Deleted rules still being added

I’m trying to deactivate the DNS Unsolicited Response rule, as it’s giving me a lot of false positives and filling my logs up. My suricata.yaml file is set to read rules from /etc/suricata/rules/. Inside this directory I have the dns-events.rules file from which I have deleted the DNS rule I no longer want. This rule had a SID of 2240001.

I restart Suricata with systemctl restart suricata, however I notice that in fast.log I’m still getting alerts for 2240001:

[**] [1:2240001:2] SURICATA DNS Unsolicited response [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP}

I’ve also searched for this SID in both /var/lib/suricata/suricata.rules and /usr/share/suricata/rules/ however no results are returned.

In my suricata.yaml config the advanced rule configuration set is used instead of the one above, with:

default-rule-path: /etc/suricata/rules

I should also probably say my installation is a bit weird as I initially downloaded an outdated version (v4) with apt but then removed it and built v6 from source leaving me with files left over from the outdated installation.

I know dns-events.rules is being read correctly because I have added some custom rules which work as intended.

How can I stop the DNS rule from being added?


Try running suricata with -vv and look for the Loading rule file: lines. I am sure you will find the rule if you grep all the relevant files for the SID.

I’ve managed to bypass this problem by configuring Suricata to work with suricata-update - I commented out all of the advanced section and uncommented the section above and changed my default rule path to /var/lib/suricata/rules.

The rules I don’t want no longer seem to be present.