Can't disable rules with disable.conf

Hi!

I’m trying to disable some rules by IDs.

My disable.conf looks like this:

2027766
2035466
2035465
2027397
2014939
2027757

I can see the rules being disabled in the output of suricata-update -v.
10/12/2024 – 12:15:36 - – Disabling: [1:2270000] SURICATA DNP3 Request flood detected
10/12/2024 – 12:15:36 - – Disabling: [1:2270001] SURICATA DNP3 Length too small
10/12/2024 – 12:15:36 - – Disabling: [1:2270002] SURICATA DNP3 Bad link CRC
10/12/2024 – 12:15:36 - – Disabling: [1:2270003] SURICATA DNP3 Bad transport CRC
10/12/2024 – 12:15:36 - – Disabling: [1:2270004] SURICATA DNP3 Unknown object
10/12/2024 – 12:15:36 - – Disabling: [1:2250001] SURICATA Modbus invalid Protocol version
10/12/2024 – 12:15:36 - – Disabling: [1:2250002] SURICATA Modbus unsolicited response
10/12/2024 – 12:15:36 - – Disabling: [1:2250003] SURICATA Modbus invalid Length
10/12/2024 – 12:15:36 - – Disabling: [1:2250004] SURICATA Modbus invalid Unit Identifier
10/12/2024 – 12:15:36 - – Disabling: [1:2250005] SURICATA Modbus invalid Function code
10/12/2024 – 12:15:36 - – Disabling: [1:2250006] SURICATA Modbus invalid Value
10/12/2024 – 12:15:36 - – Disabling: [1:2250007] SURICATA Modbus Exception code invalid
10/12/2024 – 12:15:36 - – Disabling: [1:2250008] SURICATA Modbus Data mismatch
10/12/2024 – 12:15:36 - – Disabling: [1:2250009] SURICATA Modbus Request flood detected
10/12/2024 – 12:15:36 - – Disabling: [1:2027757] ET DNS Query for .to TLD
10/12/2024 – 12:15:36 - – Disabling: [1:2035465] ET INFO Observed Discord Domain in DNS Lookup (discord .com)
10/12/2024 – 12:15:36 - – Disabling: [1:2035466] ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
10/12/2024 – 12:15:36 - – Disabling: [1:2027397] ET POLICY Spotify P2P Client
10/12/2024 – 12:15:36 - – Disabling: [1:2027766] ET POLICY Windows Update P2P Activity
10/12/2024 – 12:15:36 - – Disabling: [1:2014939] ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR

suricata -c /etc/suricata/suricata.yaml --dump-config|grep -e default-rule-path -e rule-files
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = *.rules

I even checked that the given rules are commented out in /var/lib/suricata/rules/suricata.rules. I tried commenting out a rule in disable.conf, running suricata-update and checking suricata.rules: it was commented out, and vice versa.

I don’t have enable.conf.

ls /etc/suricata/
classification.config rules/
disable.conf suricata.yaml
reference.config threshold.config

Despite this I’m still getting alerts about the rules I disabled.

What am I doing wrong?

Check your default-rule-path in suricata.yaml; it looks like it's using the older variation of this. Instead you'll want something like:

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules
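The mismatch in the question is that suricata-update writes its disabled rules into /var/lib/suricata/rules/suricata.rules, while the --dump-config output shows Suricata loading /etc/suricata/rules/*.rules, so whatever copies of those SIDs sit in the old-layout files stay active. The script below is an added example for checking that (it is not from the thread or from the Suricata project): it resolves the rule files from saved `suricata --dump-config` output the same way Suricata does (relative entries joined to default-rule-path, absolute entries kept), then reports every numeric SID from disable.conf that still appears as an uncommented rule in a loaded file. The demo() function builds a constructed layout under mktemp that mirrors the question; the file names and rule text in it are invented for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find the rule files Suricata really
# loads and list disable.conf SIDs that are still active in them.
set -eo pipefail

# Read `suricata --dump-config` text on stdin; print one rule-file path per
# line. Relative rule-files entries are joined to default-rule-path, absolute
# ones are kept as-is (this is how Suricata resolves them).
resolve_rule_files() {
  local base="" line f
  local -a files=()
  while IFS= read -r line; do
    case "$line" in
      default-rule-path\ =\ *) base="${line#default-rule-path = }" ;;
      rule-files.[0-9]*\ =\ *)  files+=("${line#* = }") ;;
    esac
  done
  for f in ${files[@]+"${files[@]}"}; do
    case "$f" in
      /*) printf '%s\n' "$f" ;;
      *)  printf '%s\n' "$base/$f" ;;
    esac
  done
}

# still_active DISABLE_CONF RULE_PATH... : for each numeric SID in disable.conf
# (re:/group: lines are skipped), print "SID FILE" when FILE contains an
# uncommented rule with that sid. Globs such as *.rules are expanded here.
still_active() {
  local disable_conf="$1"; shift
  local pattern f sid
  for pattern in "$@"; do
    for f in $pattern; do            # intentional glob expansion
      [ -f "$f" ] || continue
      while IFS= read -r sid; do
        sid="${sid%%#*}"; sid="${sid//[[:space:]]/}"
        [[ "$sid" =~ ^[0-9]+$ ]] || continue
        if grep -Eq "^[[:space:]]*(alert|drop|pass|reject)[^#]*sid:[[:space:]]*${sid};" "$f"; then
          printf '%s %s\n' "$sid" "$f"
        fi
      done < "$disable_conf"
    done
  done
}

# Constructed demo of the question's situation: suricata.yaml still points at
# an old-layout rules directory while suricata-update writes elsewhere.
demo() {
  local tmp f
  tmp=$(mktemp -d)
  mkdir -p "$tmp/etc/rules" "$tmp/var/rules"
  printf '2027766\n2035466\n' > "$tmp/disable.conf"
  # Old-layout file that Suricata actually loads: rule still active here.
  printf 'alert dns any any -> any any (msg:"ET POLICY Windows Update P2P Activity"; sid:2027766; rev:1;)\n' \
    > "$tmp/etc/rules/emerging-policy.rules"
  # suricata-update output: same rule correctly commented out, but never loaded.
  printf '# alert dns any any -> any any (msg:"ET POLICY Windows Update P2P Activity"; sid:2027766; rev:1;)\n' \
    > "$tmp/var/rules/suricata.rules"
  printf 'default-rule-path = %s/etc/rules\nrule-files = (null)\nrule-files.0 = *.rules\n' "$tmp" \
    > "$tmp/dump.txt"
  local -a files=()
  while IFS= read -r f; do files+=("$f"); done < <(resolve_rule_files < "$tmp/dump.txt")
  still_active "$tmp/disable.conf" "${files[@]}"
  rm -rf "$tmp"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  demo
fi
```

Against a live box, replace the constructed dump.txt with `suricata -c /etc/suricata/suricata.yaml --dump-config`; any line the script prints is a SID that disable.conf cannot touch, because suricata-update only rewrites suricata.rules. The fix is to point default-rule-path and rule-files at that file, as in the answer above, and then drop or move the old /etc/suricata/rules/*.rules files so they are not loaded twice.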