Topic: Suricata and odd behavior when changing certain rules


drewsaur (Jr. Member)
Suricata and odd behavior when changing certain rules
« on: November 30, 2017, 09:41:29 am »
Hello,

Occasionally, when I disable a rule's "drop" parameter or disable rules using my SID files in Suricata, the rule still blocks traffic for a while, even for rules that have no flowbits set. It's as if the complex underlying calculated rules take several minutes to update accordingly, even though the updates show in the UI (e.g., they are changed to "Alert Only" or show as disabled in the UI).

Again, these are for rules with no flowbit involvement.

There are occasionally times when I do something that causes rules to completely reload, and then the behavior finally catches up and the blocks for those rules stop. I sometimes try running the "reset all" feature on the rules portion of the Interface tabs, but that doesn't always do the trick.

Is there something that I should be doing to force an under-the-hood ruleset recalculation after I make SID file changes to ensure that the system catches up more quickly?

FWIW, a reboot of my box did NOT help! I also verified that I have only one Suricata instance running (saw that in another post).

FYI I had this most egregiously when I toyed around with drops in the four Snort "Indicator" rulesets. Even when I commented the four rulesets out completely in my drops SID file (I really want alerts only with these rules anyway), the rules kept doing drops, and the rules in question had NO flowbit involvement. I eventually just disabled the rules altogether, but I STILL got some blocks after completely disabling the rules (again, no flowbits). After a while, things caught up and settled down, but, wow...

Anyway, thanks for any help anyone can provide with a way to mitigate this. It seems that I am missing something, and cannot wait to be enlightened. Thanks again.

bmeeks (Hero Member)
Re: Suricata and odd behavior when changing certain rules
« Reply #1 on: November 30, 2017, 05:58:36 pm »
When you are making changes on the SID MGMT tab, if you want those changes to be seen by the running IDS (Snort or Suricata) without a restart, you must check the checkbox at the bottom of the page on the left that says "Rebuild" (or something like that, can't remember the exact wording off the top of my head).  That will force the IDS to live-reload the entire ruleset.

Depending on how many rules you have enabled, this may take some time. The less RAM you have or the slower your CPU, the longer it may take. On a powerhouse server box it might take 10 - 20 seconds, but on a less capable small footprint device it could be a couple of minutes potentially.

Bill
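
The mechanism Bill describes is a rebuild of the on-disk ruleset from the SID management lists, followed by a live reload. As an added illustration (not code from the thread, pfSense, or Suricata), the script below applies a drop list and a disable list to a rules file the way such a rebuild does, and then checks that the rewritten file actually matches what the lists asked for, which is the check to run before trusting what the UI shows. The rules, SIDs and list contents are constructed, and the list format (one `GID:SID` or `SID` per line, `#` comments) is a simplified assumption about the real SID MGMT file format. It also flags rules that use flowbits, since those are the ones the original poster singled out as behaving differently.

```python
import re

# Constructed sample rules file (not from the thread); SIDs are made up.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE one"; flow:established; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE two"; flowbits:set,ex.seen; noalert; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE three"; flowbits:isset,ex.seen; sid:9000003; rev:2;)
# alert udp any any -> any 53 (msg:"EXAMPLE four, already disabled"; sid:9000004; rev:1;)
"""

# Constructed SID lists in an assumed, simplified "GID:SID" / "SID" line format.
DROPSID_LIST = "# rules that should drop instead of alert\n1:9000001\n9000003\n"
DISABLESID_LIST = "9000003\n"

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ACTION_RE = re.compile(r'^(#\s*)?(alert|drop|pass|reject)\b')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:')


def parse_sid_list(text):
    """Return the set of SIDs named in a SID-list file; '#' starts a comment."""
    sids = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(?:\d+:)?(\d+)', line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def apply_sid_management(rules_text, drop_sids, disable_sids):
    """Rewrite a rules file: disable wins over drop; drop only touches enabled rules."""
    out = []
    for line in rules_text.splitlines():
        sid_m = SID_RE.search(line)
        act_m = ACTION_RE.match(line)
        if not sid_m or not act_m:
            out.append(line)          # blank line, comment or unrecognised line: keep as-is
            continue
        sid = int(sid_m.group(1))
        commented = act_m.group(1) is not None
        if sid in disable_sids:
            if not commented:
                line = '# ' + line    # disabling means commenting the rule out
        elif sid in drop_sids and not commented:
            line = ACTION_RE.sub('drop', line, count=1)  # replace the action keyword only
        out.append(line)
    return '\n'.join(out) + '\n'


def summarize(rules_text):
    """Map SID -> (enabled, action, uses_flowbits) for every rule line found."""
    summary = {}
    for line in rules_text.splitlines():
        sid_m = SID_RE.search(line)
        act_m = ACTION_RE.match(line)
        if sid_m and act_m:
            summary[int(sid_m.group(1))] = (
                act_m.group(1) is None, act_m.group(2), bool(FLOWBITS_RE.search(line)))
    return summary


def verify_intent(rules_text, drop_sids, disable_sids):
    """Return the SIDs whose on-disk state does not match the SID lists."""
    state = summarize(rules_text)
    mismatches = []
    for sid in disable_sids:
        if sid in state and state[sid][0]:            # should be disabled but is enabled
            mismatches.append(sid)
    for sid in drop_sids - disable_sids:
        if sid in state and state[sid][0] and state[sid][1] != 'drop':
            mismatches.append(sid)                    # enabled but still alerting
    return sorted(mismatches)


if __name__ == '__main__':
    drops, disables = parse_sid_list(DROPSID_LIST), parse_sid_list(DISABLESID_LIST)
    print('before rebuild, mismatched SIDs:', verify_intent(SAMPLE_RULES, drops, disables))
    rebuilt = apply_sid_management(SAMPLE_RULES, drops, disables)
    print('after rebuild, mismatched SIDs:', verify_intent(rebuilt, drops, disables))
    for sid, (enabled, action, fb) in sorted(summarize(rebuilt).items()):
        print(f'sid {sid}: enabled={enabled} action={action} flowbits={fb}')
```

Running `verify_intent` against the rules directory the IDS actually loads, rather than against the lists you edited, is what tells you whether the rebuild has happened; until the on-disk rules change and the engine reloads them, the engine keeps enforcing the old actions regardless of what the SID MGMT page displays.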

drewsaur (Jr. Member)
Re: Suricata and odd behavior when changing certain rules
« Reply #2 on: November 30, 2017, 06:07:39 pm »
Quote from: bmeeks on November 30, 2017, 05:58:36 pm
When you are making changes on the SID MGMT tab, if you want those changes to be seen by the running IDS (Snort or Suricata) without a restart, you must check the checkbox at the bottom of the page on the left that says "Rebuild" (or something like that, can't remember the exact wording off the top of my head). That will force the IDS to live-reload the entire ruleset.

Depending on how many rules you have enabled, this may take some time. The less RAM you have or the slower your CPU, the longer it may take. On a powerhouse server box it might take 10 - 20 seconds, but on a less capable small footprint device it could be a couple of minutes potentially.

Bill

THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!
« Last Edit: November 30, 2017, 06:12:47 pm by drewsaur »

bmeeks (Hero Member)
Re: Suricata and odd behavior when changing certain rules
« Reply #3 on: December 02, 2017, 02:31:01 pm »
Quote from: drewsaur on November 30, 2017, 06:07:39 pm
THANK YOU! I completely missed that. That key point is hidden via the "i" icon. I think they should leave that information visible by default!

Yeah, the default state of those "Information" icons is collapsed. I think that state was chosen in order to reduce clutter.

Bill