pfSense » pfSense Packages

We had traditionally disabled stream-events.rules because of false positives. I have noticed a couple times lately it's been enabled. I found that my backup just before (made as I start) an upgrade from 23.05.1 to 23.09.1 does not have it but the one I made just after the upgrade it does, around 20 minutes later. From the forum it seems others have run into this as well. I am not sure when it started. I pulled up a few client routers on 23.05.1 and it is enabled on them so likely predates 23.05.

before:
<rulesets>
GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules
</rulesets>

after:
<rulesets>
GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules||ftp-events.rules||quic-events.rules||rfb-events.rules||stream-events.rules
</rulesets>
(the last four have been added)

My process for upgrading is simply:

uninstall Suricata (and pfBlocker etc.)
    upgrade pfSense
    install Suricata

"Send notifications when new rule categories appear" is checked on this particular router but we haven't received any emails about that.

forum thread: https://forum.netgate.com/topic/185055/suricata-upgrade-install-adds-default-rulesets
mentioned: https://forum.netgate.com/topic/185037/upgrade-to-2-7-2-from-2-7-0-failed-install-no-space-left-on-device/7