Block Suricata Rules

Started by Sundial, July 08, 2016, 03:29:29 AM

I just installed a fresh copy of 16.7.r1 in a small production environment.  I'm testing out the Suricata Intrusion Detection feature.  I currently have it set up to alert and not drop anything so that I can gather some information for tuning before I drop.  However, when I disable a rule in the "Rules" tab by unchecking the "Enabled" box for the rule, I still keep getting alerts.  Even after a reboot, the rule is still unchecked but the alert for that rule keeps happening.  Any advice would be appreciated.

I'm not sure what was happening the first time, but since the last Rule download and update everything appears to work as I would expect.  I can now manually disable a rule and it actually appears to disable.

If that should happen again, please let us know.

Hi Sundial,
I have just tested this and it seems to be OK on my OPNsense VM.
Just to double check: after changing the rules from drop to alert, you have to download the rules again and apply them.
DEC4240 – OPNsense Owner

Not any more.  I downloaded the rules initially and then, after getting lots of alerts, I tried to disable them (including clicking Apply on the Rules tab).  The rules never seemed to "Apply".  Then I manually downloaded the rules again.  After the second manual download everything is working like I'd expect, and I can't repeat the "bad" behavior or explain it.  During the bad times, I was having some random, intermittent web interface issues (it would freeze or have extra long pauses and sometimes require restarting... and yes, I was very patient, waiting several minutes... and the machine is a quad core i3 with 4GB RAM and an SSD).  Perhaps the web interface issues are the real culprit.  However, almost all of those issues are gone now even though I haven't really changed anything, but I did reboot a few times.  I'm sorry I can't provide real diagnostic information, but everything has been working as I'd expect for over a day now.