OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: rabievdm on January 14, 2019, 09:59:53 am

Title: 18.7.10 Suricata remove rules
Post by: rabievdm on January 14, 2019, 09:59:53 am
I'm on 18.7.10 and took PT Research for a spin a while back on a non-commercial box (home :) )
Recently I started having issues with one of my internal servers that runs certbot (LetsEncrypt), and all my certificate renewals are being detected as MALWARE.
As I change a rule, another one pops up.

I first tried going to the Download tab, selecting PT Research and changing it from Drop to Alert; this seems not to have made any changes (when checking the Rules tab and the Alerts tab it is still set to Drop and gets dropped). Going to the Rules tab, listing them all, selecting them and then clicking on the little unselect button on the bottom left seems to make no change.
Then, removing PT Research via System > Firmware > Plugins, it uninstalls, but the rules are still in the rulebase.

So the primary question is how to remove the rules (not just disable them)? But then why do the options to bulk update not work either?
Title: Re: 18.7.10 Suricata remove rules
Post by: MakesSense on January 14, 2019, 10:08:08 am
Hi,

I found that to remove the rules you have to delete them manually in:

/usr/local/etc/suricata/opnsense.rules/

When I remove them through the web GUI, it only removes the copy of the rules inside /usr/local/etc/suricata/rules/.

Then restart suricata and the deleted rules should be gone from the list in the web GUI.
Title: Re: 18.7.10 Suricata remove rules
Post by: guest19757 on January 14, 2019, 03:45:28 pm
Hello there,

Out of curiosity, while I haven't tested this, did you click 'Apply' on the settings page? I know this doesn't seem intuitive, but I find changes aren't applied until you click 'Apply' so the appropriate files can be regenerated.

Regards
Title: Re: 18.7.10 Suricata remove rules
Post by: rabievdm on January 14, 2019, 08:42:44 pm
Hi,

Yes, I did try Apply, but in the end I did exactly that: I deleted the rules files from:
/usr/local/etc/suricata/opnsense.rules/
/usr/local/etc/suricata/rules/
AND for good measure I also saw that it was referenced in:
/usr/local/etc/suricata/installed_rules.yaml
So I edited the entry, restarted suricata and they were gone!

Thanks for the feedback!
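The manual clean-up described in the last post, as an added example script that is not from the thread or from OPNsense itself: it deletes one rule file from both directories named above, drops its references from installed_rules.yaml, checks that nothing is left behind and restarts the service. The rule file name ptresearch.rules, the assumption that installed_rules.yaml references the file by name on its own line, and the configctl ids restart command are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: remove one downloaded rule file the way
# the last post describes. Directory and file paths are the ones named in the
# thread; the rule file name, the yaml line format and the restart command are
# assumptions for illustration only.
set -eu

SURICATA_DIR="${SURICATA_DIR:-/usr/local/etc/suricata}"

# 0 if any copy of the rule file is still on disk, 1 otherwise
ruleset_present() {
    base="$1"; rule="$2"
    [ -e "$base/opnsense.rules/$rule" ] || [ -e "$base/rules/$rule" ]
}

# remove both copies (master in opnsense.rules/, active copy in rules/) and
# drop every line that references the file from installed_rules.yaml
remove_ruleset() {
    base="$1"; rule="$2"
    rm -f "$base/opnsense.rules/$rule" "$base/rules/$rule"
    yaml="$base/installed_rules.yaml"
    if [ -f "$yaml" ]; then
        cp "$yaml" "$yaml.bak"                          # keep a copy of the original
        # assumed: the yaml lists the rule file by name; grep exits 1 when no line is left
        grep -v -F -- "$rule" "$yaml" > "$yaml.tmp" || true
        mv "$yaml.tmp" "$yaml"
    fi
    # fail if a copy survived (e.g. a directory was not writable)
    ruleset_present "$base" "$rule" && return 1
    return 0
}

# restart Suricata so the rule list shown in the web GUI is rebuilt
# (assumed OPNsense command; "service suricata restart" is the plain FreeBSD way)
restart_ids() {
    configctl ids restart
}

# usage:  SURICATA_DIR=/usr/local/etc/suricata sh remove_ruleset.sh ptresearch.rules
if [ "$#" -gt 0 ]; then
    remove_ruleset "$SURICATA_DIR" "$1" && restart_ids
fi
```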