From ce87c2f68c40682c8dba5a047c504d4d4ab91b7e Mon Sep 17 00:00:00 2001
From: Stephan de Wit
Date: Fri, 2 Feb 2024 15:31:48 +0100
Subject: [PATCH] intrusion detection: behaviour change in suricata 7 [3]

Along with midstream-policy causing issues, livedev.use-for-tracking=true breaks IPS so disable it here.
ref: https://redmine.openinfosecfoundation.org/issues/6726
---
 src/opnsense/service/templates/OPNsense/IDS/suricata.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
index 7eafa218d..906edf60d 100644
--- a/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
+++ b/src/opnsense/service/templates/OPNsense/IDS/suricata.yaml
@@ -1216,6 +1216,12 @@ flow:
   vlan:
     use-for-tracking: true
 
+# This option controls the use of livedev ids in the flow (and defrag)
+# hashing. This is enabled by default and should be disabled if
+# multiple live devices are used to capture traffic from the same network
+livedev:
+  use-for-tracking: false
+
 # Specific timeouts for flows. Here you can specify the timeouts that the
 # active flows will wait to transit from the current state to another, on each
 # protocol. The value of "new" determine the seconds to wait after a handshake or
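Review bot: The three comment lines copied from upstream's default suricata.yaml now contradict the value underneath them — they say livedev tracking "is enabled by default and should be disabled if multiple live devices are used", while the template hard-codes `use-for-tracking: false` for every deployment, and the actual reason (it breaks IPS mode on Suricata 7, redmine issue 6726) lives only in the commit message. A maintainer reading the template alone will be tempted to restore the upstream default and silently reintroduce the IPS breakage. Replace or extend the copied comment with the rationale, e.g. `# OPNsense: forced to false because use-for-tracking=true breaks IPS mode on Suricata 7 (ref: redmine issue 6726)`. If the template already distinguishes IDS from IPS mode elsewhere, it may be worth gating this key on IPS mode so multi-interface IDS deployments keep the upstream flow-hashing behaviour, but that cannot be judged from this hunk.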