Bug #12506

Only selected instance is restarted on suppress list change

Added by Viktor Gurov over 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: Suricata
Target version: -
% Done: 0%

Description

How to reproduce:

1) Create a Suppress List 'testsupplist'
2) Configure Suricata for the LAN interface and select 'testsupplist' in 'Alert Suppression and Filtering' drop-down menu
3) Configure Suricata for the OPT1 interface and select 'testsupplist' in 'Alert Suppression and Filtering' drop-down menu
4) Now, if you click "Add this alert to the Suppress List" on the Alerts tab for the LAN interface, Suricata will be reloaded only for the LAN interface, but not for the OPT1 interface.


Another issue with alert suppression:

After adding an alert to the Suppress List, there is a message at the top of the page:
"An entry for 'suppress gen_id 1, sig_id N' has been added to the Suppress List."
but there is no note about live-reloading.
It should be:
"An entry for 'suppress gen_id 1, sig_id N' has been added to the Suppress List. Suricata is 'live-reloading' to apply the new Suppress list. Please wait at least 15 secs for the process to complete before toggling additional rules."

see https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-suricata/files/usr/local/www/suricata/suricata_alerts.php#L571


pfSense-pkg-suricata-6.0.3_3

#2

Updated by Renato Botelho over 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

#3

Updated by Danilo Zrenjanin over 1 year ago

  • Status changed from Feedback to Resolved

Tested against:

22.05-RELEASE (amd64)
built on Wed Jun 22 18:56:13 UTC 2022
FreeBSD 12.3-STABLE
suricata 6.0.4_1

After clicking on the "Add this alert to the Suppress List" button, both interfaces were restarted.

Aug 13 18:07:43     php-fpm     20099     [Suricata] Suricata signalled with SIGUSR2 for OPT2 (vtnet1.10)...
Aug 13 18:07:43     php-fpm     20099     [Suricata] Suricata signalled with SIGUSR2 for LAN (vtnet1.20)... 

And I got the information about live reloading.

An entry for 'suppress gen_id 1, sig_id 2008581' has been added to the Suppress List. Suricata is 'live-reloading' the new rules list. Please wait at least 15 secs for the process to complete before toggling additional rule actions.

Everything works as expected now. I am marking this ticket resolved.
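As an added example, not part of this ticket or of the pfSense-pkg-suricata code, the following Python models the behaviour the report describes: one Suppress List shared by several Suricata instances, the original selection logic that reloaded only the instance whose Alerts tab was clicked, the corrected logic that reloads every instance bound to the changed list, and a check that parses the pfSense system log notices quoted in the test report to confirm all expected instances received SIGUSR2. The interface names, OS interface names and the single-line "buggy" log are constructed for the example; the two lines in FIXED_LOG are the ones quoted in the test report above.

```python
"""Added example, not pfSense-pkg-suricata code: model which Suricata
instances must be live-reloaded when a shared Suppress List changes, and
check the pfSense system log for the matching SIGUSR2 notices.

Instance and OS interface names are constructed; FIXED_LOG is copied from
the test report on this ticket, BUGGY_LOG is constructed to show the
original behaviour (only the selected instance signalled).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Instance:
    iface: str                    # pfSense interface name shown in the GUI
    realif: str                   # underlying OS interface
    suppress_list: Optional[str]  # Suppress List selected for this instance, if any


# One Suppress List shared by two instances, as in steps 1-3 of the report.
INSTANCES = [
    Instance("LAN", "vtnet1.20", "testsupplist"),
    Instance("OPT2", "vtnet1.10", "testsupplist"),
    Instance("WAN", "vtnet0", None),  # no list selected, must never be reloaded
]

# Suppress List contents keyed by list name; entries use Suricata's
# threshold.config "suppress" syntax, which is what the GUI writes.
SUPPRESS_LISTS: Dict[str, List[str]] = {"testsupplist": []}


def suppress_entry(gen_id: int, sig_id: int) -> str:
    """Render one threshold.config suppress line for a signature."""
    return f"suppress gen_id {gen_id}, sig_id {sig_id}"


def add_alert_to_list(list_name: str, gen_id: int, sig_id: int) -> str:
    """Append a suppress entry to the named list (no duplicate entries)."""
    entry = suppress_entry(gen_id, sig_id)
    entries = SUPPRESS_LISTS.setdefault(list_name, [])
    if entry not in entries:
        entries.append(entry)
    return entry


def reload_targets_buggy(instances, selected_iface: str) -> List[Instance]:
    """Behaviour reported in the ticket: only the instance whose Alerts tab
    the button was clicked on is reloaded, whoever else shares the list."""
    return [i for i in instances if i.iface == selected_iface]


def reload_targets_fixed(instances, list_name: str) -> List[Instance]:
    """Expected behaviour: every instance bound to the changed list is
    reloaded, so the new entry takes effect on all of them."""
    return [i for i in instances if i.suppress_list == list_name]


# Format of the pfSense system log notice quoted in the test report.
SIGNAL_RE = re.compile(
    r"\[Suricata\] Suricata signalled with SIGUSR2 for (?P<iface>\S+) "
    r"\((?P<realif>\S+)\)\.\.\."
)


def signalled_interfaces(log_lines) -> Set[str]:
    """Extract the pfSense interface names that were sent SIGUSR2."""
    found = set()
    for line in log_lines:
        m = SIGNAL_RE.search(line)
        if m:
            found.add(m.group("iface"))
    return found


def verify_reload(log_lines, expected) -> Dict[str, List[str]]:
    """Compare the interfaces the log says were signalled with the instances
    that should have been; two empty lists mean the reload was complete."""
    want = {i.iface for i in expected}
    got = signalled_interfaces(log_lines)
    return {"missing": sorted(want - got), "unexpected": sorted(got - want)}


# Copied from the test report on this ticket (22.05-RELEASE, suricata 6.0.4_1).
FIXED_LOG = [
    "Aug 13 18:07:43 php-fpm 20099 [Suricata] Suricata signalled with SIGUSR2 for OPT2 (vtnet1.10)...",
    "Aug 13 18:07:43 php-fpm 20099 [Suricata] Suricata signalled with SIGUSR2 for LAN (vtnet1.20)...",
]
# Constructed: the log as it looked with the original behaviour (LAN only).
BUGGY_LOG = FIXED_LOG[1:]


if __name__ == "__main__":
    add_alert_to_list("testsupplist", 1, 2008581)
    expected = reload_targets_fixed(INSTANCES, "testsupplist")
    print("buggy:", verify_reload(BUGGY_LOG, expected))  # OPT2 missing
    print("fixed:", verify_reload(FIXED_LOG, expected))  # nothing missing
```

The selection step is the whole fix: the Suppress List is a shared object, so the set of instances to signal has to be derived from which instances reference the list, not from which Alerts tab the button was clicked on. The log check is the same verification the tester did by hand, and it also flags instances that were signalled without being bound to the list.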
