Netgate Discussion Forum

Suricata upgrade/install adds default rulesets

IDS/IPS
  • S
    SteveITS Galactic Empire
    last edited by SteveITS Dec 22, 2023, 4:12 PM Dec 22, 2023, 3:59 PM

    @bmeeks Hi Bill, we had traditionally disabled stream-events.rules because of false positives. I have noticed a few times lately it's been enabled. I found that my backup just before the upgrade from 23.05.1 to 23.09.1 does not have it, but after the upgrade it does. Other rulesets as well:

    before:
    <rulesets>
    GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules
    </rulesets>

    after:
    <rulesets>
    GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules||ftp-events.rules||quic-events.rules||rfb-events.rules||stream-events.rules
    </rulesets>
    (via a copy and CTRL-F it looks like the rest of the list is the same)

    My process for upgrading is simply:

    • uninstall Suricata (and pfBlocker etc.)
    • upgrade pfSense
    • install Suricata

    "Send notifications when new rule categories appear" is checked but we haven't received any emails.

    Edit: by "before" I mean "when I start the upgrade"

    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
    Upvote 👍 helpful posts!

    • S
      SteveITS Galactic Empire @SteveITS
      last edited by Dec 27, 2023, 9:52 PM

      Per https://redmine.pfsense.org/issues/15120 this is expected behavior.

      "The simplest way for you to handle disabling them is to use the SID MGMT disable.conf feature. Put the rule categories you want to disable in that file and they will not get overwritten."


      • B
        bmeeks @SteveITS
        last edited by Dec 27, 2023, 10:32 PM

        @SteveITS said in Suricata upgrade/install adds default rulesets:

        Per https://redmine.pfsense.org/issues/15120 this is expected behavior.

        This code in the post-install routine handles the procedure:

        /****************************************************************/
        /* Add any new built-in events rules to each configured         */
        /* interface.                                                   */
        /****************************************************************/
        if (count(config_get_path('installedpackages/suricata/rule', [])) > 0) {

            // Add default events rules for Suricata. This array constant
            // is defined in 'suricata_defs.inc' and must be kept in sync
            // with the content of the '/rules' directory in the Suricata
            // binary source tarball.
            $builtin_rules = SURICATA_DEFAULT_RULES;
            foreach (config_get_path('installedpackages/suricata/rule', []) as $idx => &$suricatacfg) {
                $iface_rules_upd = false;

                // Convert delimited string into array and remove any
                // duplicate ruleset names from earlier bug.
                $rulesets = array_keys(array_flip(explode("||", $suricatacfg['rulesets'])));
                foreach ($builtin_rules as $name) {
                    if (in_array($name, $rulesets)) {
                        continue;
                    } else {
                        $rulesets[] = $name;
                        $iface_rules_upd = true;
                    }
                }
                // If we updated the rules list, save the change
                if ($iface_rules_upd) {
                    $suricatacfg['rulesets'] = implode("||", $rulesets);
                    config_set_path("installedpackages/suricata/rule/{$idx}", $suricatacfg);
                }
            }
            // Done with the config array reference, so release it
            unset($suricatacfg);
        }
        

        The static array of built-in rules is defined in suricata_defs.inc, and gets updated whenever upstream adds or removes built-in rules.

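The merge logic quoted above, and the disable.conf advice from the earlier reply, can be turned into a quick post-upgrade check. The script below is an added example for this thread, not code from the pfSense Suricata package: it reproduces the post-install merge (split on `||`, drop duplicates, append any built-in category that is missing), diffs the per-interface `rulesets` entries of two config.xml backups so you can see exactly which categories an upgrade switched on, and then reports which of those additions are not yet covered by a SID MGMT disable list. The config.xml fragments, the shortened built-in list and the disable.conf contents are constructed to mirror the before/after lists in the first post; the `<interface>` element name and the "one category filename per line, `#` comments" disable.conf format are assumptions, so adjust them if your files differ.

```python
"""Added example (not the pfSense package's own code): reproduce the Suricata
post-install rule merge and diff two config.xml backups per interface."""
import xml.etree.ElementTree as ET

# Constructed, shortened stand-in for SURICATA_DEFAULT_RULES; the real list
# lives in suricata_defs.inc. The last four are the ones the thread saw added.
BUILTIN_RULES = [
    "app-layer-events.rules", "decoder-events.rules", "dhcp-events.rules",
    "dns-events.rules", "files.rules", "http-events.rules", "tls-events.rules",
    "ftp-events.rules", "quic-events.rules", "rfb-events.rules",
    "stream-events.rules",
]

# Constructed config.xml fragments (path installedpackages/suricata/rule is
# from the post-install snippet; the <interface> element is an assumption).
# "before" carries a duplicated entry, the "earlier bug" the PHP dedups.
BEFORE_XML = """<pfsense><installedpackages><suricata>
<rule><interface>wan</interface><rulesets>GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||dhcp-events.rules||dns-events.rules||files.rules||http-events.rules||tls-events.rules||emerging-scan.rules||emerging-scan.rules</rulesets></rule>
</suricata></installedpackages></pfsense>"""

AFTER_XML = """<pfsense><installedpackages><suricata>
<rule><interface>wan</interface><rulesets>GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||dhcp-events.rules||dns-events.rules||files.rules||http-events.rules||tls-events.rules||emerging-scan.rules||ftp-events.rules||quic-events.rules||rfb-events.rules||stream-events.rules</rulesets></rule>
</suricata></installedpackages></pfsense>"""

# Constructed disable.conf: assumed format is one category filename per line.
DISABLE_CONF = """# categories we never want enabled
stream-events.rules   # too many false positives on our networks
"""


def parse_rulesets(text):
    """Split the '||'-delimited string and drop duplicates, keeping order.
    Mirrors array_keys(array_flip(explode('||', ...))) in the PHP."""
    return list(dict.fromkeys(s for s in text.split("||") if s))


def merge_builtin(rulesets, builtin=BUILTIN_RULES):
    """Reproduce the post-install merge: append every built-in category that
    is not already enabled. Returns (merged_list, names_that_were_added)."""
    merged = list(rulesets)
    added = [name for name in builtin if name not in merged]
    merged.extend(added)
    return merged, added


def rulesets_per_interface(config_xml):
    """Map each Suricata interface entry to its deduplicated rulesets list."""
    root = ET.fromstring(config_xml)
    out = {}
    for idx, rule in enumerate(root.findall("./installedpackages/suricata/rule")):
        iface = rule.findtext("interface") or "rule{}".format(idx)
        out[iface] = parse_rulesets(rule.findtext("rulesets") or "")
    return out


def diff_backups(before_xml, after_xml):
    """Per interface: categories present only after, and only before."""
    before = rulesets_per_interface(before_xml)
    after = rulesets_per_interface(after_xml)
    report = {}
    for iface in sorted(set(before) | set(after)):
        b, a = set(before.get(iface, [])), set(after.get(iface, []))
        report[iface] = {"added": sorted(a - b), "removed": sorted(b - a)}
    return report


def parse_disable_conf(text):
    """Category names from a disable.conf-style list (assumed format):
    strip '#' comments and keep entries that name a .rules file."""
    cats = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry.endswith(".rules"):
            cats.add(entry)
    return cats


def still_enabled_after_upgrade(report, disable_conf_text):
    """Added categories that no persistent disable entry covers, per interface."""
    disabled = parse_disable_conf(disable_conf_text)
    return {iface: [c for c in r["added"] if c not in disabled]
            for iface, r in report.items()}


if __name__ == "__main__":
    report = diff_backups(BEFORE_XML, AFTER_XML)
    for iface, r in report.items():
        print(iface, "added:", r["added"], "removed:", r["removed"])
    print("not covered by disable.conf:",
          still_enabled_after_upgrade(report, DISABLE_CONF))
```

To use it on real backups, read the two config.xml files into `BEFORE_XML` and `AFTER_XML` and paste your SID MGMT disable list into `DISABLE_CONF`; any category the script lists as "not covered" will come back on the next package install unless you add it to that list or accept it.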
        • S
          SteveITS Galactic Empire @bmeeks
          last edited by Dec 27, 2023, 10:49 PM

          @bmeeks OK thanks for confirming all this. And then I suppose the "Send notifications when new rule categories appear" option is only for when that happens between upgrades?


          • B
            bmeeks @SteveITS
            last edited by Dec 28, 2023, 12:45 AM

            @SteveITS said in Suricata upgrade/install adds default rulesets:

            And then I suppose the "Send notifications when new rule categories appear" option is only for when that happens between upgrades?

            That's an option that was added by a former Netgate developer who has since left their employ. I am not familiar with how it works. I think it may only work for new rules inside certain vendor packages (for example Snort VRT rules or something). I don't think it was ever meant to apply to the built-in rules.

            • R
              RobertK 1 @SteveITS
              last edited by Jan 18, 2024, 9:22 PM

              Hi All,

               I can confirm something similar; for me it's the "quic-events.rules" default category, which has got re-enabled after each recent update (7.0.2_2, 7.0.2_3).
               As it contains only two rules, I've used the suppress list; probably it won't be a problem after the next upgrade.

              • S
                SteveITS Galactic Empire @RobertK 1
                last edited by Jan 18, 2024, 9:25 PM

                 @RobertK-1 We've found the stream events cause a lot of issues, so we routinely disabled those. The disable.conf file, as noted above, is permanent. Otherwise, for your case, the rule IDs may change and/or they may add more.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.