We have a pfSense router running with packet inspection. Our logs are filling up with these requests:

SURICATA UDPv4 invalid checksum

Research shows that we should do the following:

Disable the stream-events.rules via SID Mgmt. (Yeah, I mean the whole category. Zillions of FPs.)

However, I can't find that stream-events.rules under the categories list.

We are running pfSense with Suricata using Snort-related rules.

Ward - Reinstate Monica
Jason

According to this site, you can create a disablesid.conf file that looks somewhat like this (there's extra in this; use what you need):

https://forum.pfsense.org/index.php?topic=95881.0

# Messes up with DNS resolution on LAN
1:2200073 # SURICATA IPv4 invalid checksum
# Bittorrent noise, DNS
1:2200075 # SURICATA UDPv4 invalid checksum
1:2200078 # SURICATA UDPv6 invalid checksum
# Lots of useless noise
1:2200076 # SURICATA ICMPv4 invalid checksum
1:2200079 # SURICATA ICMPv6 invalid checksum

Then set it as the Disable SID File for the interface you are interested in.

Ryan Babchishin
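Before pointing an interface at a disablesid.conf, it is worth checking which of the alerts currently flooding the log it would actually silence. The script below is an added example, not part of the answer above or of pfSense/Suricata: it parses the gid:sid file format shown in the answer and runs it over a few constructed Suricata fast.log lines (hypothetical timestamps, addresses and one placeholder SID) to count what would be suppressed versus kept.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample of a disablesid.conf in the "gid:sid # comment"
# form used by pfSense's Suricata package (same SIDs as the answer above).
DISABLESID_CONF = """\
# Messes up with DNS resolution on LAN
1:2200073 # SURICATA IPv4 invalid checksum
# Bittorrent noise, DNS
1:2200075 # SURICATA UDPv4 invalid checksum
1:2200078 # SURICATA UDPv6 invalid checksum
# Lots of useless noise
1:2200076 # SURICATA ICMPv4 invalid checksum
1:2200079 # SURICATA ICMPv6 invalid checksum
"""

# Constructed fast.log lines; 1:9000001 is a hypothetical placeholder SID.
FAST_LOG = """\
04/01/2021-10:00:01.000000  [**] [1:2200075:2] SURICATA UDPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.20:51000 -> 192.168.1.1:53
04/01/2021-10:00:02.000000  [**] [1:2200075:2] SURICATA UDPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.21:6881 -> 203.0.113.9:6881
04/01/2021-10:00:03.000000  [**] [1:2200076:2] SURICATA ICMPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.1:0 -> 192.168.1.20:0
04/01/2021-10:00:04.000000  [**] [1:9000001:1] EXAMPLE placeholder alert [**] [Classification: (null)] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.20:49152
"""

SID_LINE = re.compile(r"^\s*(\d+):(\d+)")                 # "gid:sid" at line start
ALERT = re.compile(r"\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]")  # "[gid:sid:rev] msg [**]"

def parse_disablesid(text: str) -> Set[Tuple[int, int]]:
    """Return the (gid, sid) pairs the file disables; blank lines and
    '#' comments (whole-line or trailing) are ignored."""
    disabled = set()
    for line in text.splitlines():
        m = SID_LINE.match(line.split("#", 1)[0])  # strip trailing comment
        if m:
            disabled.add((int(m.group(1)), int(m.group(2))))
    return disabled

def classify_alerts(log: str, disabled: Set[Tuple[int, int]]) -> Dict[str, Dict[str, int]]:
    """Count alerts per message, split into those the conf would silence
    ("suppressed") and those that would still fire ("kept")."""
    result: Dict[str, Dict[str, int]] = {"suppressed": {}, "kept": {}}
    for line in log.splitlines():
        m = ALERT.search(line)
        if not m:
            continue  # not an alert line
        key = (int(m.group(1)), int(m.group(2)))
        bucket = result["suppressed" if key in disabled else "kept"]
        bucket[m.group(3)] = bucket.get(m.group(3), 0) + 1
    return result
```

Run it against a real fast.log copied off the firewall to confirm that only the checksum noise lands in "suppressed" and nothing you care about does.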

I know this is an old post but I had an issue finding answers that got straight to the point. With the recent update, you can edit Suricata rules from the GUI.

Services tab > Suricata > Interfaces > edit via the pencil icon in the interface list under the "Actions" column > LAN (or WAN) Rules.

Choose the category of the alert that you wish to change. In this case it would be "decoder-events.rules". Just refer back to your interface alerts if needed. I use Ctrl+F to look for the specific SID I want to change on this page and just hit the icon under the "State" column. Make sure you hit Apply. Hope this helps someone!

axxic3