Issue with disabled rule categories that become re-enabled after uninstall/install of new Suricata version
-
@bmeeks
Since at least two versions of Suricata ago (7.0.7 and the one before it), rule categories that we disabled in that version are re-enabled after install of the new version. All other settings are saved as they should be. This was also the case when we now upgraded to 7.0.8.
I checked the saved config before uninstalling 7.0.7_5, and the rule categories that were disabled are not in the list on the interface, so they seem to be added after installation of a new version.
I'm not sure yet but it could be that this issue only applies to the default rules.
-
It's expected behavior and really unavoidable. That's been the behavior for quite some time. Before the switch to the new behavior, the default rule categories could not be disabled in the GUI. They could only be disabled using SID MGMT features. And today, if you manage your rule categories using the features on the SID MGMT tab, you will not have the issue you describe.
Suricata upstream does, from time to time, add new rule categories to the set of default rules shipped with the binary. The pfSense installation script checks the current list of default rules shipped with the binary and then enables any default categories not already part of the enabled rules packages in config.xml. This is to ensure any new rule categories are available and enabled.
I can see how that is a bit confusing, but it would take a fairly significant restructuring of the code to fix that so truly new rule categories are automatically added while still respecting previous actions by the admin to disable older ones.
If someone wants to tackle that problem and submit a pull request, I will be happy to review it.
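The merge logic described in the reply above, as an added illustration that is not part of this thread and not the pfSense Suricata package's own PHP code. It models the current behaviour (every shipped default category not already enabled is switched on) next to the variant the reply says would need a restructuring: remembering which defaults a previous version already shipped, so that a default missing from the enabled list is treated as an admin decision rather than as a new category. The category names and the "seen defaults" list are constructed sample data and an assumed persistence mechanism, not anything the package stores today.

```python
"""Illustrative model of how default rule categories get re-enabled on
reinstall, and one way to distinguish "truly new" defaults from ones the
admin disabled. This is a Python sketch, not the package's PHP installer.
"""

# Constructed sample data (not real package output).
# Defaults shipped with the previously installed version.
PREVIOUS_DEFAULTS = [
    "app-layer-events.rules",
    "dns-events.rules",
    "files.rules",
    "http-events.rules",
]

# Categories enabled on an interface after the admin disabled
# files.rules in the GUI and additionally enabled a non-default set.
ENABLED_BEFORE_UPGRADE = [
    "app-layer-events.rules",
    "dns-events.rules",
    "http-events.rules",
    "emerging-scan.rules",
]

# Defaults shipped with the new version: same as before plus one new one.
NEW_DEFAULTS = PREVIOUS_DEFAULTS + ["smtp-events.rules"]


def merge_defaults_current(enabled, shipped_defaults):
    """Behaviour as described in the reply: any default category shipped
    with the binary that is not in the enabled list gets enabled. An admin
    who disabled a default in the GUI therefore sees it come back."""
    return sorted(set(enabled) | set(shipped_defaults))


def merge_defaults_respecting_admin(enabled, shipped_defaults, seen_defaults):
    """Variant: only enable defaults that no previously installed version
    shipped (assumed to be tracked in a persisted 'seen_defaults' list).
    A default that was seen before but is absent from 'enabled' was
    disabled by the admin and stays disabled.

    Returns (new_enabled, new_seen_defaults); the caller would persist
    new_seen_defaults for the next upgrade.
    """
    truly_new = set(shipped_defaults) - set(seen_defaults)
    new_enabled = sorted(set(enabled) | truly_new)
    new_seen = sorted(set(seen_defaults) | set(shipped_defaults))
    return new_enabled, new_seen


def demo():
    """Run both strategies over the constructed upgrade scenario."""
    current = merge_defaults_current(ENABLED_BEFORE_UPGRADE, NEW_DEFAULTS)
    respecting, seen = merge_defaults_respecting_admin(
        ENABLED_BEFORE_UPGRADE, NEW_DEFAULTS, PREVIOUS_DEFAULTS
    )
    return {"current": current, "respecting_admin": respecting, "seen": seen}


if __name__ == "__main__":
    result = demo()
    print("current behaviour :", result["current"])
    print("respecting admin  :", result["respecting_admin"])
    print("seen defaults now :", result["seen"])
```

With the constructed data, the current strategy re-enables files.rules while also adding smtp-events.rules; the variant adds smtp-events.rules only, and its persisted "seen" list is what would have to live alongside the enabled categories in config.xml for the distinction to survive the next upgrade. That stored list is the extra state the reply refers to as a restructuring.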
-
@bmeeks Thanks for the clarification. We have now added a "Disable SID List" conf file on all interfaces with the categories we want disabled, which should solve it.