Hello,
Here’s a brief explanation of my problem:
It appears that ever since I created a custom rule file yesterday, any new rules I put in my ‘disable.conf’ file seem to be ignored - I still receive alerts for the new rules I put in there.
Here’s a more detailed explanation:
I’ve been happily running what I’m guessing is a pretty basic/simple Suricata box, in IDS mode for several weeks now. However, I’m brand new to Suricata so I don’t know much. Anyway, I’ve been only using the default ruleset, the Emerging Threats ruleset all this time. There are several different alerts that I did not want to see anymore, so I just put their corresponding signature IDs in the disable.conf file, and run suricata-update, and happily I never see those alerts anymore.
However, a couple of days ago, I set out to create my own rules, so I set up a new file:
/var/lib/suricata/rules/local.rules
I edited my suricata.yaml file to include that new rules file.
At first I thought my new rules weren’t working, and even posted a post here, but then realized that it just took a while for it to take effect it seemed. This was yesterday.
After that (and unrelated), I decided to disable a couple more rules (from the Emerging Threats ruleset still of course), so added those 2 rules to the disable.conf file, and ran suricata-update as I’ve always been doing. However, I still got alerts for those. I thought OK, maybe it’s just going to take a while for it to take effect, but I still got the alerts over an hour later. So just for the heck of it I ran suricata-update again. Still got the alerts.
So then I decided to remove the 2 new alerts (2027865 & 2034098 to be exact), run suricata-update, enter them back into disable.conf, then run suricata-update again. Still, I kept getting the alerts.
To my unqualified eye, it appears that Suricata is in fact disabling the rules according to the output of suricata-update. Here is a snippet of the suricata-update without the 2 additional rules in the disable.conf:
19/10/2022 -- 11:32:47 - <Info> -- Loaded 36219 rules.
19/10/2022 -- 11:32:49 - <Info> -- Disabled 49 rules.
19/10/2022 -- 11:32:49 - <Info> -- Enabled 0 rules.
19/10/2022 -- 11:32:49 - <Info> -- Modified 0 rules.
19/10/2022 -- 11:32:49 - <Info> -- Dropped 0 rules.
19/10/2022 -- 11:32:49 - <Info> -- Enabled 131 rules for flowbit dependencies.
19/10/2022 -- 11:32:49 - <Info> -- Backing up current rules.
Note the 49 disabled rules. Then after I put them back in the disable.conf file, here’s a snippet of suricata-update:
19/10/2022 -- 11:34:46 - <Info> -- Loaded 36219 rules.
19/10/2022 -- 11:34:48 - <Info> -- Disabled 51 rules.
19/10/2022 -- 11:34:48 - <Info> -- Enabled 0 rules.
19/10/2022 -- 11:34:48 - <Info> -- Modified 0 rules.
19/10/2022 -- 11:34:48 - <Info> -- Dropped 0 rules.
19/10/2022 -- 11:34:48 - <Info> -- Enabled 131 rules for flowbit dependencies.
19/10/2022 -- 11:34:48 - <Info> -- Backing up current rules.
Note the 51 disabled rules now (looks like my 2 new rules are being seen and counted). So everything seems right, yeah?
So then I just thought OK, maybe my system is slower than I thought, so I’ll just wait overnight and see what happens. But sure enough, this morning I received alerts from 2027865 (again, one of the 2 rules that I just disabled).
Just to be clear, it seems that all of the rules that I had in disable.conf since before yesterday still seem to be properly ignored (no alerts), but the 2 new ones that I put in disable.conf after setting up the 2nd/local rules file are being ignored - I still receive alerts for them.
So is there some kind of relation to setting up that 2nd rules file and the disable.conf file? Or is it just coincidence? Did I inadvertently goof something up somehow?
Again, being a newbie, maybe it’s a totally simple answer, but I have no idea what to check now, so am hoping someone can help out a bit.
Thank you for reading my long post if you’ve gotten this far!
Jamie
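A check that helps with this kind of question, added here as an example and not part of the original post or of the Suricata project: suricata-update only rewrites its output file (by default /var/lib/suricata/rules/suricata.rules, where a disabled rule is kept but commented out with a leading `#`). The running Suricata does not pick that up until its ruleset is reloaded or the process restarts, and it loads every file listed under `rule-files:` in suricata.yaml, so an enabled copy of the same sid in any other listed file is still live. The script below reads a disable.conf (plain `sid` and `gid:sid` lines plus `re:` patterns, as suricata-update understands them) and the contents of each rule file Suricata loads, and reports which disabled sids still appear as enabled rules and in which file. The rule files and disable.conf are constructed samples; the stale second download file is a hypothetical illustration, and the only sids taken from the post are 2027865 and 2034098.

```python
"""Audit which sids from disable.conf are still enabled in the rule files Suricata loads.

Hypothetical helper (not part of suricata-update); sample inputs are constructed.
"""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTIONS = {"alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth"}


def parse_disable_conf(text):
    """Return (set of explicit sids, list of compiled 're:' patterns).

    Handles 'sid', 'gid:sid' and 're:<regex>' lines; 'group:' lines are skipped here.
    """
    sids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blanks
        if not line:
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line[3:].strip()))
        elif line.startswith("group:"):
            continue
        else:
            m = re.fullmatch(r"(?:\d+:)?(\d+)", line)
            if m:
                sids.add(int(m.group(1)))
    return sids, patterns


def parse_rule_line(line):
    """Return (enabled, sid, rule_text) for a rule line, or None for blanks and plain comments.

    A rule that suricata-update disabled is written as '# alert ...', so a leading '#'
    followed by a rule action means 'present but disabled'.
    """
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    if body.split(None, 1)[0] not in ACTIONS:
        return None                      # ordinary comment, not a commented-out rule
    m = SID_RE.search(body)
    if not m:
        return None
    return enabled, int(m.group(1)), body


def audit(disable_conf, rule_files):
    """rule_files maps file name -> contents, one entry per file under rule-files: in suricata.yaml.

    Returns {'still_active': {sid: [files with an enabled copy]}, 'not_found': [sids]}.
    """
    sids, patterns = parse_disable_conf(disable_conf)
    occurrences = {}                     # sid -> list of (file, enabled)
    for name, text in rule_files.items():
        for line in text.splitlines():
            parsed = parse_rule_line(line)
            if parsed is None:
                continue
            enabled, sid, body = parsed
            if any(p.search(body) for p in patterns):
                sids.add(sid)            # 're:' patterns match against the rule text
            occurrences.setdefault(sid, []).append((name, enabled))
    still_active, not_found = {}, []
    for sid in sorted(sids):
        occ = occurrences.get(sid, [])
        if not occ:
            not_found.append(sid)
            continue
        active = [name for name, enabled in occ if enabled]
        if active:
            still_active[sid] = active
    return {"still_active": still_active, "not_found": not_found}


# Constructed sample inputs (not real Emerging Threats rules).
DISABLE_CONF = """\
# constructed disable.conf
2027865
2034098
1:2000003
"""

RULE_FILES = {
    "/var/lib/suricata/rules/suricata.rules": """\
# alert tcp any any -> any any (msg:"CONSTRUCTED rule one"; sid:2027865; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED rule two"; sid:2034098; rev:1;)
alert tcp any any -> any any (msg:"CONSTRUCTED rule three"; sid:2000001; rev:1;)
""",
    # Hypothetical: an older rule download that is still listed in suricata.yaml.
    "/etc/suricata/rules/stale-download.rules": """\
alert tcp any any -> any any (msg:"CONSTRUCTED rule one (old copy)"; sid:2027865; rev:1;)
""",
    "/var/lib/suricata/rules/local.rules": """\
alert tcp any any -> any any (msg:"CONSTRUCTED local rule"; sid:1000001; rev:1;)
""",
}


if __name__ == "__main__":
    report = audit(DISABLE_CONF, RULE_FILES)
    for sid, files in report["still_active"].items():
        print(f"sid {sid} is still enabled in: {', '.join(files)}")
    for sid in report["not_found"]:
        print(f"sid {sid} is in disable.conf but in no loaded rule file")
```

On a real box, replace the constructed dictionary with the files named under `rule-files:` in suricata.yaml. If every disabled sid shows up only as a commented-out line, the remaining question is whether the running Suricata has reloaded its ruleset since suricata-update last ran, which is a separate step from writing the file.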