Suricata Available Rule Categories
-
Hi
WAN Rules -> Available Rule Categories -> e.g. select et-mlware.rules -> it redirects to custom.rules
When I select any rule category, it always goes back to custom.rules.
2.5.2-RELEASE and Suricata 6.0.3_3
-
To be sure I am understanding you correctly, do you mean that on the RULES tab when you select any category in the listing it only shows you Custom Rules? Or are you saying the Category drop-down is blank except for the Custom Rules choice?
In either case that sounds like something cached on the browser client maybe ???
-
Hi @bmeeks
On the RULES tab, when I select a category in the listing, any rule category I select redirects to Custom Rules. E.g. I select etpro-mlware.rules;
it redirects to custom.rules and does not show etpro-mlware.rules.
-
I just fired up a pfSense 2.5.2-RELEASE virtual machine with Suricata 6.0.3_3 installed on it, and I cannot replicate this behavior. I can select any category in the list on that tab and it populates the table below just fine.
I would suspect maybe something is being pulled from a corrupted cache for the browser? I really have no other explanation for what could be wrong. All I can say is that I am unable to reproduce the issue you describe. I am testing with Chrome on Windows 10 as the browser.
-
I found it.
It is because I checked this option:
"Enable Automatic SID State Management"
I use a Disable SID List, so what can I do? Is it an issue?
-
@everfree said in Suricata Available Rule Categories:
I found it.
It is because I checked this option:
"Enable Automatic SID State Management"
I use a Disable SID List, so what can I do? Is it an issue?
I see absolutely no way that setting is connected to what you are seeing. In that same VM I tested with yesterday, Enable Automatic SID State Management is enabled, and everything still works fine. I just fired that machine up again and tested to make sure.
You have something else going on, but I do not at this point believe it is a bug in the package code. I have not been able to reproduce it with my testing. And as further evidence, there are no other such bug reports existing that I am aware of.
-
That is very strange. I have the same setup in my testing virtual machine. The WAN interface is configured with a combination of manually-enabled rules categories checked on the CATEGORIES tab and rules categories enabled from Automatic SID Management.
Let me try some additional combinations of things to see if I can replicate your problem.
-
@bmeeks I have exactly the same problem. Only "Auto-Flowbit Rules" are shown.
Legacy Mode, Auto-Enable rules for checked flowbits, enabled some categories by hand and the rest is done by SID Mgmt (Enable, Disable).
-
I found something. My disable.conf has
app-layer-events,decoder-events,dnp3-events,dns-events,files,http-events,ipsec-events,kerberos-events,modbus-events,nfs-events,ntp-events,smb-events,smtp-events,stream-events,tls-events
I removed that and it works. It does not redirect to custom.rules.
-
@everfree said in Suricata Available Rule Categories:
I found something. My disable.conf has
app-layer-events,decoder-events,dnp3-events,dns-events,files,http-events,ipsec-events,kerberos-events,modbus-events,nfs-events,ntp-events,smb-events,smtp-events,stream-events,tls-events
I removed that and it works. It does not redirect to custom.rules.
That file is telling the SID Management code to remove those categories from the list, so that's what it is doing. Those are the built-in rules shipped with Suricata.
Check all of your other files carefully. I think you have something non-standard going on in your conf files for SID Management. I still am unable to reproduce the problem on my test virtual machine.
And just to be clear, it is not "redirecting" anything. It simply is showing Custom Rules because your SID Management conf file (or files) is telling the code to remove categories, so the only one left to load into the drop-down selector is Custom Rules as that one is a default that cannot be removed.
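To make the explanation above concrete, here is an added example (not the pfSense Suricata package's own code) that parses a disable-list in the style quoted in this thread and reports which categories it strips from the drop-down. It assumes the list format is one or more entries per line, separated by commas, with `#` comments, where an entry is a `GID:SID` pair, a `re:` prefixed regular expression, or otherwise a bare category name; the sample list and the category names are constructed for the example, and `custom.rules` is treated as the one category that is never removed.

```python
import re

# Constructed disable-list, modelled on the one quoted in the thread
# (bare category names) plus a SID pair and a regex entry for contrast.
SAMPLE_DISABLE_CONF = """\
# constructed example, not a real pfSense SID Management file
1:2010000, 1:2010001
re:heartbleed
app-layer-events,decoder-events,dns-events,files,http-events,stream-events,tls-events
"""

# Constructed category names as they would appear in the RULES drop-down.
SAMPLE_CATEGORIES = [
    "app-layer-events.rules", "decoder-events.rules", "dns-events.rules",
    "files.rules", "http-events.rules", "stream-events.rules", "tls-events.rules",
    "emerging-malware.rules", "custom.rules",
]

SID_RE = re.compile(r"^\d+:\d+$")


def parse_entries(text):
    """Split a SID-management list into (kind, value) tuples.

    kind is 'sid' for GID:SID, 'regex' for re:<pattern>, else 'category'.
    Assumed format: comma- or newline-separated entries, '#' starts a comment.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for tok in line.split(","):
            tok = tok.strip()
            if not tok:
                continue
            if SID_RE.match(tok):
                entries.append(("sid", tok))
            elif tok.startswith("re:"):
                entries.append(("regex", tok[3:]))
            else:
                entries.append(("category", tok))
    return entries


def categories_removed(text, categories):
    """Return the categories a bare-name entry removes wholesale, in drop-down order.

    A SID or regex entry only disables individual rules; a bare category name
    drops the whole category. custom.rules can never be removed.
    """
    names = {value for kind, value in parse_entries(text) if kind == "category"}
    removed = []
    for cat in categories:
        base = cat[:-len(".rules")] if cat.endswith(".rules") else cat
        if cat != "custom.rules" and (base in names or cat in names):
            removed.append(cat)
    return removed


def remaining_categories(text, categories):
    """Categories still offered in the drop-down after the disable-list is applied."""
    gone = set(categories_removed(text, categories))
    return [c for c in categories if c not in gone]


if __name__ == "__main__":
    for kind, value in parse_entries(SAMPLE_DISABLE_CONF):
        print(f"{kind:8s} {value}")
    print("removed :", categories_removed(SAMPLE_DISABLE_CONF, SAMPLE_CATEGORIES))
    print("left    :", remaining_categories(SAMPLE_DISABLE_CONF, SAMPLE_CATEGORIES))
```

Running it against a category list made up only of the built-in event categories plus `custom.rules` reproduces the symptom described in the thread: every bare category name in the list is stripped and `custom.rules` is the only entry left to load.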
-
@bmeeks That's strange, I've disabled:
app-layer-events
stream-events
files
since 2015 (using jflsakfja's list)