Suricata and odd behavior when changing certain rules



  • Hello,

    Occasionally, when I disable a rule's "drop" parameter or disable rules using my SID files in Suricata, the rule still blocks traffic for a while, even for rules that have no flowbits set. It's as if the complex underlying calculated rules take several minutes to update accordingly, even though the updates show in the UI (e.g., they are changed to "Alert Only" or show as disabled in the UI).

    Again, these are for rules with no flowbit involvement.

    There are occasionally times when I do something that causes rules to completely reload, and then the behavior finally catches up and the blocks for those rules stop. I sometimes try running the "reset all" feature on the rules portion of the Interface tabs, but that doesn't always do the trick.

    Is there something that I should be doing to force an under-the-hood ruleset recalculation after I make SID file changes to ensure that the system catches up more quickly?

    FWIW, a reboot of my box did NOT help! I also verified that I have only one Suricata instance running (saw that in another post).

    FYI I had this most egregiously when I toyed around with drops in the four Snort "Indicator" rulesets. Even when I commented the four rulesets out completely in my drops SID file (I really want alerts only with these rules anyway), the rules kept doing drops, and the rules in question had NO flowbit involvement. I eventually just disabled the rules altogether, but I STILL got some blocks after completely disabling the rules (again, no flowbits). After a while, things caught up and settled down, but, wow…

    Anyway, thanks for any help anyone can provide with a way to mitigate this. It seems that I am missing something, and cannot wait to be enlightened. Thanks again.



  • When you are making changes on the SID MGMT tab, if you want those changes to be seen by the running IDS (Snort or Suricata) without a restart, you must check the checkbox at the bottom of the page on the left that says "Rebuild" (or something like that, can't remember the exact wording off the top of my head).  That will force the IDS to live-reload the entire ruleset.

    Depending on how many rules you have enabled, this may take some time. The less RAM you have or the slower your CPU, the longer it may take. On a powerhouse server box it might take 10 - 20 seconds, but on a less capable small footprint device it could be a couple of minutes potentially.

    Bill
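    As an added illustration of what the SID management files actually do to the ruleset (example code written for this thread, not pfSense's or Suricata's own implementation): the script below takes a constructed sample rules file plus a constructed disablesid list and dropsid list in a simplified form of the pfSense syntax (one bare SID or `gid:sid` per line, or a `pcre:` pattern), rewrites the rules the way the SID MGMT step does, and then compares the rewritten file against the copy the engine last loaded so you can list which SIDs are still running with the old action until a rebuild/live-reload happens. The precedence rule (a disabled SID stays disabled even if it also matches the drop list) and the comparison helper are assumptions made for this example.

```python
import re

# Constructed sample of a Suricata rules file (not from any real ruleset).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE indicator A"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; sid:1000002; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE already disabled"; sid:1000003; rev:1;)
alert http any any -> any any (msg:"EXAMPLE web scan"; flowbits:set,example.scan; sid:1000004; rev:1;)
"""

# Constructed SID lists in a simplified pfSense-style syntax (assumed here):
# one SID or gid:sid per line, or "pcre:<regex>"; '#' starts a comment.
DROPSID_CONF = """\
# convert these from alert to drop
1:1000001
pcre:ssh probe
"""
DISABLESID_CONF = """\
1000002
"""

# Matches an active or commented-out rule line and captures its action and SID.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+'
    r'(?P<body>.*sid:\s*(?P<sid>\d+)\s*;.*)$'
)


def parse_sid_list(text):
    """Return (set of SIDs, list of compiled pcre patterns) from a SID list."""
    sids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('pcre:'):
            patterns.append(re.compile(line[len('pcre:'):].strip()))
        else:
            sids.add(int(line.split(':')[-1]))  # accept "sid" or "gid:sid"
    return sids, patterns


def _listed(sid, rule_line, sids, patterns):
    return sid in sids or any(p.search(rule_line) for p in patterns)


def apply_sid_lists(rules_text, disablesid_conf, dropsid_conf):
    """Rewrite a rules file: listed SIDs get commented out or switched to drop."""
    dis_sids, dis_pats = parse_sid_list(disablesid_conf)
    drop_sids, drop_pats = parse_sid_list(dropsid_conf)
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group('off'):
            out.append(line)  # not a rule, or already disabled: leave as is
            continue
        sid = int(m.group('sid'))
        action, body = m.group('action'), m.group('body')
        if _listed(sid, line, dis_sids, dis_pats):
            out.append(f"# {action} {body}")  # disable wins over drop (assumption)
        elif _listed(sid, line, drop_sids, drop_pats):
            out.append(f"drop {body}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def rule_actions(rules_text):
    """Map SID -> 'alert' | 'drop' | 'pass' | 'reject' | 'disabled'."""
    state = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            state[int(m.group('sid'))] = 'disabled' if m.group('off') else m.group('action')
    return state


def stale_sids(desired_rules_text, loaded_rules_text):
    """SIDs whose action in the regenerated file differs from the copy the engine loaded."""
    loaded = rule_actions(loaded_rules_text)
    return {sid for sid, act in rule_actions(desired_rules_text).items()
            if loaded.get(sid) != act}


if __name__ == "__main__":
    rewritten = apply_sid_lists(SAMPLE_RULES, DISABLESID_CONF, DROPSID_CONF)
    print(rewritten)
    # Until Suricata live-reloads, these SIDs still run with their old action.
    print("stale until reload:", sorted(stale_sids(rewritten, SAMPLE_RULES)))
```

    Run against a real rules file, the `stale_sids` comparison is just the regenerated file versus a copy taken before the rebuild; if it is non-empty after you hit Save, the running engine has not picked up the change yet, which is exactly the window the original question describes.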



  • @bmeeks:

    When you are making changes on the SID MGMT tab, if you want those changes to be seen by the running IDS (Snort or Suricata) without a restart, you must check the checkbox at the bottom of the page on the left that says "Rebuild" (or something like that, can't remember the exact wording off the top of my head).  That will force the IDS to live-reload the entire ruleset.

    Depending on how many rules you have enabled, this may take some time. The less RAM you have or the slower your CPU, the longer it may take. On a powerhouse server box it might take 10 - 20 seconds, but on a less capable small footprint device it could be a couple of minutes potentially.

    Bill

    THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!



  • @drewsaur:

    THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!

    Yeah, the default state of those "Information" icons is collapsed. I think that state was chosen in order to reduce clutter.

    Bill



  • @bmeeks:

    @drewsaur:

    THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!

    Yeah, the default state of those "Information" icons is collapsed. I think that state was chosen in order to reduce clutter.

    Bill

    May I suggest that the text "Check the box beside an interface to immediately apply new auto-SID management changes and signal Suricata to live-load the new rules for the interface when clicking Save; otherwise only the new file assignments will be saved" be outside of the "info" icon? It seems essential to the UI and is non-obvious.

    The remainder of the text is certainly a candidate for the "i" icon :)

    Cheers!