Bug #10292
closed
Suricata not respecting SID Mgmt list
Description
I am running pfSense 2.4.4-RELEASE-p3 (amd64) with Suricata VERSION 4.1.6_3 on an SG-2440.
Suricata is inspecting WAN traffic, Inline blocking, with all categories and rules managed with conf files in the SID Mgmt tab.
SID State Order set to Enable,Disable (as I enable entire categories then selectively disable SIDs).
On version 4.1.6_2 all changes to SID Mgmt files reflected in the rules and would enable/disable/block based on how they were configured.
Once I updated to 4.1.6_3 Suricata stopped respecting the "Disabled" conf file selected in the Disable SID List dropdown for the WAN interface.
Updated by Bill Meeks about 3 years ago
There were zero changes to that part of the Suricata code in version 4.1.6_3. In fact, both updates to 4.1.6_2 and 4.1.6_3 were totally about fixes to the GeoIP database download routine. They did not touch the suricata.inc file where all of the SID MGMT functionality logic resides.
So I would suggest closely checking your configuration to see if something is malformed in your disablesid.conf file perhaps. Because if something in SID MGMT was working in 4.1.6_2, then there is no reason for the same thing to not work in 4.1.6_3. Nothing in that part of the code was touched in either of those two updates.
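An added example, not from the thread or from the pfSense Suricata package: one way to check a disable list against the rules an interface actually loaded, reporting SIDs that are listed as disabled but still active, plus entries the checker cannot interpret (a likely sign of a malformed line). It assumes `gid:sid` entries separated by commas with `#` comments; the function names and all sample data are constructed for illustration.

```python
import re

# Assumed entry syntax: "gid:sid" items, comma-separated; "#" starts a comment.
SID_ENTRY = re.compile(r"^(\d+):(\d+)$")
RULE_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def parse_disable_list(text):
    """Return ({(gid, sid)}, [entries this checker cannot verify])."""
    wanted, unchecked = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        for item in filter(None, (p.strip() for p in line.split(","))):
            m = SID_ENTRY.match(item)
            if m:
                wanted.add((int(m.group(1)), int(m.group(2))))
            else:
                unchecked.append(item)  # category name, regex, or a typo
    return wanted, unchecked

def active_rules(rules_text):
    """Return {(gid, sid)} for every rule line that is not commented out."""
    active = set()
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid = RULE_SID.search(line)
        if sid:
            gid = RULE_GID.search(line)  # gid defaults to 1 when absent
            active.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return active

def still_enabled(disable_text, rules_text):
    # Rules the list says are disabled but that are still active.
    wanted, unchecked = parse_disable_list(disable_text)
    return sorted(wanted & active_rules(rules_text)), unchecked

# Constructed sample input (SIDs and category name are placeholders).
DISABLE = """1:9000001, 1:9000002
1:9000003   # trailing comment
example-category
1;9000004
"""
RULES = """alert icmp any any -> any any (msg:"constructed A"; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"constructed B"; sid:9000002; rev:1;)
drop tcp any any -> any any (msg:"constructed C"; gid:1; sid:9000003; rev:1;)
alert dns any any -> any any (msg:"constructed D"; sid:9000004; rev:1;)
"""
if __name__ == "__main__":
    print(still_enabled(DISABLE, RULES))
```

In the sample, `1;9000004` uses a semicolon instead of a colon, so it lands in the unverified list and its rule stays active.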