pfSense » pfSense Packages

Thank you for workaround and detailed example (and I'm aware that only certain entries in the "disablesid.conf" file related to this), but in my situation, I don't believe that will work.

"SID management" is a global level control, affecting all Interfaces. So for handling rule "Categories", that would be fine if there is only one interface, or if one doesn't want certain rule categories in any interface.

In my case, I have two interfaces, one interface configured for blocking (with threat-type rule categories), the other configured for informational purposes (with informational-type rule categories, mostly the suricata "Ruleset: Default Rules"). So I need the categories in that ruleset disabled in my blocking interface, and enabled in my informational interface - I presume that is why suricata has an interface-level "Categories" tab within each interface, so we can specify which interface uses (ideally uniquely) each rule category from the globally available rulesets.

For me, the only workaround is to hopefully remember, after an update, to go into the interface I used for blocking, and manually disable those categories again, with the other interface being fine as they are meant to be enabled there anyway. The enabled/disabled settings for all other rulesets and categories are remembered (after an update).

I would suggest/request that suricata be modified to do the same for it's own "Ruleset: Default Rules", as having an update change a users configuration without warning is not generally a good thing.

Thanks for the reply/help