I have a newbie question to ask about the logic of how a ruleset works.
Why are some rules commented out by default? E.g. in ET MALWARE there are a lot which are commented out and thus not used. Is there a reason for it, or is it best practice to enable all of them using enable.conf?
Whether the rules are disabled (commented) or enabled depends on a few settings:
enable.conf
disable.conf
suricata.yaml
flowbit dependencies
Do you perhaps have certain protocols disabled in your suricata.yaml?
Or loading an [enable|disable].conf unknowingly?
Or there are flowbits leading to enabling/disabling of those rules?
These are the places you should start.
Note: I may be missing other settings that can cause this but these are what come to mind at once.
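To make the interplay of the settings listed above concrete, here is an added example (my own, not from suricata-update or the ET ruleset) that reads a constructed rules file, applies a small subset of the enable.conf/disable.conf syntax (bare sid and re:), and then enables disabled rules whose flowbits an enabled rule checks. The precedence between disable and enable here is a simplifying assumption, and the sample rules, sids and flowbit names are constructed.

```python
import re
# Constructed sample rules in ET-style syntax (not real ET/ET PRO signatures).
# A leading '#' is how a ruleset ships a rule disabled by default.
SAMPLE_RULES = """\
#alert http any any -> any any (msg:"EX stage 1"; flowbits:set,ex.stage; flowbits:noalert; sid:9000001; rev:1;)
#alert http any any -> any any (msg:"EX stage 2"; flowbits:isset,ex.stage; sid:9000002; rev:1;)
#alert dns any any -> any any (msg:"EX DNS query"; sid:9000003; rev:1;)
alert tls any any -> any any (msg:"EX TLS cert"; sid:9000004; rev:1;)
#alert tcp any any -> any any (msg:"EX TCP probe"; flowbits:set,ex.probe; sid:9000005; rev:1;)
"""
RULE_RE = re.compile(r'^(#\s*)?(alert|drop|pass|reject)\b')

def parse_rules(text):
    """Parse rule lines into dicts: sid, enabled (not commented out), flowbits set/checked."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and comments that are not rules
        body = line.lstrip("#").strip()
        rules.append({"sid": int(re.search(r'sid:\s*(\d+);', body).group(1)),
                      "enabled": m.group(1) is None, "text": body,
                      "sets": set(re.findall(r'flowbits:\s*set,\s*([\w.]+)', body)),
                      "needs": set(re.findall(r'flowbits:\s*(?:isset|isnotset),\s*([\w.]+)', body))})
    return rules

def matches(rule, pattern):
    """Subset of the enable.conf/disable.conf syntax: a bare sid or 're:<regex>'."""
    if pattern.startswith("re:"):
        return re.search(pattern[3:], rule["text"]) is not None
    return rule["sid"] == int(pattern)

def apply_config(rules, enable, disable):
    """Simplified model (an assumption, not suricata-update's own code): disable.conf wins,
    enable.conf turns rules on, then any disabled rule that sets a flowbit an enabled rule
    checks is switched on as well. Returns (sid -> enabled, sids enabled only via flowbits)."""
    for r in rules:
        if any(matches(r, p) for p in disable):
            r["enabled"] = False
        elif any(matches(r, p) for p in enable):
            r["enabled"] = True
    via_flowbit, changed = [], True
    while changed:  # setters can chain, so repeat until nothing changes
        changed = False
        needed = set().union(*(r["needs"] for r in rules if r["enabled"]))
        for r in rules:
            if not r["enabled"] and r["sets"] & needed:
                r["enabled"], changed = True, True
                via_flowbit.append(r["sid"])
    return {r["sid"]: r["enabled"] for r in rules}, via_flowbit
```

Enabling only the "stage 2" rule (sid 9000002) pulls in the disabled "stage 1" setter through its flowbit, while the setter for ex.probe stays off because nothing enabled checks it.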
I am using the ET PRO ruleset, which has multiple rules commented out in several groups by default. The etpro.rules.tar.gz is not parsed yet by suricata-update. I have just untarred it and explored the several groups in order to see which ones apply to my environment. Then I saw that several hundred rules were disabled (commented) by default.
I hope it's clearer now.
Let me know should you need any further clarification.
No worries! Thanks for the info, it makes sense now. I have globally enabled most of the groups, but maybe it's better to keep the by-default disabled ones as they are for the beginning.
There are multiple ways to skin that animal.
I prefer to turn everything on and remove things along the way. Documenting why etc.
It might seem daunting at first, and a SIEM will help with proper sorting.