How to see the rules I disabled?



  • I am using Suricata on PFSense 2.4.4. It is a recent install and I am just learning Suricata. I have set up some snort categories on my LAN interface. I have tested a few things I knew would generate alerts, and have force-disabled three rules using the red X on the GID:SID. The system tells me the rule has been force-disabled. The icon in alerts turns yellow, and restarting the interface makes that alert not come back if I run the tests again. However, I would like to know how to get a list of the rules I have force disabled now? I thought it would be under "Interface LAN: Rules: User Forced Disabled Rules", but there is only one of the three rules I disabled listed in there. Can someone help me know where else to look?



  • All of them should be showing there, but it is possible the Suricata GUI code for displaying that tab option has the same bug I fixed earlier in the Snort GUI. I will need to check it out and see. The two packages share a ton of the same PHP GUI code.

    UPDATE:
    This was indeed the same bug as existed in the Snort code. I have submitted a fix for the pfSense developer team to approve and merge. Look for a new Suricata GUI package update to version 4.0.13_9 in the near future.