how to disable default suricata rules on specific interface

jpgpi250 · May 31, 2023, 9:59 AM

running suricata 6.0.4_1 (highest available on pfsense 2.6.0)
don't want to install pfsense 2.7.0, it still has 63 open bugs, according to the roadmap - looks like the number of bugs is increasing, checking daily)

I have WAN + multiple LAN adapters on my system, so my rules are applied on WAN.

I need to apply custom rules on a specific LAN adapter, so I added the interface and unchecked all rules in "DNS categories", including flow bits.

When I check the rules (active rules) on the LAN interface, my custom rules are listed, but also a bunch of rules I don't want / need on this interface, all with the message "SURICATA ..."

I've tried to create a "SID Mgmt" file (disablesid-DNS.conf), content:

# disable suricata default rules for this interface (DNS)
1:2200000-2299999

and applied it.

I checked the rebuild checkbox and saved.

Unfortunately, the rules are still listed in the active rules.

Is it possible to remove these rules, only for that interface (must remain active on the WAN interface)?

Thanks for your time and effort.

NollipfSense · May 31, 2023, 1:53 PM

@jpgpi250 I usually turn off rules here...see arrow in Emerging DNS...