Suricata Disabled by user rule, in blocked hosts again



  • Hello,

    I am using pfSense in a little office and I enabled Suricata on both the LAN and WAN interfaces. I have been testing with some categories and I think now it's working pretty well.

    The thing is, I marked the rule named ET POLICY exe download via HTTP as "disabled by user", but this rule appears again in the Block list of Suricata.

    Could someone help me with that?

    Thanks so much in advance!



  • @lluisclava said in Suricata Disabled by user rule, in blocked hosts again:

    Hello,

    I am using pfSense in a little office and I enabled Suricata on both the LAN and WAN interfaces. I have been testing with some categories and I think now it's working pretty well.

    The thing is, I marked the rule named ET POLICY exe download via HTTP as "disabled by user", but this rule appears again in the Block list of Suricata.

    Could someone help me with that?

    Thanks so much in advance!

    Did you clear the original block, either on the BLOCKS tab or by using the appropriate icon on the ALERTS tab? Just because you disable a rule, that does not mean Suricata automatically removes any existing blocks. Blocks remain until cleared by the user, by the "Remove Blocked Hosts Interval" cron task, or by a firewall reboot.

    And if you are running the same rules on the WAN and LAN, then did you disable the rule in both setups? There really is no reason on Earth to run the same rules on WAN and LAN, but I've seen people post here before that are doing just that; so that's why I mention it.



  • Dear bmeeks,

    Thanks for your answer.

    Yes, I cleared all the blocked hosts and checked that the rule is disabled on both the WAN and LAN side. And it keeps blocking again and again....
    Any idea?

    What kind of rules do you think are important to enable on the WAN, and which on the LAN??

    Thanks again!



  • @lluisclava said in Suricata Disabled by user rule, in blocked hosts again:

    Dear bmeeks,

    Thanks for your answer.

    Yes, I cleared all the blocked hosts and checked that the rule is disabled on both the WAN and LAN side. And it keeps blocking again and again....
    Any idea?

    What kind of rules do you think are important to enable on the WAN, and which on the LAN??

    Thanks again!

    If you are a home user, enable zero rules on the WAN. Do not even put Suricata (or Snort) on the WAN if you are a home user. You will get nothing but useless noise alerts/blocks on your WAN so long as you leave pfSense configured with the default "deny all inbound" rule intact. And by the way, it is extremely wasteful of firewall resources to run the same rules on the WAN and LAN. What would be the point of that?

    If you have a disabled rule that is still blocking, then the most likely cause is that you have multiple instances of Suricata running on the same interface. When that happens, one of the instances will not respond to any GUI changes.

    Execute this command from a CLI session on the firewall:

    ps -ax | grep suricata
    

    You should not see any duplicate output lines. You should see only one unique line per configured instance (for you, likely one for LAN and one for WAN). If you see duplicates, then go to the GUI INTERFACES tab for Suricata and stop all the configured interfaces. Return to the CLI session and repeat the command above to see if any Suricata processes remain. If you see any, kill them with this command:

    kill -9 <pid>
    

    where <pid> is the process ID of each still-running instance.

    Now go back to the INTERFACES tab and manually start your configured instances.
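    The duplicate-instance check described above, as an added helper script that is not part of this thread or of the pfSense Suricata package: it reads `ps -ax` output and reports any interface that has more than one Suricata process. It assumes each instance is started with an `-i <iface>` argument (an assumption about the command line); the sample `ps` lines below are constructed, not captured from a real firewall.

    ```sh
    #!/bin/sh
    # Added helper (not from the thread): find interfaces with more than one
    # suricata process in `ps -ax` output. Assumes each instance's command line
    # carries "-i <iface>" (assumption, not verified against the package).

    # Constructed sample of `ps -ax | grep suricata` output, with the em0
    # instance started twice (PIDs 12345 and 12777).
    SAMPLE_PS='12345  -  Ss   0:01.20 /usr/local/bin/suricata -i em0 -D -c /path/to/suricata.yaml
    12399  -  Ss   0:00.80 /usr/local/bin/suricata -i em1 -D -c /path/to/suricata.yaml
    12777  -  Ss   0:00.05 /usr/local/bin/suricata -i em0 -D -c /path/to/suricata.yaml'

    # Reads ps output on stdin and prints "<iface> <count> <pid,pid,...>" for
    # every interface with more than one suricata process; prints nothing when
    # each interface has exactly one.
    find_duplicates() {
        # "[s]uricata" matches suricata processes but not the grep itself.
        grep '[s]uricata' | awk '{
            pid = $1; iface = ""
            for (i = 1; i <= NF; i++) if ($i == "-i") iface = $(i + 1)
            if (iface != "") {
                count[iface]++
                pids[iface] = (pids[iface] == "" ? pid : pids[iface] "," pid)
            }
        }
        END { for (f in count) if (count[f] > 1) print f, count[f], pids[f] }'
    }

    # Demo on the constructed sample; prints: em0 2 12345,12777
    printf '%s\n' "$SAMPLE_PS" | find_duplicates
    # On the firewall itself, run:  ps -ax | find_duplicates
    ```

    Each reported PID beyond the first on an interface is a leftover instance to stop from the INTERFACES tab or, failing that, to kill as described above.
    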

