Hello, I’ve noticed that Suricata by default deactivates some rules, so I got interested in activating all rules to have better responses to attacks. Then I wrote re:sid:.+ in enable.conf to activate all rules, but I found errors related to some specif rules, which I tried to deactivate without sucess. My question is: How to activate all rules of Suricata, with some exceptions, defined by the sid? I succeeded to do this a time ago, writing a set of rules to be activated in enable.conf with execptions (something similar to re:sid:([0-3000000]?!28|29|30)-\d+). However, I’ve lost the configuration I created due to the recent Suricata update. Any help in this sense would be greatly appreciated.
I don’t have a direct answer to your question, but I’d be interested in knowing what some the errors are when they are all enabled, if there are some common issues that can be fixed up in rules, that seems like a problem worth solving.
I should have made it clearer on the first post, but I would like to know how to activate and deactivate rules by sid not only to solve the errors found, but also to be able to choose which rules to use and how to apply specific exceptions. However, I am also interested in solving these errors.
Initially, I noticed errors related to the protocols dnp3, modbus,enip,pgsql, but I managed to deal with this issue by activating these protocols on suricata.yaml file.
However, I’ve also encountered some errors related to the rules that have the sid’s 28,29 and 30, that you can see on the image. I am using Suricata 7.0.4 in ubuntu 22.04.
You should be able to put the sids in your disable.conf:
https://suricata-update.readthedocs.io/en/latest/update.html#example-configuration-to-disable-rules-disable-conf
I understand that the files enable.conf and disable.conf are files used to manage which rules are used, however, it seems that enable.conf has a greater priority over disable.conf. I wrote re:sid:.+ in enable.conf, activating all of the rules, and then I executed a test after writing the numbers 28,29 and 30 in disable.conf, yet the rules with these sid’s were activated.
I performed other tests which showed me that these files are correctly working to enable and disable rules, however, in this specific case mentioned, i believe that there is an issue of priority of files.
Considering that, I would like to know whether it is possible to manage the activation and deactivation of rules only using the enable.conf file.
Can you provide your enable.conf and disable.conf so we could try to reproduce it?