I’m trying to deactivate the DNS Unsolicited Response rule, as it’s giving me a lot of false positives and filling my logs up. My suricata.yaml file is set to read rules from /etc/suricata/rules/. Inside this directory I have the dns-events.rules file, from which I have deleted the DNS rule I no longer want. This rule had a SID of 2240001.
I restart Suricata with systemctl restart suricata; however, I notice that in fast.log I’m still getting alerts for 2240001:
[**] [1:2240001:2] SURICATA DNS Unsolicited response [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}
I’ve also searched for this SID in both /var/lib/suricata/suricata.rules and /usr/share/suricata/rules/; however, no results are returned.
In my suricata.yaml config the advanced rule configuration set is used instead of the one above, with:
default-rule-path: /etc/suricata/rules
I should also probably say my installation is a bit weird, as I initially downloaded an outdated version (v4) with apt but then removed it and built v6 from source, leaving me with files left over from the outdated installation.
I know dns-events.rules is being read correctly because I have added some custom rules which work as intended.
How can I stop the DNS rule from being added?
Thanks.
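One way to check which rule files a Suricata install still carries a SID in, as an added example that is not part of the post: a POSIX shell function that scans whole directory trees for `sid:N;` and reports whether each copy is live or commented out, run here over a constructed stand-in for the two rule directories mentioned above (the rule bodies are shortened placeholders, not the real dns-events.rules text).

```shell
#!/bin/sh
# Added example: a rule stays loaded as long as ANY file Suricata reads declares
# its SID, so a second live copy (e.g. a leftover tree from an older install) keeps
# alerting even after the copy in the expected file is deleted.

# find_sid SID DIR... : print "enabled|disabled FILE:LINE" for every match.
find_sid() {
  sid=$1; shift
  grep -rnH -E "sid:[[:space:]]*${sid}[[:space:]]*;" "$@" 2>/dev/null |
  while IFS= read -r hit; do
    file=${hit%%:*}; rest=${hit#*:}
    lineno=${rest%%:*}; line=${rest#*:}
    trimmed=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
    case $trimmed in
      \#*) printf 'disabled %s:%s\n' "$file" "$lineno" ;;  # commented out: ignored
      *)   printf 'enabled %s:%s\n'  "$file" "$lineno" ;;  # live: still loaded
    esac
  done
}

# count_enabled SID DIR... : number of live copies; 0 means the SID cannot fire.
count_enabled() {
  find_sid "$@" | awk '/^enabled /{n++} END{print n+0}'
}

# Constructed sample layout mirroring the directories named in the post:
# the copy in /etc/suricata/rules is commented out, but a leftover copy in
# /var/lib/suricata/rules is still live.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/etc/suricata/rules" "$SAMPLE_ROOT/var/lib/suricata/rules"
cat > "$SAMPLE_ROOT/etc/suricata/rules/dns-events.rules" <<'EOF'
# alert dns any any -> any any (msg:"SURICATA DNS Unsolicited response"; sid:2240001; rev:2;)
alert dns any any -> any any (msg:"constructed placeholder rule"; sid:2240002; rev:1;)
EOF
cat > "$SAMPLE_ROOT/var/lib/suricata/rules/suricata.rules" <<'EOF'
alert dns any any -> any any (msg:"SURICATA DNS Unsolicited response"; sid:2240001; rev:2;)
EOF

# Demonstration run; on a real host pass the real rule roots, e.g.
#   find_sid 2240001 /etc/suricata /var/lib/suricata /usr/share/suricata
find_sid 2240001 "$SAMPLE_ROOT"
echo "live copies of 2240001: $(count_enabled 2240001 "$SAMPLE_ROOT")"
# rm -rf "$SAMPLE_ROOT" when done
```

After removing every live copy, `suricata -T -c /etc/suricata/suricata.yaml -v` validates the config and lists the rule files it actually loads, which is the authoritative check.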