 1, sig_id 2022886

  4. Restart the IDS Probe.

  5. Check the result in the IDS event browser.

In the event browser, signature 2022886 is highlighted in green; after 10:25, when the suppress rule took effect, no further events for this signature are displayed.

Setup of Network Variables in the Suricata Config File

Defining networks as variables lets you reuse them in suppress rules and in rule definitions.

IP addresses can be defined as variables in the /data/idsp/user-config/suricata.yaml file.

  1. Log in as the flowmon user to the Flowmon IDS Probe.

  2. vim /data/idsp/user-config/suricata.yaml

  3. Define the variables you need. Negation is allowed, for example EXTERNAL_NET: "!$HOME_NET". The variables can then be used in rules and in suppress rules, for example:

     suppress gen_id 1, sig_id 0, track by_src, ip $EXTERNAL_NET

     This rule suppresses the events of all signatures whose source IP address is in the external network.

  4. Restart the IDS Probe.

For more information, see the official documentation of the Suricata IDS.

%YAML 1.1
---
vars:
    # more specific is better for alert accuracy and performance
    address-groups:
        HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
        #HOME_NET: "[192.168.0.0/16]"
        #HOME_NET: "[10.0.0.0/8]"
        #HOME_NET: "[172.16.0.0/12]"
        #HOME_NET: "any"

        EXTERNAL_NET: "!$HOME_NET"
        #EXTERNAL_NET: "any"

        HTTP_SERVERS: "$HOME_NET"
        SMTP_SERVERS: "$HOME_NET"
        SQL_SERVERS: "$HOME_NET"
        DNS_SERVERS: "$HOME_NET"
        TELNET_SERVERS: "$HOME_NET"
        AIM_SERVERS: "$EXTERNAL_NET"
        DNP3_SERVER: "$HOME_NET"
        DNP3_CLIENT: "$HOME_NET"
        MODBUS_CLIENT: "$HOME_NET"
        MODBUS_SERVER: "$HOME_NET"
        ENIP_CLIENT: "$HOME_NET"
        ENIP_SERVER: "$HOME_NET"
    port-groups:
        HTTP_PORTS: "80"
        SHELLCODE_PORTS: "!80"
        ORACLE_PORTS: 1521
        SSH_PORTS: 22
        DNP3_PORTS: 20000
        MODBUS_PORTS: 502
        FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
        FTP_PORTS: 21
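The following Python script is an added example; it is not part of the Flowmon guide and is not Suricata's own code. It covers both of the sections above: it resolves address-group variables the way the vars section defines them (including the negated EXTERNAL_NET: "!$HOME_NET"), validates the suppress lines of a threshold.config before you restart the probe (a malformed line or an undefined variable is reported with its line number instead of being found in the Suricata log after a failed start), and shows which alerts each suppress form from the "suppress" section would hide. The sample variables, suppress rules and alert tuples are constructed for this example, and the address-group semantics are a simplified model of Suricata's behaviour, not its implementation.

```python
import ipaddress
import re

# Constructed sample data, not taken from a real probe: the address-groups of
# suricata.yaml and a threshold.config using each suppress form on this page.
SAMPLE_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}
SAMPLE_THRESHOLD_CONFIG = """
# silence sid 2022886 completely, whatever the addresses
suppress gen_id 1, sig_id 2022886
# silence sid 2100498 only when the known scanner is the source
suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.0.5
# silence every signature whose source is outside HOME_NET
suppress gen_id 1, sig_id 0, track by_src, ip $EXTERNAL_NET
# silence sid 2210005 for one destination subnet
suppress gen_id 1, sig_id 2210005, track by_dst, ip 192.168.50.0/24
"""
SUPPRESS_RE = re.compile(
    r"^suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
    r"(?:\s*,\s*track\s+(by_src|by_dst|by_either)\s*,\s*ip\s+(\S+))?$")


def split_top_level(text):
    """Split 'a,[b,c],d' on the commas that are not inside brackets."""
    parts, depth, current = [], 0, []
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def compile_address_group(expr, variables, _depth=0):
    """Predicate ip -> bool for 'any', an address/CIDR, a $VAR, a bracketed
    list or a '!'-negated form (simplified model of Suricata's semantics)."""
    expr = expr.strip().strip('"')
    if _depth > 10:
        raise ValueError("address variable reference loop near " + expr)
    if expr.startswith("!"):
        inner = compile_address_group(expr[1:], variables, _depth)
        return lambda ip: not inner(ip)
    if expr == "any":
        return lambda ip: True
    if expr.startswith("$"):
        if expr[1:] not in variables:
            raise ValueError("undefined address variable " + expr)
        return compile_address_group(variables[expr[1:]], variables, _depth + 1)
    if expr.startswith("[") and expr.endswith("]"):
        items = split_top_level(expr[1:-1])
        # in a list an IP must hit some positive item (if any) and no negated item
        positive = [compile_address_group(i, variables, _depth)
                    for i in items if not i.startswith("!")]
        negative = [compile_address_group(i[1:], variables, _depth)
                    for i in items if i.startswith("!")]
        return lambda ip: ((not positive or any(m(ip) for m in positive))
                           and not any(m(ip) for m in negative))
    network = ipaddress.ip_network(expr, strict=False)  # raises on garbage
    return lambda ip: ipaddress.ip_address(ip) in network


def parse_threshold_config(text, variables):
    """Validate suppress lines, raising ValueError with the line number early
    instead of finding the typo in the Suricata log after a probe restart."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("threshold", "event_filter", "rate_filter")):
            continue  # blank, comment, or a keyword this checker does not cover
        match = SUPPRESS_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: malformed suppress rule: {line!r}")
        gid, sid, track, ip_expr = match.groups()
        try:
            match_ip = compile_address_group(ip_expr, variables) if ip_expr else None
        except ValueError as err:
            raise ValueError(f"line {lineno}: {err}") from None
        rules.append({"gid": int(gid), "sid": int(sid), "track": track, "match_ip": match_ip})
    return rules


def is_suppressed(rules, gid, sid, src_ip, dst_ip):
    """True if an alert with these ids and addresses is dropped by any rule."""
    for rule in rules:
        if rule["gid"] not in (0, gid) or rule["sid"] not in (0, sid):
            continue
        if rule["match_ip"] is None:
            return True  # no track clause: suppressed for every address
        tracked = {"by_src": [src_ip], "by_dst": [dst_ip],
                   "by_either": [src_ip, dst_ip]}[rule["track"]]
        if any(rule["match_ip"](ip) for ip in tracked):
            return True
    return False


if __name__ == "__main__":
    rules = parse_threshold_config(SAMPLE_THRESHOLD_CONFIG, SAMPLE_VARS)
    print(is_suppressed(rules, 1, 2000001, "203.0.113.7", "10.0.0.1"))  # True
```

Run parse_threshold_config over the real /data/idsp/user-config/threshold.config and the address-groups from suricata.yaml before restarting the probe; the by_src / by_dst / by_either distinction is the usual source of surprise, so check a few real alert tuples with is_suppressed rather than assuming the rule hides what you expect.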

Suricata Rules Management

For rule management, the Flowmon IDS Probe uses a preconfigured Suricata-Update tool. The tool gathers rules from multiple sources and combines them into one suricata.rules file.

By default, the tool is configured to gather rules from two sources:

  • Flowmon Services (Remote Rule Source)

  • /data/idsp/user-config/rules (Local Rule Source)

    • All files ending in .rules inside this folder are loaded.

    • The directory is empty after a new installation. The folder is intended to be used for the user-defined rules.

The rules sources can be adjusted using configuration files:

  • /data/idsp/user-config/update.yaml

    • The sources and local attributes can be used to add additional remote or local sources. Default sources provided by the Flowmon IDS Probe are not visible in this configuration file.

    • Examples for sources attribute:

# Remote rule sources. Simply a list of URLs.
sources:
  # Emerging Threats Open with the Suricata version dynamically replaced.
  # - https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
  # The SSL blacklist, which is just a standalone rule file.
  # - https://sslbl.abuse.ch/blacklist/sslblacklist.rules
  • /data/idsp/user-config/flowmon-idsp-suricata-update.yaml

    • The enable_flowmon_rules_feed attribute allows you to disable the default Flowmon Services rules feed. Disabling it is useful when you want to replace the default rules completely with your own rule source.

The Suricata-Update tool allows you to customize the ruleset using separate configuration files. They are applied in the following order:

  • /data/idsp/user-config/disable.conf (deactivate rules)

  • /data/idsp/user-config/enable.conf (activate deactivated rules)

  • /data/idsp/user-config/drop.conf (convert the rule action to "drop"; not usable for IDSP)

  • /data/idsp/user-config/modify.conf (rewrite rules definition)

Configuration files inside the /data/idsp/user-config/ folder can be recreated (if they are missing or invalid) by copying their original version in the following way:

cp /data/components/flowmon-idsp-suricata-update/etc/suricata/* /data/idsp/user-config/

The configuration is applied during the next execution of the Suricata-Update tool. The tool is scheduled to be executed every hour. To speed up the process, you can manually restart the service by executing the following command:

sudo systemctl restart flowmon-idsp-suricata-update

You can check the flowmon-idsp-suricata-update log using the journalctl tool to validate configuration changes.

sudo journalctl --no-pager -eu flowmon-idsp-suricata-update

For more information about suricata-update tool configuration files and rule matching, please visit the official documentation.

NOTE

The Flowmon IDS Probe uses its own service for executing the suricata-update tool.

Do not run the suricata-update command directly.
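Since the suricata-update command must not be run by hand on the probe, it helps to preview what disable.conf, enable.conf and modify.conf will do to a ruleset before the scheduled run picks them up. The Python script below is an added example written for this page; it is not the suricata-update tool and does not reproduce all of its behaviour. It applies the three files in the order listed above to a handful of rules using two matcher forms from suricata-update's own documentation (a bare sid, and re:<regex> matched against the whole rule text), skips drop.conf because the page marks it as not usable for IDSP, and writes disabled rules commented out as suricata.rules does. The three rules and the three configuration files are constructed sample input, not a real feed.

```python
import re
import shlex

# Constructed sample input, not a real feed: three rules as suricata-update
# would fetch them, and the customization files in suricata-update's syntax.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Example A"; sid:2000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Example B"; sid:2000002; rev:1;)
alert tls any any -> any any (msg:"ET INFO Example C"; sid:2000003; rev:2;)
"""
DISABLE_CONF = "re:ET POLICY\n"   # disable every ET POLICY rule ...
ENABLE_CONF = "2000002\n"         # ... but keep this one active
# modify.conf line: <matcher> "<regex to replace>" "<replacement>"
MODIFY_CONF = '2000003 "any any -> any any" "$EXTERNAL_NET any -> $HOME_NET 443"\n'

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def rule_sid(rule):
    """Signature ID of a rule line, or None if the line has none."""
    match = SID_RE.search(rule)
    return int(match.group(1)) if match else None


def matches(matcher, rule):
    """Matcher forms implemented here: a bare '<sid>' and 're:<regex>'."""
    if matcher.startswith("re:"):
        return re.search(matcher[3:], rule) is not None
    if matcher.isdigit():
        return rule_sid(rule) == int(matcher)
    raise ValueError("unsupported matcher in this example: " + matcher)


def read_conf(text):
    """Non-empty, non-comment lines of a disable/enable/modify.conf file."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def apply_customizations(rules_text, disable_conf, enable_conf, modify_conf):
    """Apply disable.conf, then enable.conf, then modify.conf to each rule and
    return the lines as they would appear in suricata.rules, with disabled
    rules commented out. drop.conf is skipped: an IDS probe does not drop."""
    disable = read_conf(disable_conf)
    enable = read_conf(enable_conf)
    modify = [shlex.split(line) for line in read_conf(modify_conf)]
    output = []
    for rule in rules_text.splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        enabled = not any(matches(m, rule) for m in disable)
        if not enabled and any(matches(m, rule) for m in enable):
            enabled = True  # enable.conf wins over disable.conf
        for matcher, old, new in modify:  # wrong arity raises ValueError
            if matches(matcher, rule):
                rule = re.sub(old, new, rule)
        output.append(rule if enabled else "# " + rule)
    return output


if __name__ == "__main__":
    for line in apply_customizations(SAMPLE_RULES, DISABLE_CONF, ENABLE_CONF, MODIFY_CONF):
        print(line)
```

A regex in disable.conf is matched against the whole rule text, so "re:ET POLICY" also catches rules whose payload content happens to contain those words; narrow it (for example to the msg field) or list sids explicitly when the blast radius matters.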

Managing Custom Classifications

You can configure custom classifications that are added to the list of existing classifications generated by Suricata-Update. The classifications can be managed in /data/idsp/user-config/classification.config using the following format:

config classification: <shortname>, <short description>, <priority>

When custom classifications are added, changes are applied with the next execution of the Suricata-Update tool. The tool is scheduled to be executed every hour. To speed up the process, you can manually restart the service by executing the following command:

sudo systemctl restart flowmon-idsp-suricata-update

NOTE

When existing custom classifications are modified, or the changes do not take effect, restart the Flowmon IDSP module for the changes to be reflected.

GID - Group/Generator ID

You can set the GID when creating new rules or when preparing a copy of an existing rule for test purposes. The default GID is 1 for all rules; GIDs you assign yourself must be greater than 1 000 000.

The GID is the value the gen_id keyword of a suppress rule refers to, so a rule copy under its own GID can be suppressed without touching the original.

alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; flow:established; app-layer-event:tls.invalid_record_version; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; gid:1000001; sid:2230015; rev:1;)
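The Python snippet below is an added example for this page, not code from Flowmon or Suricata. It shows the two facts the section relies on: a rule without a gid option is identified as (1, sid), and a test copy that carries gid:1000001 is a different (gid, sid) pair, so it can be targeted by its own suppress line. BUILTIN_RULE is constructed as the TLS rule shown above with its gid option removed; the function names are mine.

```python
import re

# Constructed: the TLS anomaly rule from this page as it reads without a gid.
BUILTIN_RULE = ('alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; '
                'flow:established; app-layer-event:tls.invalid_record_version; '
                'flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; '
                'sid:2230015; rev:1;)')

GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def rule_key(rule):
    """(gid, sid) of a rule; Suricata uses gid 1 when the option is absent."""
    sid = SID_RE.search(rule)
    if not sid:
        raise ValueError("rule has no sid: " + rule)
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def copy_with_gid(rule, gid):
    """Return a test copy of a rule under a private generator id. The copy keeps
    the original sid, so only the (gid, sid) pair tells the two apart."""
    if gid <= 1_000_000:
        raise ValueError("custom GIDs must be greater than 1 000 000")
    if GID_RE.search(rule):
        return GID_RE.sub(f"gid:{gid};", rule, count=1)
    # no gid option yet: insert it in front of sid, where this guide places it
    return SID_RE.sub(lambda m: f"gid:{gid}; " + m.group(0), rule, count=1)


def suppress_line(rule):
    """threshold.config line that silences exactly this (gid, sid) pair."""
    gid, sid = rule_key(rule)
    return f"suppress gen_id {gid}, sig_id {sid}"


if __name__ == "__main__":
    test_copy = copy_with_gid(BUILTIN_RULE, 1000001)
    print(test_copy)
    print(suppress_line(test_copy))  # suppress gen_id 1000001, sig_id 2230015
```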

Suricata IDS Probe Restart

You can restart the Flowmon IDS Probe in the Versions section of the Flowmon Configuration Center (FCC) left menu. In the IDS Probe row, click Stop and then click Start.

NOTE

Every restart of the IDS probe leads to the restart of the Flowmon exporter, so there may be loss of flow data.

NOTE

The Flowmon IDS Probe uses its own service for running Suricata.

Do not run the suricata command directly.
