Millions of triggered alerts

[trocade]

Hello,

I am getting loads of false alerts from what I think is a failure to use my $HOME_NET properly.

After running for ~2 hours I have 25 million alerts.

The subnet that triggers all these alerts are in the 10.0.0.0/8 range and I have this configured in global.sls and have pushed it and verified that suricata.yml on the sensor is updated properly (and of course so-restart suricata)

hnmanager: '10.0.0.0/8,100...'

The rules that triggers looks like this:
alert ip $EXTERNAL_NET any -> $HOME_NET any ..

So I did try to configure EXTERNAL_NET to be '!$HOME_NET' as mentioned in the documentation, but it still continues to trigger.

Where should I start looking or what am I missing in the setup?

SO version: 2.3.10
network install on Ubuntu 18.04 LTS
Distributed setup

[weslambert]

Did you make sure the follow the guidance here? https://docs.securityonion.net/en/latest/suricata.html?highlight=HOME_NET#configuration

[trocade]

Yes, I think I was just not patient enough when I did this since it went away by itself during the evening.