Suricata Resetting Default Rule Selection After Upgrade/Reboot
-
I noticed that I had certain default rules unselected, and every time I reboot pfSense those rules come back selected once pfSense comes back up. I've not checked a non-upgrade reboot lately, but whenever I upgrade and Suricata is reinstalled as part of that upgrade, the default settings are all rechecked but not anything else that was unchecked prior, such as ET Open Rules.
Before:
After an update to pfSense:
During the pfSense 24.03 beta updates I noticed this, and after upgrading to GA I saw it too, and now I just noticed a 24.03_1 update and it did it again.
-
This is expected behavior when the Suricata package is updated (or reinstalled). This logic is utilized to be sure any new Suricata built-in (or default) rules are included and enabled in each install.
-
@bmeeks Interesting, good to know! Thanks!
-
@Lurick said in Suricata Resetting Default Rule Selection After Upgrade/Reboot:
@bmeeks Interesting, good to know! Thanks!
If you want certain categories of those rules to remain disabled, then you can use the SID MGMT tab features to accomplish that. Simply create a disablesid.conf file of your own and place the rules category name of each category you want to disable on a line. You can open and read through the sample conf files on that tab to see how the syntax works.
I also created a Sticky Post describing the rules processing logic here: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.
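As an added illustration of the processing order described above (a package reinstall re-enables every built-in rule, then the SID MGMT overrides are applied on top), here is a small Python model of that logic. It is example code written for this thread, not the pfSense package's own implementation, and the disablesid.conf syntax it accepts is an assumption: blank lines and `#` comments are ignored, a bare category name (with or without the `.rules` suffix) disables the whole category, and a `GID:SID` line disables one rule. The rule files and SIDs are constructed samples, not real ET Open content.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

RuleKey = Tuple[int, int]  # (gid, sid)

# Constructed sample rule files keyed by category file name.
# Names mimic ET category files; the rule bodies and SIDs are invented.
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-scan.rules": [
        'alert tcp any any -> $HOME_NET any (msg:"SAMPLE scan A"; gid:1; sid:9000001; rev:1;)',
        '# alert tcp any any -> $HOME_NET any (msg:"SAMPLE scan B"; sid:9000002; rev:1;)',
    ],
    "emerging-malware.rules": [
        'alert http any any -> any any (msg:"SAMPLE malware A"; sid:9000101; rev:1;)',
        'alert http any any -> any any (msg:"SAMPLE malware B"; sid:9000102; rev:1;)',
    ],
}

# Constructed disablesid.conf in the assumed syntax (see lead-in).
SAMPLE_DISABLESID_CONF = """\
# Disable every rule in a category (file name with or without .rules)
emerging-scan
# Disable a single rule by GID:SID
1:9000102
"""

_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
_GID_SID_LINE = re.compile(r"^(\d+):(\d+)$")


def category_of(filename: str) -> str:
    """'emerging-scan.rules' -> 'emerging-scan'; bare names pass through."""
    return filename[:-6] if filename.endswith(".rules") else filename


def rule_key(rule: str) -> Optional[RuleKey]:
    """Extract (gid, sid) from a rule line; gid defaults to 1 as in Suricata."""
    sid = _SID_RE.search(rule)
    if not sid:
        return None
    gid = _GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def parse_disablesid(text: str) -> Tuple[Set[str], Set[RuleKey]]:
    """Split a disablesid.conf into category names and explicit GID:SID keys."""
    categories: Set[str] = set()
    keys: Set[RuleKey] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _GID_SID_LINE.match(line)
        if m:
            keys.add((int(m.group(1)), int(m.group(2))))
        else:
            categories.add(category_of(line))
    return categories, keys


def enable_all(rules: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Model the package reinstall: every rule comes back active (uncommented)."""
    return {f: [r.lstrip("# ").rstrip() for r in lines] for f, lines in rules.items()}


def apply_disablesid(rules: Dict[str, List[str]], conf_text: str) -> Dict[str, List[str]]:
    """Comment out every rule matched by a category or GID:SID override."""
    categories, keys = parse_disablesid(conf_text)
    result: Dict[str, List[str]] = {}
    for fname, lines in rules.items():
        cat = category_of(fname)
        out: List[str] = []
        for rule in lines:
            active = rule.lstrip("# ").rstrip()
            key = rule_key(active)
            if cat in categories or (key is not None and key in keys):
                out.append("# " + active)
            else:
                out.append(rule)
        result[fname] = out
    return result


def enabled_keys(rules: Dict[str, List[str]]) -> Set[RuleKey]:
    """Return (gid, sid) for every rule line that is currently active."""
    found: Set[RuleKey] = set()
    for lines in rules.values():
        for rule in lines:
            if rule.lstrip().startswith("#"):
                continue
            key = rule_key(rule)
            if key is not None:
                found.add(key)
    return found


def rebuild(rules: Dict[str, List[str]], conf_text: str) -> Dict[str, List[str]]:
    """Reinstall re-enables everything, then SID MGMT overrides are applied."""
    return apply_disablesid(enable_all(rules), conf_text)


if __name__ == "__main__":
    print("after reinstall:", sorted(enabled_keys(enable_all(SAMPLE_RULES))))
    print("after disablesid.conf:", sorted(enabled_keys(rebuild(SAMPLE_RULES, SAMPLE_DISABLESID_CONF))))
```

The point the model makes explicit: a rule you unchecked by hand (scan B above) is re-enabled by the reinstall step, while anything listed in disablesid.conf is disabled again afterwards, which is why the SID MGMT route survives upgrades and manual unchecking does not.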
-
@bmeeks Aha, thank you, I knew I was forgetting something. I'd set up the drop rules a while back and forgot there were disable SID rules I could use too :)