How to see the rules I disabled?
rutman286 last edited by
I am using Suricata on PFSense 2.4.4. It is a recent install and I am just learning Suricata. I have set up some snort categories on my LAN interface. I have tested a few things I knew would generate alerts, and have force-disabled three rules using the red X on the GID:SID. The system tells me the rule has been force-disabled. The icon in alerts turns yellow, and restarting the interface makes that alert not come back if I run the tests again. However, I would like to know how to get a list of the rules I have force disabled now? I thought it would be under "Interface LAN: Rules: User Forced Disabled Rules", but there is only one of the three rules I disabled listed in there. Can someone help me know where else to look?
bmeeks last edited by bmeeks
All of them should be showing there, but it is possible the Suricata GUI code for displaying that tab option has the same bug I fixed earlier in the Snort GUI. I will need to check it out and see. The two packages share a ton of the same PHP GUI code.
This was indeed the same bug as existed in the Snort code. I have submitted a fix for the pfSense developer team to approve and merge. Look for a new Suricata GUI package update to version 4.0.13_9 in the near future.