Actions
Bug #16386
open
pfSense upgrade re-enables Suricata rulesets that were previously deactivated
Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
Suricata
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
Description
Steps to Reproduce
- Install and enable Suricata on one or more interfaces.
- In the Suricata settings, manually deactivate specific rulesets, e.g., app-layer-events.rules - decoder-events.rules - stream-events.rules - tls-events.rules
- Perform a firmware upgrade of pfSense to a new release. tested on (25.07 to 25.07.1)
- After reboot, check if the deactivated rules are active.
Actual Result
- Rulesets that the administrator explicitly deactivated are re-enabled automatically after the firmware upgrade.
- This results in unwanted rules being applied, additional CPU load, and possible traffic blocking.
Expected Result
- Suricata should preserve the administrator’s configuration across firmware upgrades.
- Deactivated rulesets should remain deactivated after upgrade, with no unexpected changes.
Files
Updated by Lev Prokofev 23 days ago
- File clipboard-202508201415-hbdmp.png clipboard-202508201415-hbdmp.png added
- File clipboard-202508201416-em0i4.png clipboard-202508201416-em0i4.png added
I can confirm this issue. It also occurs after the reinstallation of the package.
Tested on:
25.11-DEVELOPMENT (amd64) built on Sat Aug 16
25.07.1-RELEASE (amd64) built on Wed Aug 13
Before re-install:
After:
Updated by Lev Prokofev 23 days ago
- Status changed from New to Confirmed
I can confirm this issue. It also occurs after the reinstallation of the package.
Tested on:
25.11-DEVELOPMENT (amd64) built on Sat Aug 16
25.07.1-RELEASE (amd64) built on Wed Aug 13
Before re-install:
After:
Actions