Bug #15120

closed

Suricata upgrade/install adds default rulesets

Added by Steve Y 4 months ago. Updated 4 months ago.

Status: Not a Bug
Priority: Low
Assignee: -
Category: Suricata
Target version: -
% Done: 0%

Description

We had traditionally disabled stream-events.rules because of false positives. I have noticed a couple of times lately that it's been enabled. I found that my backup made just before an upgrade from 23.05.1 to 23.09.1 (made as I start) does not have it, but the one I made just after the upgrade, around 20 minutes later, does. From the forum it seems others have run into this as well. I am not sure when it started. I pulled up a few client routers on 23.05.1 and it is enabled on them, so it likely predates 23.05.

before:
<rulesets>
GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules
</rulesets>

after:
<rulesets>
GPLv2_community.rules||app-layer-events.rules||decoder-events.rules||emerging-activex.rules||dhcp-events.rules||dnp3-events.rules||emerging-attack_response.rules||dns-events.rules||emerging-botcc.portgrouped.rules||files.rules||emerging-botcc.rules||http-events.rules||emerging-chat.rules||http2-events.rules||ipsec-events.rules||kerberos-events.rules||modbus-events.rules||emerging-current_events.rules||mqtt-events.rules||nfs-events.rules||ntp-events.rules||emerging-dos.rules||smb-events.rules||smtp-events.rules||ssh-events.rules||emerging-exploit.rules||tls-events.rules||emerging-games.rules||emerging-inappropriate.rules||emerging-malware.rules||emerging-misc.rules||emerging-mobile_malware.rules||emerging-p2p.rules||emerging-scada.rules||emerging-scan.rules||emerging-shellcode.rules||emerging-user_agents.rules||emerging-web_client.rules||emerging-web_server.rules||emerging-worm.rules||ftp-events.rules||quic-events.rules||rfb-events.rules||stream-events.rules
</rulesets>

(the last four have been added)

My process for upgrading is simply:

uninstall Suricata (and pfBlocker etc.)
upgrade pfSense
install Suricata

"Send notifications when new rule categories appear" is checked on this particular router but we haven't received any emails about that.

forum thread: https://forum.netgate.com/topic/185055/suricata-upgrade-install-adds-default-rulesets
mentioned: https://forum.netgate.com/topic/185037/upgrade-to-2-7-2-from-2-7-0-failed-install-no-space-left-on-device/7
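One way to catch this kind of silent change is to diff the enabled-ruleset list between the pre-upgrade and post-upgrade config.xml backups. The script below is an added example, not code from the Suricata package or from the reporter; the XML wrapper around the `<rulesets>` element and the `<interface>`/`<rule>` layout are assumptions, and the sample backups are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal stand-ins for two pfSense config.xml backups. Only the
# Suricata <rule> entry with its <rulesets> element matters here; the real
# file has much more structure around it (assumed layout, not verified).
BEFORE_XML = """<pfsense><installedpackages><suricata><rule>
<interface>wan</interface>
<rulesets>GPLv2_community.rules||app-layer-events.rules||emerging-malware.rules</rulesets>
</rule></suricata></installedpackages></pfsense>"""

AFTER_XML = """<pfsense><installedpackages><suricata><rule>
<interface>wan</interface>
<rulesets>GPLv2_community.rules||app-layer-events.rules||emerging-malware.rules||ftp-events.rules||quic-events.rules||rfb-events.rules||stream-events.rules</rulesets>
</rule></suricata></installedpackages></pfsense>"""

# Categories the operator keeps off on purpose (constructed list); any of
# these showing up as "added" means a deliberate choice was undone.
INTENTIONALLY_DISABLED = {"stream-events.rules"}


def enabled_rulesets(config_xml):
    """Return {interface: set of enabled ruleset names} from a config.xml string."""
    root = ET.fromstring(config_xml)
    result = {}
    for rule in root.iter("rule"):
        # Firewall <rule> elements have no <rulesets>; skip everything that
        # is not a Suricata interface entry.
        if rule.find("rulesets") is None:
            continue
        iface = rule.findtext("interface", default="?")
        raw = rule.findtext("rulesets", default="") or ""
        # pfSense stores the list as a '||'-separated string.
        result[iface] = {name for name in raw.split("||") if name}
    return result


def diff_rulesets(before_xml, after_xml):
    """Per interface: rulesets added, removed, and intentionally-disabled ones re-enabled."""
    before = enabled_rulesets(before_xml)
    after = enabled_rulesets(after_xml)
    report = {}
    for iface in sorted(set(before) | set(after)):
        old, new = before.get(iface, set()), after.get(iface, set())
        report[iface] = {
            "added": sorted(new - old),
            "removed": sorted(old - new),
            "reenabled": sorted((new - old) & INTENTIONALLY_DISABLED),
        }
    return report


if __name__ == "__main__":
    for iface, changes in diff_rulesets(BEFORE_XML, AFTER_XML).items():
        print(iface, changes)
```

Run it against the real backups by reading the two files into `BEFORE_XML` and `AFTER_XML`; a non-empty `reenabled` list is the condition to alert on.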
