Netgate Discussion Forum

    Question on SID management, default disabled rules & dropsid.conf

    IDS/IPS
    • eightfold

      I've searched and read a few topics, but there's something that I'm not quite clear on as my question wasn't addressed in any of them.

      Say, for example, I add emerging-malware.rules into the dropsid.conf section of the SID management; it will, by default, drop all traffic that matches the SIDs in that ruleset. What's not clear to me is if this also applies to rules that are default disabled. This is assuming I have not performed a force enable of any of the individual rules in the ruleset.

      When I look in the rules list it does show that several of the rules are default disabled, but it has the yellow icon next to it to indicate "Action/content modified by SID Mgmt". Does this mean that the rule is no longer disabled and the SID management force enables the rule?

      I don't have an enablesid.conf applied on the interface, so I'm assuming the default disabled rules stay as they are, but I'd like to be sure.

      • bmeeks

        The yellow icon simply indicates the rule matched a SID MGMT condition such as SID or category name, for example. The dropsid.conf logic only modifies the action of a rule; it does not change the enabled or disabled state of the rule. So, default disabled rules remain disabled unless that is overridden in the enablesid.conf logic.

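A simplified model of the behaviour described in the answer above, as an added example that is not part of the original posts and is not the pfSense package's own code. The rule lines, SIDs and selector forms (a category file name or a bare SID) are constructed assumptions; a leading `#` marks a default disabled rule.

```python
import re

# Constructed sample rules (not real signatures). A leading '#' marks a rule
# that ships default disabled in the rules file.
SAMPLE_RULES = {
    "emerging-malware.rules": [
        'alert tcp any any -> any any (msg:"constructed rule A"; sid:9000001; rev:1;)',
        '#alert tcp any any -> any any (msg:"constructed rule B"; sid:9000002; rev:1;)',
    ],
    "emerging-info.rules": [
        'alert udp any any -> any any (msg:"constructed rule C"; sid:9000003; rev:1;)',
    ],
}

RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>\w+)\s+(?P<rest>.*\bsid:\s*(?P<sid>\d+);.*)$')

def load(categories):
    """Parse rule lines into dicts that track state and action separately."""
    rules = []
    for category, lines in categories.items():
        for line in lines:
            m = RULE_RE.match(line.strip())
            if m:
                rules.append({"category": category, "sid": int(m["sid"]),
                              "enabled": m["off"] is None,
                              "action": m["action"], "modified": False})
    return rules

def matches(rule, selectors):
    # Assumed selector forms: a category file name or a bare SID string.
    return rule["category"] in selectors or str(rule["sid"]) in selectors

def apply_sid_mgmt(rules, dropsid=(), enablesid=()):
    for r in rules:
        if matches(r, enablesid):   # only enablesid changes enabled state
            r["enabled"], r["modified"] = True, True
        if matches(r, dropsid):     # dropsid rewrites the action, nothing else
            r["action"], r["modified"] = "drop", True   # "modified" = yellow icon
    return rules

def effective_drops(rules):
    """SIDs that would actually drop traffic: enabled AND action == drop."""
    return sorted(r["sid"] for r in rules if r["enabled"] and r["action"] == "drop")

if __name__ == "__main__":
    only_drop = apply_sid_mgmt(load(SAMPLE_RULES), dropsid=["emerging-malware.rules"])
    for r in only_drop:
        print(r["sid"], r["action"], "enabled" if r["enabled"] else "disabled",
              "(modified)" if r["modified"] else "")
```

Rule B ends up flagged as modified with a `drop` action yet stays disabled, so it never appears in `effective_drops` until an enablesid entry matches it.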
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.