Suricata/Unifi IPS confuses Zerotier for Edonkey

Hi all,

From time to time my Unifi gateway IDS/IPS blocks zerotier traffic because it matches an Edonkey signature. I’ve opened a case with Unifi. They pointed me to the Suricata Emerging Threats ruleset.

curl "https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules" -slient -o -| grep "ET P2P Edonkey Search Request (search by name)"

Points to this rule:

alert udp $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535] (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; classtype:policy-violation; sid:2003319; rev:4; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

I will fill in the Emerging Threats feedback form for this rule, but I guess more information about the ZT packet structure will be necessary to refine this rule. Is it documented somewhere?

Thx,

Timmmy