Netgate Discussion Forum

Suricata Resetting Default Rule Selection After Upgrade/Reboot

  • L
    Lurick LAYER 8
    last edited by Apr 24, 2024, 6:53 PM

    I noticed that I had certain default rules unselected, and every time I reboot pfSense those rules come back selected once pfSense comes back up. I've not checked a non-upgrade reboot lately, but whenever I upgrade and Suricata is reinstalled as part of that upgrade, the default settings are all rechecked, but not anything else that was unchecked prior, such as ET Open Rules.
    Before:
    25bc1360-64e9-4b28-b577-e37058860423-image.png
    After an update to pfSense:
    89d4429c-fdd5-4938-8e73-d6b1f30c3da7-image.png

    I noticed this with the pfSense 24.03 beta updates, and after upgrading to GA I saw it too, and now I just noticed a 24.03_1 update and it did it again.

    • B
      bmeeks
      last edited by Apr 25, 2024, 1:43 AM

      This is expected behavior when the Suricata package is updated (or reinstalled). This logic is utilized to be sure any new Suricata built-in (or default) rules are included and enabled in each install.

      • L
        Lurick LAYER 8 @bmeeks
        last edited by Apr 25, 2024, 11:11 AM

        @bmeeks Interesting, good to know! Thanks!

        • B
          bmeeks @Lurick
          last edited by bmeeks Apr 25, 2024, 12:05 PM Apr 25, 2024, 12:03 PM

          @Lurick said in Suricata Resetting Default Rule Selection After Upgrade/Reboot:

          @bmeeks Interesting, good to know! Thanks!

          If you want certain categories of those rules to remain disabled, then you can use the SID MGMT tab features to accomplish that. Simply create a disablesid.conf file of your own and place the rules category name of each category you want to disable on a line.

          You can open and read through the sample conf files on that tab to see how the syntax works.

          I also created a Sticky Post describing the rules processing logic here: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.

          • L
            Lurick LAYER 8 @bmeeks
            last edited by Apr 25, 2024, 6:46 PM

            @bmeeks Aha, thank you, I knew I was forgetting something. I'd set up the drop rules a while back and forgot there were disable sid rules I could use too :)
