Commented rules explanation

Hello everyone,

I have a newbie question to ask about the logic of how a ruleset works.

Why are some rules commented out by default? E.g. in ET MALWARE there are a lot which are commented out and thus not used. Is there a reason for it, or is it best practice to enable all of them using enable.conf?

Thanks,

Chris

Hi, @bchris21 !
Welcome to our forum.

Whether the rules are disabled (commented) or enabled depends on a few settings:

  • enable.conf
  • disable.conf
  • suricata.yaml
  • flowbit dependencies

Do you perhaps have certain protocols disabled in your suricata.yaml?
Or loading an [enable|disable].conf unknowingly?
Or are there flowbits leading to the enabling/disabling of those rules?

These are the places you should start.
Note: I may be missing other settings that can cause this, but these are what come to mind at once.
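As an added example (not code from either poster or from suricata-update), a small Python script that does the triage described above: it classifies rule lines in an ET-style .rules file as enabled or commented out, applies simplified enable.conf entries (sid, gid:sid, re:regex), and flags enabled rules whose flowbits:isset has no enabled setter, so they can never fire. The sample rules and sids are constructed, and the enable.conf handling is a simplified reading of suricata-update's syntax, not its implementation.

```python
import re

# Constructed sample in ET rule style (not real ET content; sids are placeholders).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE setter"; flow:established,to_server; flowbits:set,ex.stage1; flowbits:noalert; sid:9000001; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE follow-up"; flowbits:isset,ex.stage1; sid:9000002; rev:1;)
#alert tcp any any -> any 4444 (msg:"EXAMPLE legacy signature"; sid:9000003; rev:1;)
alert dns any any -> any any (msg:"EXAMPLE orphan"; flowbits:isset,ex.missing; sid:9000004; rev:1;)
"""

# A rule line, optionally commented out with a leading '#'. Other '#' lines are plain comments.
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+.*\bsid:\s*(?P<sid>\d+)\s*;")

def parse_rules(text):
    """One dict per rule line: sid, whether it is enabled, its text, and the flowbits it sets/tests."""
    rules = []
    for m in filter(None, map(RULE_RE.match, map(str.strip, text.splitlines()))):
        rules.append({
            "sid": int(m.group("sid")),
            "enabled": m.group("off") is None,
            "text": m.string.lstrip("# "),
            "sets": re.findall(r"flowbits:set,([^;]+);", m.string),
            "issets": re.findall(r"flowbits:isset,([^;]+);", m.string),
        })
    return rules

def apply_enable_conf(rules, entries):
    """Simplified enable.conf: 'sid', 'gid:sid' or 're:regex' (case-insensitive match on the rule text)."""
    for entry in filter(None, (e.split("#")[0].strip() for e in entries)):
        if entry.startswith("re:"):
            pat = re.compile(entry[3:].strip(), re.I)
            hits = [r for r in rules if pat.search(r["text"])]
        else:
            sid = int(entry.rsplit(":", 1)[-1])
            hits = [r for r in rules if r["sid"] == sid]
        for r in hits:
            r["enabled"] = True
    return rules

def flowbit_gaps(rules):
    """Enabled rules that test a flowbit which no enabled rule sets: they can never alert."""
    setters = {fb for r in rules if r["enabled"] for fb in r["sets"]}
    return sorted((r["sid"], fb) for r in rules if r["enabled"] for fb in r["issets"] if fb not in setters)

def enabled_sids(rules):
    return sorted(r["sid"] for r in rules if r["enabled"])

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("enabled by default:", enabled_sids(rules), "gaps:", flowbit_gaps(rules))
    apply_enable_conf(rules, ["1:9000002", "re:legacy  # enable the legacy signature"])
    print("after enable.conf:", enabled_sids(rules), "gaps:", flowbit_gaps(rules))
```

Point the parser at an untarred ET group file instead of SAMPLE_RULES to see how many rules in each group ship commented out, and which enabled rules would silently depend on a disabled flowbit setter.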

Hi @sbhardwaj,

thanks a lot!

I am using the ET PRO ruleset, which has multiple rules commented out in several groups by default. The etpro.rules.tar.gz is not parsed yet by suricata-update. I have just untarred it and explored the several groups in order to see which ones apply to my environment. Then I saw that several hundred rules were disabled (commented) by default.

I hope it’s more clear now.

Let me know should you need any further clarification.

Regards,

Chris

Ah! Sorry about the misunderstanding. So that comes from ET, I think. I could find this question on their FAQ answering that. I hope this helps.


No worries! Thanks for the info, it makes sense now. I have globally enabled most of the groups, but maybe it’s better to keep the by-default disabled ones as they are for the beginning.

Thanks again,

Chris

There are multiple ways to skin that animal.
I prefer to turn everything on and remove things along the way, documenting why, etc.
It might seem daunting at first, and a SIEM will help with proper sorting.