Bug #16386
pfSense upgrade re-enables Suricata rulesets that were previously deactivated
Status: Confirmed
Priority: Normal
Assignee: -
Category: Suricata
Target version: -
% Done: 0%
Description
Steps to Reproduce
- Install and enable Suricata on one or more interfaces.
- In the Suricata settings, manually deactivate specific rulesets, e.g.:
  - app-layer-events.rules
  - decoder-events.rules
  - stream-events.rules
  - tls-events.rules
- Perform a firmware upgrade of pfSense to a new release (tested on 25.07 to 25.07.1).
- After reboot, check if the deactivated rules are active.
Actual Result
- Rulesets that the administrator explicitly deactivated are re-enabled automatically after the firmware upgrade.
- This results in unwanted rules being applied, additional CPU load, and possible traffic blocking.
Expected Result
- Suricata should preserve the administrator’s configuration across firmware upgrades.
- Deactivated rulesets should remain deactivated after upgrade, with no unexpected changes.
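
A check for the last reproduction step, added here as an example (it is not part of the original report or of the pfSense/Suricata package code): it compares a config.xml backup taken before the upgrade with one taken after it and lists, per interface, the rulesets that became enabled. The XML layout (`installedpackages/suricata/rule` with a `||`-separated `rulesets` string), the function names and the sample configs are assumptions; confirm the layout against your own backup.

```python
import xml.etree.ElementTree as ET

# ASSUMPTION (not stated in the bug report): each Suricata interface is a
# <rule> element under installedpackages/suricata in config.xml, and its
# enabled categories are a "||"-separated string in <rulesets>.
RULE_PATH = "./installedpackages/suricata/rule"
DELIM = "||"

def enabled_rulesets(config_xml):
    """Map interface name -> set of enabled ruleset file names."""
    root = ET.fromstring(config_xml)
    result = {}
    for rule in root.findall(RULE_PATH):
        iface = (rule.findtext("interface") or "unknown").strip()
        raw = rule.findtext("rulesets") or ""
        result[iface] = {r.strip() for r in raw.split(DELIM) if r.strip()}
    return result

def reenabled(before_xml, after_xml, must_stay_off=None):
    """Rulesets enabled after the upgrade that were not enabled before it."""
    before = enabled_rulesets(before_xml)
    after = enabled_rulesets(after_xml)
    drift = {}
    for iface, now_on in after.items():
        if iface not in before:
            continue  # interface has no pre-upgrade baseline to compare with
        came_back = now_on - before[iface]
        if must_stay_off is not None:
            came_back &= set(must_stay_off)  # only the admin's explicit list
        if came_back:
            drift[iface] = sorted(came_back)
    return drift

# Constructed sample configs (not real backups): WAN regains the four event
# rulesets named in the report, LAN is unchanged.
_TPL = ("<pfsense><installedpackages><suricata>"
        "<rule><interface>wan</interface><rulesets>{wan}</rulesets></rule>"
        "<rule><interface>lan</interface><rulesets>{lan}</rulesets></rule>"
        "</suricata></installedpackages></pfsense>")
KEPT = "emerging-malware.rules||emerging-scan.rules"
OFF = ("app-layer-events.rules||decoder-events.rules||"
       "stream-events.rules||tls-events.rules")
BEFORE = _TPL.format(wan=KEPT, lan=KEPT)
AFTER = _TPL.format(wan=KEPT + DELIM + OFF, lan=KEPT)

if __name__ == "__main__":
    for iface, names in reenabled(BEFORE, AFTER).items():
        print(f"{iface}: re-enabled after upgrade -> {', '.join(names)}")
```
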