Bug #10292

Suricata not respecting SID Mgmt list

Added by Mike Janczyn 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
Start date: 02/25/2020
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.4-p3
Affected Architecture: amd64

Description

I am running pfSense 2.4.4-RELEASE-p3 (amd64) with Suricata VERSION 4.1.6_3 on an SG-2440.

Suricata is inspecting WAN traffic, Inline blocking, with all categories and rules managed with conf files in the SID Mgmt tab.
SID State Order set to Enable,Disable (as I enable entire categories then selectively disable SIDs).

On version 4.1.6_2 all changes to SID Mgmt files were reflected in the rules and would enable/disable/block based on how they were configured.

Once I updated to 4.1.6_3 Suricata stopped respecting the "Disabled" conf file selected in the Disable SID List dropdown for the WAN interface.

History

#1 Updated by Bill Meeks 3 months ago

There were zero changes to that part of the Suricata code in version 4.1.6_3. In fact, both updates to 4.1.6_2 and 4.1.6_3 were totally about fixes to the GeoIP database download routine. They did not touch the suricata.inc file where all of the SID MGMT functionality logic resides.

So I would suggest closely checking your configuration to see if something is malformed in your disablesid.conf file, perhaps, because if something in SID MGMT was working in 4.1.6_2, then there is no reason for the same thing to not work in 4.1.6_3. Nothing in that part of the code was touched in either of those two updates.
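The two things this thread turns on are the SID State Order (enable list applied first, then the disable list, so a selectively disabled SID stays off) and the possibility of a malformed entry in disablesid.conf. The following is an added illustration, not code from the pfSense Suricata package: it parses SID list files in the PulledPork-style `gid:sid` / `gid:sid-gid:sid` syntax the package documents (an assumption; `pcre:` and other forms are reported as malformed here), flags bad lines, and applies the lists in a chosen order to a constructed rule set.

```python
import re

SidKey = tuple[int, int]  # (gid, sid)
# Assumed PulledPork-style syntax: "gid:sid" or a range "gid:sid-gid:sid",
# several entries per line separated by commas, "#" starts a comment.
ENTRY_RE = re.compile(r"^(\d+):(\d+)(?:-(\d+):(\d+))?$")

def parse_sid_list(text: str) -> tuple[set[SidKey], list[str]]:
    """Parse a SID list file; return (matched keys, descriptions of malformed entries)."""
    keys: set[SidKey] = set()
    bad: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        for entry in (e.strip() for e in line.split(",")):
            m = ENTRY_RE.match(entry)
            if not m:
                bad.append(f"line {lineno}: unrecognised entry {entry!r}")
                continue
            gid, sid, gid2, sid2 = (int(x) if x else None for x in m.groups())
            if gid2 is None:
                keys.add((gid, sid))
            elif gid2 != gid or sid2 < sid:
                bad.append(f"line {lineno}: bad range {entry!r}")
            else:
                keys.update((gid, s) for s in range(sid, sid2 + 1))
    return keys, bad

def apply_sid_state(rules: dict[SidKey, bool], enable: set[SidKey],
                    disable: set[SidKey], order: tuple[str, ...]) -> dict[SidKey, bool]:
    """Apply the enable and disable lists in the given order; the later step wins."""
    state = dict(rules)
    for step in order:
        targets = enable if step == "enable" else disable
        for key in targets:
            if key in state:
                state[key] = step == "enable"
    return state

# Constructed sample rule set (not real signatures): three rules, all off by default.
RULES = {(1, 100): False, (1, 101): False, (1, 102): False}
ENABLE_TXT = "1:100-1:102   # enable the whole (constructed) category\n"
DISABLE_TXT = "1:101   # keep one noisy SID off\n101   # malformed: gid missing\n"

def demo(order=("enable", "disable")) -> tuple[dict[SidKey, bool], list[str]]:
    enable, bad_e = parse_sid_list(ENABLE_TXT)
    disable, bad_d = parse_sid_list(DISABLE_TXT)
    return apply_sid_state(RULES, enable, disable, order), bad_e + bad_d
```

With the order Enable,Disable the demo leaves 1:101 disabled and reports the malformed `101` line; with Disable,Enable the category enable runs last and 1:101 ends up enabled, which is the kind of silent override to rule out before suspecting the package.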
