Hello everyone,
I have a newbie question to ask about the logic of how a ruleset works.
Why are some rules commented out by default? Eg. on ET MALWARE there are a lot which are commented thus not used. Is there a reason for it or is it best practice to enable all of them using enable.conf?
Thanks,
Chris
Hi, @bchris21 !
Welcome to our forum. 
Whether the rules are disabled (commented) or enabled depends on a few settings:
enable.confdisable.confsuricata.yamlDo you perhaps have certain protocols disabled in your suricata.yaml?
Or loading a [enable|disable].conf unknowingly?
Or there are flowbits leading to enabling/disabling of those rules?
These are the places you should start.
Note: I may be missing other settings that can cause this 
but these are what come to mind at once.
Hi @sbhardwaj,
thanks a lot!
I am using ET PRO ruleset which has multiple rules commented out on several groups by default. The etpro.rules.tar.gz is not parsed yet by suricata-update. I have just untared it and explored the several groups in order to see which ones apply to my environment. Then I saw that several hundreds of rules where disabled (commented) by default.
I hope it’s more clear now.
Let me know shall you need further more clarification.
Regards,
Chris
Ah! Sorry about misunderstanding. So that comes from ET, I think. I could find this question on their FAQ answering that. I hope this helps.
No worries! Thanks for the info, it makes sense now. I have globally enabled most of the groups but maybe it’s better to keep the by-default disabled one as is for the beginning.
Thanks again,
Chris
There are multiple ways to skin that animal.
I prefer to turn everything on and remove things along the way. Documenting why etc.
It might seems daunting at first and a SIEM will help with proper sorting.