Netgate Discussion Forum
    Suricata Available Rule Categories

• everfree @bmeeks (last edited by everfree)

      Hi @bmeeks

On the RULES tab, when you select a category in the listing, it redirects to Custom Rules. EX: I select etpro-mlware.rules

(screenshot: cats.jpg)

It redirects to Custom Rules and does not show etpro-mlware.rules.

(screenshot: cats2.jpg)

• bmeeks (last edited by bmeeks)

        I just fired up a pfSense 2.5.2-RELEASE virtual machine with Suricata 6.0.3_3 installed on it, and I cannot replicate this behavior. I can select any category in the list on that tab and it populates the table below just fine.

        I would suspect maybe something is being pulled from a corrupted cache for the browser? I really have no other explanation for what could be wrong. All I can say is that I am unable to reproduce the issue you describe. I am testing with Chrome on Windows 10 as the browser.

• everfree @bmeeks (last edited by everfree)

            @bmeeks

I found it.

It is because I checked this option:

"Enable Automatic SID State Management"

I use a Disable SID List, so what can I do? Is it an issue?

• bmeeks @everfree

              @everfree said in Suricata Available Rule Categories:

              @bmeeks

I found it.

It is because I checked this option:

"Enable Automatic SID State Management"

I use a Disable SID List, so what can I do? Is it an issue?

              I see absolutely no way that setting is connected to what you are seeing. In that same VM I tested with yesterday, Enable Automatic SID State Management is enabled, and everything still works fine. I just fired that machine up again and tested to make sure.

              You have something else going on, but I do not at this point believe it is a bug in the package code. I have not been able to reproduce it with my testing. And as further evidence, there are no other such bug reports existing that I am aware of.

• everfree (last edited by everfree)

                Hi

This is my Suricata video:

(YouTube video embedded in the original post)

• bmeeks

                  That is very strange. I have the same setup in my testing virtual machine. The WAN interface is configured with a combination of manually-enabled rules categories checked on the CATEGORIES tab and rules categories enabled from Automatic SID Management.

                  Let me try some additional combinations of things to see if I can replicate your problem.

• digdug3 @bmeeks

@bmeeks I have exactly the same problem. Only "Auto-Flowbit Rules" are shown.
Legacy Mode, Auto-Enable rules for checked flowbits, some categories enabled by hand and the rest done by SID Mgmt (Enable, Disable).

• everfree @bmeeks (last edited by everfree)

                      @bmeeks

I found something. My disable.conf has:

app-layer-events,decoder-events,dnp3-events,dns-events,files,http-events,ipsec-events,kerberos-events,modbus-events,nfs-events,ntp-events,smb-events,smtp-events,stream-events,tls-events

Remove that and it works. It does not redirect to custom.rules.

• bmeeks @everfree (last edited by bmeeks)

                        @everfree said in Suricata Available Rule Categories:

                        @bmeeks

I found something. My disable.conf has:

app-layer-events,decoder-events,dnp3-events,dns-events,files,http-events,ipsec-events,kerberos-events,modbus-events,nfs-events,ntp-events,smb-events,smtp-events,stream-events,tls-events

Remove that and it works. It does not redirect to custom.rules.

That file is telling the SID Management code to remove those categories from the list, so that's what it is doing. Those are the built-in rules shipped with Suricata.

                        Check all of your other files carefully. I think you have something non-standard going on in your conf files for SID Management. I still am unable to reproduce the problem on my test virtual machine.

                        And just to be clear, it is not "redirecting" anything. It simply is showing Custom Rules because your SID Management conf file (or files) is telling the code to remove categories, so the only one left to load into the drop-down selector is Custom Rules as that one is a default that cannot be removed.

• digdug3 @bmeeks
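The explanation above (category names in a SID Mgmt disable list remove whole categories from the drop-down, leaving Custom Rules) is easy to audit before enabling the feature. The following is an added example, not code from the pfSense Suricata package; it assumes the conf format is comma- or newline-separated entries with `#` comments, treats an entry that exactly equals a category name as removing that category, and uses the disable.conf line quoted in the thread plus a constructed category list as input.

```python
import re

# Constructed sample: the disable.conf contents quoted above, plus a
# comment line and two SID-style entries (gid:sid) for comparison.
SAMPLE_DISABLE_CONF = """\
# constructed sample disable.conf
app-layer-events,decoder-events,dnp3-events,dns-events,files,http-events,ipsec-events,kerberos-events,modbus-events,nfs-events,ntp-events,smb-events,smtp-events,stream-events,tls-events
1:2100498, 1:2010937
"""

# Constructed list of categories the RULES tab would otherwise offer
# (names as they appear without the .rules suffix).
SAMPLE_CATEGORIES = [
    "app-layer-events", "decoder-events", "dns-events", "files",
    "http-events", "stream-events", "tls-events", "etpro-mlware",
]

SID_RE = re.compile(r"^\d+:\d+$")  # gid:sid entry, touches one rule only


def parse_entries(conf_text):
    """Split a SID Mgmt conf into individual entries.

    Assumed format: entries separated by commas and/or newlines, blank
    lines skipped, anything after '#' ignored as a comment.
    """
    entries = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        entries.extend(e.strip() for e in line.split(",") if e.strip())
    return entries


def audit_disable_conf(conf_text, categories):
    """Return (whole_categories_removed, single_sid_entries, remaining).

    An entry equal to a category name is assumed to drop that entire
    category from the selector; gid:sid entries only affect single rules
    and leave the category in place.
    """
    cats = set(categories)
    entries = parse_entries(conf_text)
    whole = [e for e in entries if e in cats]
    sids = [e for e in entries if SID_RE.match(e)]
    remaining = [c for c in categories if c not in whole]
    return whole, sids, remaining
```

Run against the sample input, only `etpro-mlware` survives among the listed categories, which matches the symptom described in the thread (every built-in event category disappears and the selector falls back to Custom Rules).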

@bmeeks That's strange, I've disabled:

                          app-layer-events
                          stream-events
                          files

                          since 2015 (using jflsakfja's list)
