Running myself, it also reports “7” disabled rules. But grep’ing for the rules in disable.conf gives me a line for each that is commented out, so they are all disabled.
cat /tmp/suricata-update/disable.conf | while read sid ; do grep $sid suricata.rules ; done
# alert udp $HOME_NET any -> $EXTERNAL_NET [!3478,1023:] (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033078; rev:2; metadata:created_at 2021_06_03, updated_at 2021_06_03;)
# alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:3; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
# alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
# alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
# alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid 2003480; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
Running with nothing in the disable.conf, rules seem to be disabled except 7, which matches the number of rules disabled with the original config. So they are already disabled.
alert udp $HOME_NET any -> $EXTERNAL_NET [!3478,1023:] (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033078; rev:2; metadata:created_at 2021_06_03, updated_at 2021_06_03;)
alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:3; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
# alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
# alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid 2003480; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)