Question on SID management, default disabled rules & dropsid.conf
I've searched and read a few topics, but there's something that I'm not quite clear on as my question wasn't addressed in any of them.
Say for example I add emerging-malware.rules into the dropsid.conf section of the SID management. It will, by default, drop all traffic that matches the SIDs in that ruleset. What's not clear to me is if this also applies to rules that are default disabled. This is assuming I have not performed a force enable of any of the individual rules in the ruleset. When I look in the rules list it does show that several of the rules are default disabled, but it has the yellow icon next to it to indicate "Action/content modified by SID Mgmt". Does this mean that the rule is no longer disabled and the SID management force enables the rule?
I don't have an enablesid.conf applied on the interface, so I'm assuming the default disabled rules stay as they are, but I'd like to be sure.
The yellow icon simply indicates the rule matched a SID MGMT condition such as SID or category name, for example. The dropsid.conf logic only modifies the action of a rule; it does not change the enabled or disabled state of the rule. So, default disabled rules remain disabled unless that is overridden in the enablesid.conf logic.
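To make the separation between action and enabled state concrete, here is an added Python model of the behaviour described in the answer (illustrative code, not the pfSense package's own implementation). It assumes a rule is disabled when its line starts with "#", that SID management entries are either a category file name or a "gid:sid" pair, and that enablesid, disablesid and dropsid lists are applied in that order; the rule lines are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample rule files: a leading "# " marks a default-disabled rule.
SAMPLE_RULES = {
    "emerging-malware.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE enabled"; sid:9000001; rev:1;)',
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE disabled"; sid:9000002; rev:1;)',
    ],
    "emerging-scan.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE other"; sid:9000003; rev:1;)',
    ],
}

RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*sid:(?P<sid>\d+);.*)$")

@dataclass
class Rule:
    category: str
    sid: int
    action: str   # what happens on a match (alert/drop/...), set by dropsid.conf
    enabled: bool  # whether the rule is loaded at all, set by enable/disablesid.conf
    rest: str

    def render(self) -> str:
        line = f"{self.action} {self.rest}"
        return line if self.enabled else f"# {line}"

def parse_rules(files):
    rules = []
    for category, lines in files.items():
        for line in lines:
            m = RULE_RE.match(line)
            if m:
                rules.append(Rule(category, int(m["sid"]), m["action"], m["off"] is None, m["rest"]))
    return rules

def matches(rule, entry):
    # Assumed entry formats: "<category>.rules" or "gid:sid".
    if entry.endswith(".rules"):
        return rule.category == entry
    _gid, _, sid = entry.partition(":")
    return sid.isdigit() and int(sid) == rule.sid

def apply_sid_mgmt(rules, enablesid=(), disablesid=(), dropsid=()):
    # Only the enable/disable lists touch the enabled flag; dropsid touches only the action.
    for r in rules:
        if any(matches(r, e) for e in enablesid): r.enabled = True
        if any(matches(r, e) for e in disablesid): r.enabled = False
        if any(matches(r, e) for e in dropsid): r.action = "drop"
    return rules
```

Running it with only dropsid set to emerging-malware.rules leaves sid 9000002 disabled (rendered as "# drop ...") while sid 9000001 becomes an active drop rule; adding it to enablesid is what actually turns it on.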