Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Suricata and odd behavior when changing certain rules

    Scheduled Pinned Locked Moved IDS/IPS
    5 Posts 2 Posters 576 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      drewsaur
      last edited by

      Hello,

      Occasionally, when I disable a rule's "drop" parameter or disable rules using my SID files in Suricata, the rule still blocks traffic for a while, even for rules that have no flowbits set. It's as if the complex underlying calculated rules take several minutes to update accordingly, even though the updates show in the UI (e.g., they are changed to "Alert Only" or show as disabled in the UI).

      Again, these are for rules with no flowbit involvement.

      There are occasionally times when I do something that causes rules to completely reload, and then the behavior finally catches up and the blocks for those rules stop. I sometimes try running the "reset all" feature on the rules portion of the Interface tabs, but that doesn't always do the trick.

      Is there something that I should be doing to force an under-the-hood ruleset recalculation after I make SID file changes to ensure that the system catches up more quickly?

      FWIW, a reboot of my box did NOT help! I also verified that I have only one Suricata instance running (saw that in another post).

      FYI I had this most egregiously when I toyed around with drops in the the four Snort "Indicator" rulesets. Even when I commented the four rulesets out completely in my drops SID file (I really want alerts only with these rules anyway), the rules kept doing drops, and the rules in question had NO flowbit involvement.  I eventually just disabled the rules altogether, but I STILL got some blocks after completely disabling the rules (again, no flowbits). After a while, things caught up and settled down, but, wow…

      Anyway, that for any help anyone can provide with a way to mitigate this. It seems that I am missing something, and cannot wait to be enlightened. Thanks again.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        When you are making changes on the SID MGMT tab, if you want those changes to be seen by the running IDS (Snort or Suricata) without a restart, you must check the checkbox at the bottom of the page on the left that says "Rebuild" (or something like that, can't remember the exact wording off the top of my head).  That will force the IDS to live-reload the entire ruleset.

        Depending on how many rules you have enabled, this may take some time.  The less RAM you have or the slower your CPU, the longer it may take.  On a powerhouse  server box it might take 10 - 20 seconds, but on a less capable small footprint device it could be a couple of minutes potentially.

        Bill

        1 Reply Last reply Reply Quote 0
        • D
          drewsaur
          last edited by

          @bmeeks:

          When you are making changes on the SID MGMT tab, if you want those changes to be seen by the running IDS (Snort or Suricata) without a restart, you must check the checkbox at the bottom of the page on the left that says "Rebuild" (or something like that, can't remember the exact wording off the top of my head).  That will force the IDS to live-reload the entire ruleset.

          Depending on how many rules you have enabled, this may take some time.  The less RAM you have or the slower your CPU, the longer it may take.  On a powerhouse  server box it might take 10 - 20 seconds, but on a less capable small footprint device it could be a couple of minutes potentially.

          Bill

          THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!

          1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by

            @drewsaur:

            THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!

            Yeah, the default state of those "Information" icons is collapsed.  I think that was state was chosen in order to reduce clutter.

            Bill

            1 Reply Last reply Reply Quote 0
            • D
              drewsaur
              last edited by

              @bmeeks:

              @drewsaur:

              THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!

              Yeah, the default state of those "Information" icons is collapsed.  I think that was state was chosen in order to reduce clutter.

              Bill

              May I suggest that the text "Check the box beside an interface to immediately apply new auto-SID management changes and signal Suricata to live-load the new rules for the interface when clicking Save; otherwise only the new file assignments will be saved" be outside of the "info" icon? It seems essential to the UI and is non-obvious.

              The remainder of the text is certainly a candidate for the "i" icon :)

              Cheers!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.