disable.conf does not work

I’m going to use disable.conf to turn off the rules that cause a lot of false positives.
A total of 16 signature IDs were put in disable.conf and suricata-update was executed.

❯ cat /etc/suricata/disable.conf
# suricata-update - disable.conf

# Example of disabling a rule by signature ID (gid is optional).
# 1:2019401
# 2019401

# Example of disabling a rule by regular expression.
# - All regular expression matches are case insensitive.
# re:heartbleed
# re:MS(0[7-9]|10)-\d+

# Examples of disabling a group of rules.
# group:emerging-icmp.rules
# group:emerging-dos
# group:emerging*
2033078
2027766
2027390
2025275
2018907
2018282
2016150
2016149
2002658
2001377
2001375
2011296
2023048
2003480
2102329

As a result of the run, only 7 rules are reported as disabled, and some rules registered in disable.conf are still generating alerts.

❯ sudo suricata-update && sudo suricatasc -c ruleset-reload-rules
29/7/2021 -- 19:13:46 - <Info> -- Loading /etc/suricata/update.yaml
29/7/2021 -- 19:13:46 - <Info> -- Using data-directory /var/lib/suricata.
29/7/2021 -- 19:13:46 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
29/7/2021 -- 19:13:46 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
29/7/2021 -- 19:13:46 - <Info> -- Found Suricata version 6.0.2 at /usr/bin/suricata.
29/7/2021 -- 19:13:46 - <Info> -- Loading /etc/suricata/disable.conf.
29/7/2021 -- 19:13:46 - <Info> -- Loading /etc/suricata/enable.conf.
29/7/2021 -- 19:13:46 - <Info> -- Loading /etc/suricata/modify.conf.
29/7/2021 -- 19:13:46 - <Info> -- Loading /etc/suricata/drop.conf.
29/7/2021 -- 19:13:46 - <Info> -- Loading /etc/suricata/suricata.yaml
29/7/2021 -- 19:13:46 - <Info> -- Disabling rules for protocol http2
29/7/2021 -- 19:13:46 - <Info> -- Disabling rules for protocol modbus
29/7/2021 -- 19:13:46 - <Info> -- Disabling rules for protocol dnp3
29/7/2021 -- 19:13:46 - <Info> -- Disabling rules for protocol enip
29/7/2021 -- 19:13:46 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz.
29/7/2021 -- 19:13:46 - <Info> -- Last download less than 15 minutes ago. Not downloading https://feodotracker.abuse.ch/downloads/feodotracker_aggressive.rules.
29/7/2021 -- 19:13:46 - <Info> -- Last download less than 15 minutes ago. Not downloading https://sslbl.abuse.ch/blacklist/sslipblacklist.rules.
29/7/2021 -- 19:13:46 - <Info> -- Ignoring file rules/emerging-deleted.rules
29/7/2021 -- 19:13:48 - <Info> -- Loaded 31190 rules.
29/7/2021 -- 19:13:48 - <Info> -- Disabled 7 rules.
29/7/2021 -- 19:13:48 - <Info> -- Enabled 7423 rules.
29/7/2021 -- 19:13:48 - <Info> -- Modified 0 rules.
29/7/2021 -- 19:13:48 - <Info> -- Dropped 0 rules.
29/7/2021 -- 19:13:48 - <Info> -- Enabled 0 rules for flowbit dependencies.
29/7/2021 -- 19:13:48 - <Info> -- Backing up current rules.
29/7/2021 -- 19:13:50 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 31190; enabled: 31190; added: 0; removed 0; modified: 0
29/7/2021 -- 19:13:50 - <Info> -- Writing /var/lib/suricata/rules/classification.config
29/7/2021 -- 19:13:50 - <Info> -- No changes detected, exiting.
{"message": "done", "return": "OK"}

I did not touch enable.conf, modify.conf or drop.conf, only disable.conf.

What is the problem?

I believe suricata-update's order of operations is: (enable all), disable, enable, modify.

Have you reloaded the rules with suricatasc or restarted Suricata?
Are the active rules still in enable.conf?

https://suricata.readthedocs.io/en/latest/rule-management/rule-reload.html

Try adding -v to the command line for suricata-update. It will output each rule that gets disabled via disable.conf. In theory you should see one for each sid you list, assuming all those sids exist. A reason why you may only see 7 disabled is that some are disabled by default, so they will not be counted as being disabled. But then are they getting turned on by enable.conf (perhaps a regex matches them)?

After adding the sids to disable.conf, the result of running suricata-update is written in the body.
Of course, I also ran Suricata's rule reload.

The disabled rule in the result of suricata-update is different from the one added to disable.conf.

❯ sudo suricata-update -v | grep -v Enabling
30/7/2021 -- 10:10:41 - <Debug> -- This is suricata-update version 1.2.0 (rev: 86e530c); Python: 3.8.10 (default, Jun  2 2021, 10:49:15) - [GCC 9.4.0]
30/7/2021 -- 10:10:41 - <Info> -- Loading /etc/suricata/update.yaml
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value subcommand -> update
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value verbose -> True
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value version -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value force -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value url -> []
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value no-ignore -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value dump-sample-configs -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value etopen -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value no-reload -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value no-test -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value no-merge -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value offline -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value now -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value disable -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value enable -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value modify -> False
30/7/2021 -- 10:10:41 - <Debug> -- Setting configuration value drop -> False
30/7/2021 -- 10:10:41 - <Debug> -- Found suricata at /usr/bin/suricata
30/7/2021 -- 10:10:41 - <Info> -- Using data-directory /var/lib/suricata.
30/7/2021 -- 10:10:41 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
30/7/2021 -- 10:10:41 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
30/7/2021 -- 10:10:41 - <Info> -- Found Suricata version 6.0.2 at /usr/bin/suricata.
30/7/2021 -- 10:10:41 - <Info> -- Loading /etc/suricata/disable.conf.
30/7/2021 -- 10:10:41 - <Info> -- Loading /etc/suricata/enable.conf.
30/7/2021 -- 10:10:41 - <Info> -- Loading /etc/suricata/modify.conf.
30/7/2021 -- 10:10:41 - <Info> -- Loading /etc/suricata/drop.conf.
30/7/2021 -- 10:10:41 - <Info> -- Loading /etc/suricata/suricata.yaml
30/7/2021 -- 10:10:41 - <Info> -- Disabling rules for protocol http2
30/7/2021 -- 10:10:41 - <Info> -- Disabling rules for protocol modbus
30/7/2021 -- 10:10:41 - <Info> -- Disabling rules for protocol dnp3
30/7/2021 -- 10:10:41 - <Info> -- Disabling rules for protocol enip
30/7/2021 -- 10:10:41 - <Debug> -- Adding source ('https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz', None, True).
30/7/2021 -- 10:10:41 - <Debug> -- Adding source ('https://sslbl.abuse.ch/blacklist/sslipblacklist.rules', None, True).
30/7/2021 -- 10:10:41 - <Debug> -- Adding source ('https://feodotracker.abuse.ch/downloads/feodotracker_aggressive.rules', None, True).
30/7/2021 -- 10:10:41 - <Info> -- Last download less than 15 minutes ago. Not downloading https://feodotracker.abuse.ch/downloads/feodotracker_aggressive.rules.
30/7/2021 -- 10:10:41 - <Info> -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz.
30/7/2021 -- 10:10:41 - <Info> -- Last download less than 15 minutes ago. Not downloading https://sslbl.abuse.ch/blacklist/sslipblacklist.rules.
30/7/2021 -- 10:10:41 - <Debug> -- Parsing feodotracker_aggressive.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/3coresec.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/botcc.portgrouped.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/botcc.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/ciarmy.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/compromised.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/drop.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/dshield.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-activex.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-adware_pup.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-attack_response.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-chat.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-coinminer.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-current_events.rules
30/7/2021 -- 10:10:41 - <Info> -- Ignoring file rules/emerging-deleted.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-dns.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-dos.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-exploit.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-exploit_kit.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-ftp.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-games.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-hunting.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-icmp.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-icmp_info.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-imap.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-inappropriate.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-info.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-ja3.rules
30/7/2021 -- 10:10:41 - <Debug> -- Parsing rules/emerging-malware.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-misc.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-mobile_malware.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-netbios.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-p2p.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-phishing.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-policy.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-pop3.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-rpc.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-scada.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-scan.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-shellcode.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-smtp.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-snmp.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-sql.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-telnet.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-tftp.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-user_agents.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-voip.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-web_client.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-web_server.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-web_specific_apps.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/emerging-worm.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing rules/tor.rules
30/7/2021 -- 10:10:42 - <Debug> -- Parsing sslipblacklist.rules
30/7/2021 -- 10:10:42 - <Info> -- Loaded 31187 rules.
30/7/2021 -- 10:10:42 - <Debug> -- Disabling: [1:2018907] ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)
30/7/2021 -- 10:10:42 - <Debug> -- Disabling: [1:2016149] ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
30/7/2021 -- 10:10:42 - <Debug> -- Disabling: [1:2016150] ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
30/7/2021 -- 10:10:42 - <Debug> -- Disabling: [1:2025275] ET INFO Windows OS Submitting USB Metadata to Microsoft
30/7/2021 -- 10:10:42 - <Debug> -- Disabling: [1:2033078] ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
30/7/2021 -- 10:10:43 - <Debug> -- Disabling: [1:2027766] ET POLICY Windows Update P2P Activity
30/7/2021 -- 10:10:43 - <Debug> -- Disabling: [1:2027390] ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
30/7/2021 -- 10:10:43 - <Info> -- Disabled 7 rules.
30/7/2021 -- 10:10:43 - <Info> -- Enabled 7430 rules.
30/7/2021 -- 10:10:43 - <Info> -- Modified 0 rules.
30/7/2021 -- 10:10:43 - <Info> -- Dropped 0 rules.
30/7/2021 -- 10:10:43 - <Debug> -- Found 329 required flowbits.
30/7/2021 -- 10:10:43 - <Debug> -- Found 0 rules to enable to for flowbit requirements
30/7/2021 -- 10:10:43 - <Debug> -- All required rules enabled.
30/7/2021 -- 10:10:43 - <Info> -- Enabled 0 rules for flowbit dependencies.
30/7/2021 -- 10:10:43 - <Info> -- Backing up current rules.
30/7/2021 -- 10:10:43 - <Debug> -- Recording existing file /var/lib/suricata/rules/suricata.rules with hash 'e79ac4a37257f4720bd47f435acfba4a'.
30/7/2021 -- 10:10:45 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 31187; enabled: 31187; added: 0; removed 0; modified: 0
30/7/2021 -- 10:10:45 - <Debug> -- Loading /etc/suricata/classification.config
30/7/2021 -- 10:10:45 - <Debug> -- Loading /usr/share/suricata/classification.config
30/7/2021 -- 10:10:45 - <Debug> -- Loading rules/classification.config
30/7/2021 -- 10:10:45 - <Info> -- Writing /var/lib/suricata/rules/classification.config
30/7/2021 -- 10:10:45 - <Info> -- No changes detected, exiting.

As a result of checking, the disabled rules are ones I added to disable.conf.
The problem is that only 7 are disabled, not the 16 registered.

Basically, I plan to use all of the ET rules, and I want to deactivate only the rules that cause a lot of false positives.

According to the documentation, suricata-update applies disable.conf first and then enable.conf, so putting * in enable.conf means that disable.conf may not take effect.

Running it myself, it also reports “7” disabled rules. But grep’ing for the rules in disable.conf gives me a line for each that is commented out, so they are all disabled.


while read -r sid; do grep -- "$sid" suricata.rules; done < /tmp/suricata-update/disable.conf
# alert udp $HOME_NET any -> $EXTERNAL_NET [!3478,1023:] (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033078; rev:2; metadata:created_at 2021_06_03, updated_at 2021_06_03;)
# alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:3; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
# alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
# alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
# alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid 2003480; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Running with nothing in disable.conf, all the rules except 7 still come out disabled, which matches the number of rules disabled with the original config. So the others were already disabled.

alert udp $HOME_NET any -> $EXTERNAL_NET [!3478,1023:] (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033078; rev:2; metadata:created_at 2021_06_03, updated_at 2021_06_03;)
alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_06, updated_at 2014_08_06;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:3; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
# alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
# alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid 2003480; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
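The accounting behind the “Disabled 7 rules” line is what confuses people here: suricata-update only counts a rule as disabled if it was enabled before disable.conf was applied, so sids that already ship commented out in the ET ruleset are matched but never counted. The script below is an added example written for this thread, not suricata-update’s own code. It re-implements that accounting over a constructed, abbreviated ruleset (a handful of the ET rules quoted above, cut down to a few keywords, with one of them shipped disabled) and a constructed disable.conf, reports each sid as disabled, already-disabled or missing, and tolerates the `sid 2003480` form without a colon that appears in one of the rules above. The regex and group matching follow the syntax shown in the disable.conf comments; the `.rules` filename used for the group match is an assumption.

```python
"""Re-implement suricata-update's disable.conf accounting on a sample ruleset.

Added example, not code from suricata-update. RULES_TEXT and DISABLE_CONF are
constructed inputs: abbreviated versions of ET rules quoted in the thread.
"""
import fnmatch
import re

# Tolerates the "sid 2003480" (missing colon) form seen in one ET rule.
SID_RE = re.compile(r"\bsid:?\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")

# Constructed ruleset: three enabled rules and one already commented out upstream.
RULES_TEXT = r"""
alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; classtype:attempted-user; sid:2016149; rev:2;)
# alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ 4\d{15} /"; classtype:policy-violation; sid:2001377; rev:12;)
alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; dsize:<50; classtype:not-suspicious; sid 2003480; rev:5;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; http.method; content:"POST"; classtype:misc-activity; sid:2025275; rev:4;)
# an ordinary comment, not a disabled rule
"""

# Constructed disable.conf: bare sid, gid:sid, a sid without a colon upstream,
# a regex entry, and a sid that does not exist in the ruleset at all.
DISABLE_CONF = """
# suricata-update - disable.conf
2016149
1:2001377
2003480
re:USB Metadata
9999999
"""


def parse_disable_conf(text):
    """Return matchers: ('sid', gid, sid), ('re', pattern) or ('group', glob)."""
    matchers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            # suricata-update regex matches are case-insensitive
            matchers.append(("re", re.compile(line[3:].strip(), re.IGNORECASE)))
        elif line.startswith("group:"):
            matchers.append(("group", line[6:].strip()))
        else:
            gid, _, sid = line.rpartition(":")  # "1:2019401" or "2019401"
            matchers.append(("sid", int(gid) if gid else 1, int(sid)))
    return matchers


def parse_rules(text, group="suricata.rules"):
    """Parse rule lines; '#' followed by a rule action is a disabled rule, not a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = True
        if line.startswith("#"):
            enabled = False
            line = line.lstrip("#").strip()
        if line.split(" ", 1)[0] not in ACTIONS:
            continue  # blank line or plain comment
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        rules.append({"gid": int(gid.group(1)) if gid else 1, "sid": int(sid.group(1)),
                      "enabled": enabled, "text": line, "group": group})
    return rules


def matches(rule, matcher):
    if matcher[0] == "sid":
        return (rule["gid"], rule["sid"]) == (matcher[1], matcher[2])
    if matcher[0] == "re":
        return matcher[1].search(rule["text"]) is not None
    glob = matcher[1]  # "group:emerging-dos" should match emerging-dos.rules
    return fnmatch.fnmatch(rule["group"], glob) or fnmatch.fnmatch(rule["group"], glob + ".rules")


def apply_disable(rules, matchers):
    """Only rules that were enabled count towards 'Disabled N rules'."""
    newly, already, status = 0, 0, {}
    for rule in rules:
        if not any(matches(rule, m) for m in matchers):
            continue
        if rule["enabled"]:
            rule["enabled"] = False
            newly += 1
            status[rule["sid"]] = "disabled"
        else:
            already += 1
            status[rule["sid"]] = "already-disabled"
    known = {(r["gid"], r["sid"]) for r in rules}
    missing = sorted(m[2] for m in matchers if m[0] == "sid" and (m[1], m[2]) not in known)
    return {"disabled": newly, "already_disabled": already, "missing": missing, "status": status}


def render(rules):
    """Write rules back the way suricata-update does: disabled rules get a leading '# '."""
    return "\n".join(r["text"] if r["enabled"] else "# " + r["text"] for r in rules) + "\n"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT, group="emerging-info.rules")
    result = apply_disable(rules, parse_disable_conf(DISABLE_CONF))
    print(f"Disabled {result['disabled']} rules "
          f"({result['already_disabled']} already disabled upstream; missing sids: {result['missing']})")
    for sid, state in sorted(result["status"].items()):
        print(f"  {sid}: {state}")
    print(render(rules), end="")
```

Run against the constructed input this reports `Disabled 3 rules (1 already disabled upstream; missing sids: [9999999])`, which is exactly the shape of the discrepancy in the thread: every listed sid ends up commented out in the written file, but only the ones that were enabled to begin with appear in the count.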

I tried reinstalling Suricata.
Then it worked! Thank you.

Restarting Suricata (or killing the process) also helps, for next time.