Project

General

Profile

Actions

Bug #8440

closed

Suricata 4.0.4_1 disablesid.conf does not disable rule?

Added by Raffi T over 6 years ago. Updated over 6 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
Category:
Suricata
Target version:
-
Start date:
04/06/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.4.3
Affected Plus Version:
Affected Architecture:
amd64

Description

I'm not sure if this started in Suricata 4.0.4_1, but I recently found a rule in my disablesid.conf which was still triggering an alert/block of the traffic with the GID:SID 1:2018959. This may not be limited to that specific GID:SID but that is the one I have triggering on my network when it should not be. Adding the rule to the suppress list seems to be an alternate solution in the meantime.


Files

Active Rules.JPG (18.2 KB) Active Rules.JPG auto disabled by sid mgmt Raffi T, 04/06/2018 10:14 AM
disablesid.JPG (108 KB) disablesid.JPG disablesid file showing the rule Raffi T, 04/06/2018 10:14 AM
SID log.JPG (59.2 KB) SID log.JPG SID log showing the disablesid is applied Raffi T, 04/06/2018 10:15 AM
Actions #1

Updated by Raffi T over 6 years ago

This is not a bug. The rule being triggered was a flowbit rule. Therefore, the disablesid.conf could not disable the rule. The solution was to suppress the rule.

Actions #2

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Not a Bug
Actions

Also available in: Atom PDF