All of a sudden new entries in disable.conf being ignored

Hello,

Here’s a brief explanation of my problem:
It appears that ever since I created a custom rule file yesterday, any new rules I put in my ‘disable.conf’ file seem to be ignored - I still receive alerts for the new rules I put in there.

Here’s a more detailed explanation:
I’ve been happily running what I’m guessing is a pretty basic/simple Suricata box, in IDS mode for several weeks now. However, I’m brand new to Suricata so I don’t know much. Anyway, I’ve been only using the default ruleset, the Emerging Threats ruleset all this time. There are several different alerts that I did not want to see anymore, so I just put their corresponding signature IDs in the disable.conf file, and run suricata-update, and happily I never see those alerts anymore.

However, a couple of days ago, I set out to create my own rules, so I set up a new file:
/var/lib/suricata/rules/local.rules
I edited my suricata.yaml file to include that new rules file.
At first I thought my new rules weren’t working, and even posted a post here, but then realized that it just took a while for it to take effect it seemed. This was yesterday.
After that (and unrelated), I decided to disable a couple more rules (from the Emerging Threats ruleset still of course), so added those 2 rules to the disable.conf file, and ran suricata-update as I’ve always been doing. However, I still got alerts for those. I thought OK, maybe it’s just going to take a while for it take effect, but I still got the alerts over an hour later. So just for the heck of it I ran suricata-update again. Still got the alerts.

So then I decided to remove the 2 new alerts (2027865 & 2034098 to be exact), run suricata-update, enter them back into disable.conf, then run suricata-update again. Still, I kept getting the alerts.

To my unqualified eye, it appears that Suricata is in fact disabling the rules according to the output of suricata-update. Here is a snippet of the suricata-update without the 2 additional rules in the disable.conf:

19/10/2022 -- 11:32:47 - <Info> -- Loaded 36219 rules.
19/10/2022 -- 11:32:49 - <Info> -- Disabled 49 rules.
19/10/2022 -- 11:32:49 - <Info> -- Enabled 0 rules.
19/10/2022 -- 11:32:49 - <Info> -- Modified 0 rules.
19/10/2022 -- 11:32:49 - <Info> -- Dropped 0 rules.
19/10/2022 -- 11:32:49 - <Info> -- Enabled 131 rules for flowbit dependencies.
19/10/2022 -- 11:32:49 - <Info> -- Backing up current rules.

Note the 49 disabled rules. Then after I put them back in the disable.conf file, here’s a snippet of suricata-update:

19/10/2022 -- 11:34:46 - <Info> -- Loaded 36219 rules.
19/10/2022 -- 11:34:48 - <Info> -- Disabled 51 rules.
19/10/2022 -- 11:34:48 - <Info> -- Enabled 0 rules.
19/10/2022 -- 11:34:48 - <Info> -- Modified 0 rules.
19/10/2022 -- 11:34:48 - <Info> -- Dropped 0 rules.
19/10/2022 -- 11:34:48 - <Info> -- Enabled 131 rules for flowbit dependencies.
19/10/2022 -- 11:34:48 - <Info> -- Backing up current rules.

Note the 51 disabled rules now (looks like my 2 new rules are being seen and counted). So everything seems right, yeah?

So then I just thought OK, maybe my system is slower than I thought, so I’ll just wait overnight and see what happens. But sure enough, this morning I received alerts from 2027865 (again, one of the 2 rules that I just disabled).

Just to be clear, all of the rules that I had in disable.conf since before yesterday still seem to be properly ignored (no alerts), but the 2 new ones that I put in disable.conf after setting up the 2nd/local rules file are being ignored - I still receive alerts for them.

So is there some kind of relation to setting up that 2nd rules file and the disable.conf file? Or is it just coincidence? Did I inadvertently goof something up somehow?

Again, being a newbie, maybe it’s a totally simple answer, but I have no idea what to check now, so am hoping someone can help out a bit.

Thank you for reading my long post if you’ve gotten this far!

Jamie

Can you post your config files at least for the rule file parts?

So what could happen is for example, that suricata-update is updating your suricata.rules file but there is no rule-reload trigger for Suricata to reload the actual rule file. But I would grep 2027865 on the written rule file that suricata is actually using, to make sure it got removed. If it was removed, the reload was just missing. If not we would have to debug why it was not written.

Hi Andreas,

Ah yes, I forgot to mention that - I actually did grep /var/lib/suricata/rules/suricata.rules for 2027865 and the rule is indeed in there.

So here is a small section of my suricata.yaml file. I included a little before and after the rules area:

##
## Configure Suricata to load Suricata-Update managed rules.
##

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
  - local.rules

##
## Auxiliary configuration files.
##

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
# threshold-file: /etc/suricata/threshold.config

And just for the heck of it, here’s the last 10 lines of my: /etc/suricata/disable.conf file:

2035463
2221010
2020899
2025883
2029022
2030093
2002878
2027865
2034098

I have a blank line at the bottom, but I’m pretty sure I’ve always had that, and I’ve tried taking it out at one point, but didn’t seem to matter.

So it must be related to suricata-update. Which version of suricata-update are you running, and how? There must be something missing that would overwrite the rules file, I guess.

I just run suricata-update from the command line manually:

sudo suricata-update

Here’s the output from running:
sudo suricata-update -v

21/10/2022 -- 07:48:04 - <Debug> -- This is suricata-update version 1.2.5 (rev: None); Python: 3.10.6 (main, Aug 10 2022, 11:40:04) [GCC 11.3.0]
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value subcommand -> update
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value verbose -> True
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value version -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value force -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value url -> []
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value no-ignore -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value dump-sample-configs -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value etopen -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value no-reload -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value no-merge -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value offline -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value fail -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value now -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value disable -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value enable -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value modify -> False
21/10/2022 -- 07:48:04 - <Debug> -- Setting configuration value drop -> False
21/10/2022 -- 07:48:04 - <Debug> -- Found suricata at /usr/bin/suricata
21/10/2022 -- 07:48:05 - <Info> -- Using data-directory /var/lib/suricata.
21/10/2022 -- 07:48:05 - <Debug> -- Looking for /etc/suricata/disable.conf
21/10/2022 -- 07:48:05 - <Debug> -- Found /etc/suricata/disable.conf
21/10/2022 -- 07:48:05 - <Debug> -- Changing default for disable-conf to /etc/suricata/disable.conf
21/10/2022 -- 07:48:05 - <Debug> -- Looking for /etc/suricata/enable.conf
21/10/2022 -- 07:48:05 - <Debug> -- Looking for /etc/suricata/drop.conf
21/10/2022 -- 07:48:05 - <Debug> -- Looking for /etc/suricata/modify.conf
21/10/2022 -- 07:48:05 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
21/10/2022 -- 07:48:05 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
21/10/2022 -- 07:48:05 - <Info> -- Found Suricata version 6.0.8 at /usr/bin/suricata.
21/10/2022 -- 07:48:05 - <Info> -- Loading /etc/suricata/disable.conf.
21/10/2022 -- 07:48:05 - <Info> -- Loading /etc/suricata/suricata.yaml
21/10/2022 -- 07:48:05 - <Info> -- Disabling rules for protocol http2
21/10/2022 -- 07:48:05 - <Info> -- Disabling rules for protocol modbus
21/10/2022 -- 07:48:05 - <Info> -- Disabling rules for protocol dnp3
21/10/2022 -- 07:48:05 - <Info> -- Disabling rules for protocol enip
21/10/2022 -- 07:48:05 - <Info> -- No sources configured, will use Emerging Threats Open
21/10/2022 -- 07:48:05 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-6.0.8/emerging.rules.tar.gz.
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
21/10/2022 -- 07:48:05 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/app-layer-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/decoder-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/dhcp-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/dnp3-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/dns-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/files.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/http-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/ipsec-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/kerberos-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/modbus-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/nfs-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/ntp-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/smb-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/smtp-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/stream-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing /etc/suricata/rules/tls-events.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/3coresec.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/botcc.portgrouped.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/botcc.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/ciarmy.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/compromised.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/drop.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/dshield.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-activex.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-adware_pup.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-attack_response.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-chat.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-coinminer.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-current_events.rules
21/10/2022 -- 07:48:05 - <Info> -- Ignoring file rules/emerging-deleted.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-dns.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-dos.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-exploit.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-exploit_kit.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-ftp.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-games.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-hunting.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-icmp.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-icmp_info.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-imap.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-inappropriate.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-info.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-ja3.rules
21/10/2022 -- 07:48:05 - <Debug> -- Parsing rules/emerging-malware.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-misc.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-mobile_malware.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-netbios.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-p2p.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-phishing.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-policy.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-pop3.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-rpc.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-scada.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-scan.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-shellcode.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-smtp.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-snmp.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-sql.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-telnet.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-tftp.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-user_agents.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-voip.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-web_client.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-web_server.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-web_specific_apps.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/emerging-worm.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/threatview_CS_c2.rules
21/10/2022 -- 07:48:06 - <Debug> -- Parsing rules/tor.rules
21/10/2022 -- 07:48:07 - <Info> -- Loaded 36286 rules.
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2260000] SURICATA Applayer Mismatch protocol both directions
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2260001] SURICATA Applayer Wrong direction first Data
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2260002] SURICATA Applayer Detect protocol only one direction
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2200036] SURICATA TCP option invalid length
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2200074] SURICATA TCPv4 invalid checksum
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2270000] SURICATA DNP3 Request flood detected
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2270001] SURICATA DNP3 Length too small
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2270002] SURICATA DNP3 Bad link CRC
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2270003] SURICATA DNP3 Bad transport CRC
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2270004] SURICATA DNP3 Unknown object
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2221010] SURICATA HTTP unable to match response to request
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2221021] SURICATA HTTP response header invalid
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2221017] SURICATA HTTP invalid response field folding
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250001] SURICATA Modbus invalid Protocol version
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250002] SURICATA Modbus unsolicited response
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250003] SURICATA Modbus invalid Length
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250004] SURICATA Modbus invalid Unit Identifier
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250005] SURICATA Modbus invalid Function code
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250006] SURICATA Modbus invalid Value
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250007] SURICATA Modbus Exception code invalid
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250008] SURICATA Modbus Data mismatch
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2250009] SURICATA Modbus Request flood detected
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2220000] SURICATA SMTP invalid reply
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210007] SURICATA STREAM 3way handshake SYNACK with wrong ack
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210016] SURICATA STREAM CLOSEWAIT FIN out of window
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210038] SURICATA STREAM FIN out of window
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210042] SURICATA STREAM TIMEWAIT ACK with wrong seq
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210044] SURICATA STREAM Packet with invalid timestamp
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210045] SURICATA STREAM Packet with invalid ack
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210046] SURICATA STREAM SHUTDOWN RST invalid ack
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210050] SURICATA STREAM reassembly overlap with different data
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2210054] SURICATA STREAM excessive retransmissions
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2020899] ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2025883] ET EXPLOIT MVPower DVR Shell UCE
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2034098] ET HUNTING Observed AutoDesk Domain in TLS SNI (api .autodesk .com)
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2029340] ET INFO TLS Handshake Failure
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2036220] ET INFO Android Device Connectivity Check
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2027865] ET INFO Observed DNS Query to .cloud TLD
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2025275] ET INFO Windows OS Submitting USB Metadata to Microsoft
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2031071] ET INFO Microsoft Connection Test
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2035463] ET INFO Observed Discord Domain (discord .com in TLS SNI)
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2035464] ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2035466] ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2035465] ET INFO Observed Discord Domain in DNS Lookup (discord .com)
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2027397] ET POLICY Spotify P2P Client
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2002878] ET POLICY iTunes User Agent
21/10/2022 -- 07:48:07 - <Debug> -- Disabling: [1:2013504] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
21/10/2022 -- 07:48:08 - <Debug> -- Disabling: [1:2012647] ET POLICY Dropbox.com Offsite File Backup in Use
21/10/2022 -- 07:48:08 - <Debug> -- Disabling: [1:2030093] ET SCAN JAWS Webserver Unauthenticated Shell Command Execution
21/10/2022 -- 07:48:08 - <Debug> -- Disabling: [1:2029022] ET SCAN Mirai Variant User-Agent (Inbound)
21/10/2022 -- 07:48:08 - <Debug> -- Disabling: [1:2027390] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
21/10/2022 -- 07:48:08 - <Info> -- Disabled 51 rules.
21/10/2022 -- 07:48:08 - <Info> -- Enabled 0 rules.
21/10/2022 -- 07:48:08 - <Info> -- Modified 0 rules.
21/10/2022 -- 07:48:08 - <Info> -- Dropped 0 rules.
21/10/2022 -- 07:48:08 - <Debug> -- Found 240 required flowbits.
21/10/2022 -- 07:48:08 - <Debug> -- Found 131 rules to enable to for flowbit requirements
21/10/2022 -- 07:48:08 - <Debug> -- Found 241 required flowbits.
21/10/2022 -- 07:48:08 - <Debug> -- Found 0 rules to enable to for flowbit requirements
21/10/2022 -- 07:48:08 - <Debug> -- All required rules enabled.
21/10/2022 -- 07:48:08 - <Info> -- Enabled 131 rules for flowbit dependencies.
21/10/2022 -- 07:48:08 - <Info> -- Backing up current rules.
21/10/2022 -- 07:48:08 - <Debug> -- Recording existing file /var/lib/suricata/rules/suricata.rules with hash 'f8b4428a8bbf067820415f3b83350773'.
21/10/2022 -- 07:48:10 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 36286; enabled: 28683; added: 0; removed 0; modified: 0
21/10/2022 -- 07:48:11 - <Debug> -- Loading /etc/suricata/classification.config
21/10/2022 -- 07:48:11 - <Debug> -- Loading rules/classification.config
21/10/2022 -- 07:48:11 - <Info> -- Writing /var/lib/suricata/rules/classification.config
21/10/2022 -- 07:48:11 - <Info> -- No changes detected, exiting.

Just to double-check that it’s still happening, I tried going to a couple .cloud websites, and this spit out on the fast.log file:

10/21/2022-07:51:58.861666  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:63128 -> 8.8.8.8:53
10/21/2022-07:51:58.898952  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:63128 -> 8.8.4.4:53
10/21/2022-07:52:01.840485  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:49605 -> [redactedipaddress]:53
10/21/2022-07:52:02.787718  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:62116 -> 204.19.119.1:53
10/21/2022-07:52:02.808266  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:62116 -> 204.26.57.1:53
10/21/2022-07:52:02.821253  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:62116 -> 17.253.207.1:53
10/21/2022-07:52:02.821349  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:62116 -> 17.253.200.1:53
10/21/2022-07:52:02.833306  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:63985 -> 37.209.192.10:53
10/21/2022-07:52:05.849785  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:49605 -> [redactedipaddress]:53
10/21/2022-07:52:06.067820  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:64046 -> 208.67.222.222:53
10/21/2022-07:52:06.099095  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:60241 -> [redactedipaddress]:53
10/21/2022-07:52:06.106067  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:63896 -> 208.67.222.222:53
10/21/2022-07:52:06.143162  [**] [1:2027865:4] ET INFO Observed DNS Query to .cloud TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} [redactedipaddress]:54003 ->[redactedipaddress]:53

So yeah, as you can see the rule number that I tried to disable is not disabled.

Could it have to do with the fact that I have to use ‘sudo’ in order to access anything inside of /var/lib/suricata/rules?

jamie@Suricata1:/var/lib/suricata$ cd rules
-bash: cd: rules: Permission denied
jamie@Suricata1:/var/lib/suricata$ sudo cd rules
sudo: cd: command not found
sudo: "cd" is a shell built-in command, it cannot be run directly.
sudo: the -s option may be used to run a privileged shell.
sudo: the -D option may be used to run a command in a specific directory.

It sounds like you have verified that Suricata-Update is disabling the rule. Have you tried restarting Suricata? Suricata-Update does not automatically trigger a rule-reload by default.
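The two checks suggested in this thread (grep the written rules file for the SID, then make sure the running Suricata has actually reloaded it) as an added helper script; it is not part of Suricata or suricata-update. The file paths are the ones from the thread, the function names are my own, and the disable.conf and rules lines it creates for offline testing are constructed samples, not the poster's files.

```shell
#!/usr/bin/env bash
# Added helper (not part of Suricata or suricata-update): for a SID listed in
# disable.conf, report whether suricata-update has actually commented it out in
# the rules file it writes and, because suricata-update does not reload Suricata
# by default, offer the reload the thread turned out to need.
# Default paths are the ones from the thread; override them via the environment.
set -u

DISABLE_CONF="${DISABLE_CONF:-/etc/suricata/disable.conf}"
RULES_FILE="${RULES_FILE:-/var/lib/suricata/rules/suricata.rules}"

# sid_listed SID CONF: true if SID appears as a bare entry in disable.conf
# (blank lines and trailing "# comment" text are tolerated; gid:sid, re: and
# group: entries are not handled by this helper).
sid_listed() {
    grep -Eq "^[[:space:]]*$1[[:space:]]*(#.*)?$" "$2"
}

# rule_state SID RULES: prints disabled / enabled / missing. suricata-update
# writes a disabled rule as the original rule text prefixed with "# ".
rule_state() {
    local line
    line=$(grep -E "sid:[[:space:]]*$1;" "$2" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq '^[[:space:]]*#'; then
        echo disabled
    else
        echo enabled
    fi
}

# diagnose SID CONF RULES: one word saying what to do next.
#   not-listed     SID is not in disable.conf at all
#   rerun-update   listed, but the written rules file still has it active
#   reload-needed  listed and commented out in the file; if alerts for it
#                  still fire, the running Suricata has not reloaded the file
#   missing        listed, but no rule with that SID exists in the file
diagnose() {
    local sid="$1" conf="$2" rules="$3"
    if ! sid_listed "$sid" "$conf"; then
        echo not-listed
        return
    fi
    case "$(rule_state "$sid" "$rules")" in
        enabled)  echo rerun-update ;;
        disabled) echo reload-needed ;;
        missing)  echo missing ;;
    esac
}

# Ask the running Suricata to reload its ruleset over the unix socket.
reload_suricata() {
    suricatasc -c ruleset-reload-rules
}

# Constructed sample files (not the poster's real files) for offline use:
# 2027865 is written as disabled, 2034098 is still active, 2002878 is not
# listed in disable.conf at all.
make_samples() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' '# constructed disable.conf' 2027865 2034098 '' > "$dir/disable.conf"
    cat > "$dir/suricata.rules" <<'EOF'
# alert dns any any -> any any (msg:"constructed rule A"; sid:2027865; rev:4;)
alert tls any any -> any any (msg:"constructed rule B"; sid:2034098; rev:1;)
alert http any any -> any any (msg:"constructed rule C"; sid:2002878; rev:6;)
EOF
    echo "$dir"
}

# Usage: ./check-sid.sh SID [--reload]
if [ "$#" -gt 0 ]; then
    verdict=$(diagnose "$1" "$DISABLE_CONF" "$RULES_FILE")
    echo "$1: $verdict"
    if [ "$verdict" = reload-needed ] && [ "${2:-}" = --reload ]; then
        reload_suricata
    fi
fi
```

A `reload-needed` verdict on a SID that still alerts is exactly the situation in this thread: the file is correct and only the running engine is stale. suricata-update's `--reload-command` option can run the reload for you after an update, but only on runs that actually change the output files, which is why a manual reload is needed after a run that already wrote the disabled rule.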

Well I feel like a complete idiot! I should have known better! I have disabled so many rules in the past month, I should know the process now!

No, I did not restart Suricata - I totally forgot. Thank you so much Jason Ish. And thank you so much Andreas Herz for your help too, and I’m sorry for wasting both of your guys’ precious time on such a stupid mistake on my part.

Suricata is such an amazing product and you guys are the best. I’ve been having so much fun learning about Suricata and playing with it. The more I learn, the more I see how powerful it is.

I’m sure this won’t be the last you hear from me as I’m still a newbie, but until then, keep up the awesome work!
