Bug #8440
Suricata 4.0.4_1 disablesid.conf does not disable rule?
Status: closed
Start date: 04/06/2018
% Done: 0%
Affected Version: 2.4.3
Affected Architecture: amd64
Description
I'm not sure if this started in Suricata 4.0.4_1, but I recently found a rule in my disablesid.conf which was still triggering an alert/block of the traffic with the GID:SID 1:2018959. This may not be limited to that specific GID:SID but that is the one I have triggering on my network when it should not be. Adding the rule to the suppress list seems to be an alternate solution in the meantime.
Updated by Raffi T over 6 years ago
This is not a bug. The rule being triggered was a flowbit rule. Therefore, the disablesid.conf could not disable the rule. The solution was to suppress the rule.
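A way to spot this situation before it causes confusion, as an added example that is not part of the original ticket or of the Suricata package: the script lists SIDs from a disablesid.conf that set a flowbit which a still-enabled rule checks, and prints the matching `suppress` line for each. The rule text and list contents are constructed samples. The disablesid.conf format handled here (bare `sid` or `gid:sid`, comma or newline separated) and the premise that such flowbit-setting rules stay loaded are assumptions.

```python
import re

# Constructed sample rules (not real signatures); SID 2018959 is the one from the report.
RULES = r'''
alert http any any -> any any (msg:"constructed setter"; flowbits:set,demo.dl; sid:2018959; rev:1;)
alert http any any -> any any (msg:"constructed checker"; flowbits:isset,demo.dl; sid:9000001; rev:1;)
alert dns any any -> any any (msg:"constructed standalone"; sid:9000002; rev:1;)
'''

# Constructed disablesid.conf content (assumed format: "gid:sid" or bare sid).
DISABLESID = """
# local tuning
1:2018959, 1:9000002
"""

def parse_disabled(text):
    """Return the set of (gid, sid) pairs listed in a disablesid.conf."""
    sids = set()
    for line in text.splitlines():
        for tok in re.split(r"[,\s]+", line.split("#", 1)[0]):
            m = re.fullmatch(r"(?:(\d+):)?(\d+)", tok)
            if m:
                sids.add((int(m.group(1) or 1), int(m.group(2))))
    return sids

def parse_rules(text):
    """Map (gid, sid) -> (flowbits the rule sets, flowbits the rule checks)."""
    rules = {}
    for line in text.splitlines():
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if not sid or line.lstrip().startswith("#"):
            continue
        gid = re.search(r"\bgid:\s*(\d+)\s*;", line)
        bits = re.findall(r"flowbits:\s*(\w+)\s*,\s*([^;]+);", line)
        sets = {n.strip() for op, n in bits if op in ("set", "toggle")}
        checks = {n.strip() for op, n in bits if op in ("isset", "isnotset")}
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = (sets, checks)
    return rules

def flowbit_dependencies(rules, disabled):
    """Disabled rules whose flowbits an enabled rule still checks, with a suppress line."""
    needed = set()
    for key, (_, checks) in rules.items():
        if key not in disabled:
            needed |= checks
    return {k: "suppress gen_id %d, sig_id %d" % k
            for k in sorted(disabled) if k in rules and rules[k][0] & needed}

if __name__ == "__main__":
    for key, line in flowbit_dependencies(parse_rules(RULES), parse_disabled(DISABLESID)).items():
        print(key, "->", line)
```
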