Suricata rule actions
-
Hello,
I installed Suricata on pfSense yesterday and clicked all night to set the rule actions to drop for the rules I want. Today I was checking the rules again and, after the rule update, they all had their default action "alert" back … Is there a simple, fast way to set the rules to "drop" again without having to manually click through all of them again?
-
You can use SID Management.
As I have now learned, the Enabled rules will override any default rules that have been commented out. Do not enable entire rule categories here: you will enable the entire rule category, including rules that were commented out. (New to me!) Disabled rules will override rules enabled by default (you will want some of these to correct undesirable blocking). You can choose Disable first then Enable, or vice versa. Finally, the Drop rules will be those rules that will be changed from Alert to Drop (but not rules that are commented out or Disabled). I tend to blanket the rule categories here.
[This post was modified to correct a huge misunderstanding I had.]
-
When you click the icons on the RULES tab beside individual rules, that puts the SID in a special list for Suricata. After all other things are processed (SID management changes and the default states from the rule vendors), the FORCE ENABLE and FORCE DISABLE rule changes you make on the RULES tab are applied using the SID to identify the rule. So changes made on the RULES tab are the last thing that happens. I'm working from memory here, but I think the disabling of rules is the last step (that is, the force enable rules are enabled, then the force disable rules are disabled).
With the introduction of the SID MGMT tab a few releases back, you really should make your rule customizations there. You can use the three modification config files there (enablesid, disablesid and modifysid) to make your changes. The example files are full of sample rule modifications you can follow and learn from. My advice is to create your own files from those samples (you could just save the samples with a new name and then edit from there). This is because the sample files come with the package installation and will get overwritten if you upgrade Suricata or remove and reinstall the package. Files you create with a different name will survive Suricata upgrades and package removal and reinstallation.
One more warning about customized SID MGMT files you create. They are stored in /var/db/suricata/sidmgmt on the firewall, but are not part of any configuration backup. You will need to back them up yourself. You can do that using the icons on the SID MGMT tab to download and save them to another location off the firewall. That way, if you have to recover the firewall from scratch, you can upload your saved SID MGMT configuration files and be good to go again. Otherwise, you would have to recreate them from scratch.
Bill
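The two answers above describe a precedence order: vendor default state, then enablesid, then disablesid, then dropsid (which only touches rules that are still enabled), and finally the RULES-tab force-enable/force-disable SIDs. The script below is an added example, not pfSense's or Suricata's code, that models that order over a constructed ruleset so the "blanket-enabling a category also enables vendor-commented rules" and "drop never touches commented or disabled rules" points can be seen directly. It accepts the pulledpork-style list entries the SID MGMT files use (gid:sid, gid:sid-gid:sid ranges, pcre:<regex> against the rule msg, and bare category names); the `# file:` marker lines, the SIDs 2000001-2000004 and the rule text are made-up samples, and modifysid is not modeled.

```python
import re
from dataclasses import dataclass

# Constructed sample ruleset (not real ET rules). "# file:" lines mark the
# category a rule came from; a rule starting with "# alert" is vendor-disabled.
SAMPLE_RULES = """\
# file: emerging-scan.rules
alert tcp any any -> $HOME_NET 22 (msg:"ET SCAN sample 1"; sid:2000001; rev:1;)
# alert tcp any any -> $HOME_NET 23 (msg:"ET SCAN sample 2 vendor-disabled"; sid:2000002; rev:1;)
# file: emerging-trojan.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN sample 3"; sid:2000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN sample 4"; sid:2000004; rev:1;)
"""

@dataclass
class Rule:
    gid: int
    sid: int
    category: str
    msg: str
    action: str
    enabled: bool

RULE_RE = re.compile(r'^(#\s*)?(alert|drop|pass|reject)\s+.*?msg:"([^"]*)".*?sid:(\d+);')

def parse_rules(text):
    """Parse the constructed ruleset; a leading '#' means vendor-disabled."""
    rules, category = [], "unknown"
    for line in text.splitlines():
        if line.startswith("# file:"):
            category = line.split(":", 1)[1].strip()
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        commented, action, msg, sid = m.groups()
        gid_m = re.search(r'gid:(\d+);', line)
        gid = int(gid_m.group(1)) if gid_m else 1   # Suricata default gid is 1
        rules.append(Rule(gid, int(sid), category, msg, action, commented is None))
    return rules

def parse_sid_list(text):
    """Parse a pulledpork-style list: gid:sid, gid:sid-gid:sid ranges,
    pcre:<regex> (one per line), or bare category names; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("pcre:"):            # regex may contain commas
            entries.append(("pcre", re.compile(line[5:].strip())))
            continue
        for item in filter(None, (s.strip() for s in line.split(","))):
            if re.fullmatch(r'\d+:\d+-\d+:\d+', item):
                lo, hi = item.split("-")
                entries.append(("range", tuple(map(int, lo.split(":"))),
                                tuple(map(int, hi.split(":")))))
            elif re.fullmatch(r'\d+:\d+', item):
                g, s = item.split(":")
                entries.append(("sid", (int(g), int(s))))
            else:
                entries.append(("category", item))
    return entries

def matches(rule, entry):
    kind = entry[0]
    if kind == "sid":
        return (rule.gid, rule.sid) == entry[1]
    if kind == "range":
        return entry[1] <= (rule.gid, rule.sid) <= entry[2]
    if kind == "pcre":
        return entry[1].search(rule.msg) is not None
    return rule.category == entry[1]

def apply_sid_mgmt(rules, enablesid="", disablesid="", dropsid="",
                   force_enable=(), force_disable=()):
    """Apply the order described in the thread: vendor default, enablesid,
    disablesid, dropsid (only rules still enabled), then RULES-tab forces."""
    en, dis, drop = (parse_sid_list(t) for t in (enablesid, disablesid, dropsid))
    for r in rules:
        if any(matches(r, e) for e in en):
            r.enabled = True            # also revives vendor-commented rules
        if any(matches(r, e) for e in dis):
            r.enabled = False
        if r.enabled and any(matches(r, e) for e in drop):
            r.action = "drop"           # disabled/commented rules are untouched
        if (r.gid, r.sid) in force_enable:
            r.enabled = True
        if (r.gid, r.sid) in force_disable:
            r.enabled = False
    return rules

def summarize(rules):
    return {f"{r.gid}:{r.sid}": (r.action, r.enabled) for r in rules}

def demo():
    """Blanket-enable the scan category, disable one trojan rule, then set
    both categories to drop."""
    rules = parse_rules(SAMPLE_RULES)
    apply_sid_mgmt(rules,
                   enablesid="emerging-scan.rules",
                   disablesid="1:2000004   # keep this one alert-only",
                   dropsid="emerging-scan.rules,emerging-trojan.rules")
    return summarize(rules)

if __name__ == "__main__":
    for sid, (action, enabled) in demo().items():
        print(f"{sid}: {action} {'enabled' if enabled else 'disabled'}")
```

Running `demo()` shows 2000002 ending up as an enabled drop rule even though the vendor shipped it commented out, which is exactly the surprise the second post describes; listing only the scan category in dropsid without enablesid leaves 2000002 as a disabled alert rule.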