Disable/list Suricata rules?

Hello, I need help understanding how Suricata rules work. I’m trying to disable all the rules using the disable.conf file, but some rules are still active. Is this normal, or is there a problem? Is there a command to list Suricata rules? I haven’t added any external rules, just my disable.conf with these groups:

https://docs.suricata.io/en/latest/rule-management/suricata-update.html

group:app-layer-events.rules
group:files.rules
group:kerberos-events.rules
group:quic-events.rules
group:stream-events.rules
group:decoder-events.rules
group:ftp-events.rules
group:modbus-events.rules
group:rfb-events.rules
group:tls-events.rules
group:dhcp-events.rules
group:mqtt-events.rules
group:smb-events.rules
group:dnp3-events.rules
group:http-events.rules
group:nfs-events.rules
group:smtp-events.rules
group:dns-events.rules
group:ipsec-events.rules
group:ntp-events.rules
group:ssh-events.rules

I’m not sure if the rules are disabled because many are commented out, but a large part remains active. I want to keep certain rules like FTP and SSH, and also create my own rules (I’ve found how to do this in the documentation).

Is there another method if this doesn’t work, maybe by commenting out in suricata.yaml and copying the FTP, SSH, etc. rules from Suricata and creating my own rules in the /etc/suricata/rules/local.rules file:

rule-files:
  - suricata.rules

Thanks in advance for the responses.

This likely won’t get all the rules as ET/open rules are also downloaded by default.

When I want to disable all rules I’ll use a modify.conf that looks like:

re: .

As disable is done after enable, this will disable all rules.

However, in some cases where you only want to run a small number of hand-maintained or written rules it's just easier to not use Suricata-Update. Instead I'd modify suricata.yaml and just point it at my rule file, say /etc/suricata/local.rules or something.

Hope that helps.

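The ordering the reply describes (enable matchers applied first, disable matchers after, so a disable match always wins) is what makes "disable everything, then re-enable a few groups" come out empty. The model below is an added example, not suricata-update's own code: it implements only the group:, re: and sid: matcher forms that appear in this thread, matches group: against the bare file name (suricata-update matches the path inside the downloaded archive, so this is a simplification), and runs on a constructed rule set whose sids and file names are made up. The `re: .` line from the reply is taken here as a disable.conf entry; the names Rule, apply_filters and build_sample_rules are this example's own.

```python
"""Model of how enable.conf and disable.conf matchers combine in suricata-update.

Added example, not suricata-update's own code. It models the order the reply
describes: enable matchers run first, disable matchers after, so a rule that
matches both ends up disabled. Only the group:, re: and sid: matcher forms are
implemented, and group: is matched against the bare file name. The rule set
is constructed; sids and file names are made up.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    group: str        # file the rule came from, e.g. "ftp-events.rules"
    text: str         # rule text without any leading '#'
    enabled: bool = True


def parse_matcher(line):
    """Turn one line of enable.conf/disable.conf into a predicate on Rule."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("group:"):                     # shell-style glob on the file name
        pattern = line[len("group:"):].strip()
        return lambda r: fnmatch.fnmatch(r.group, pattern)
    if line.startswith("re:"):                        # regex searched in the rule text
        regex = re.compile(line[len("re:"):].strip())
        return lambda r: regex.search(r.text) is not None
    if line.startswith("sid:"):
        line = line[len("sid:"):].strip()
    if line.isdigit():                                # bare sid or sid:N
        sid = int(line)
        return lambda r: r.sid == sid
    raise ValueError("unsupported matcher line: %r" % line)


def load_matchers(conf_text):
    return [m for m in map(parse_matcher, conf_text.splitlines()) if m]


def apply_filters(rules, enable_conf, disable_conf):
    """Apply enable matchers, then disable matchers, to every rule in place."""
    enable = load_matchers(enable_conf)
    disable = load_matchers(disable_conf)
    for rule in rules:
        if any(m(rule) for m in enable):
            rule.enabled = True
        if any(m(rule) for m in disable):             # applied last, so it overrides
            rule.enabled = False
    return rules


def enabled_groups(rules):
    return sorted({r.group for r in rules if r.enabled})


def build_sample_rules():
    """Constructed stand-in for a downloaded rule set; sids and groups are made up."""
    return [
        Rule(9000001, "ftp-events.rules", 'alert ftp any any -> any any (msg:"FTP sample"; sid:9000001; rev:1;)'),
        Rule(9000002, "ssh-events.rules", 'alert ssh any any -> any any (msg:"SSH sample"; sid:9000002; rev:1;)'),
        Rule(9000003, "dns-events.rules", 'alert dns any any -> any any (msg:"DNS sample"; sid:9000003; rev:1;)'),
        Rule(9000004, "emerging-scan.rules", 'alert tcp any any -> any any (msg:"ET SCAN sample"; sid:9000004; rev:1;)'),
        Rule(9000005, "emerging-dos.rules", 'alert tcp any any -> any any (msg:"ET DOS sample"; sid:9000005; rev:1;)'),
    ]


def scenario_disable_all_then_enable_some():
    """The follow-up's attempt: 'group:*' in disable.conf, two groups in enable.conf."""
    rules = apply_filters(build_sample_rules(),
                          "group:ftp-events.rules\ngroup:ssh-events.rules",
                          "group:*")
    return enabled_groups(rules)          # [] : the disable pass wins


def scenario_re_dot():
    """The reply's catch-all: 're: .' matches every rule."""
    return enabled_groups(apply_filters(build_sample_rules(), "", "re: ."))


def scenario_disable_only_unwanted():
    """Naming only the groups to drop leaves the rest enabled (this model's own scenario)."""
    return enabled_groups(apply_filters(build_sample_rules(), "",
                                        "group:emerging-*\ngroup:dns-events.rules"))


if __name__ == "__main__":
    print("disable all, enable some :", scenario_disable_all_then_enable_some())
    print("re: .                    :", scenario_re_dot())
    print("disable only unwanted    :", scenario_disable_only_unwanted())
```

The first two scenarios return an empty list because every rule that enable.conf switched on is switched off again by the later disable pass; the third keeps the FTP and SSH groups because disable.conf never names them.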

Hello, thank you for your response.

I’ve tried several methods and managed to get it working, though I’m not sure if it’s the correct way. As long as it works, that’s what matters.

Disabling Rules

First, I managed to disable all groups in the disable.conf file using this method, which I find quite effective. It disabled all the rules:

group:*

Activating Specific Rules

Next, I wanted to activate the groups I was interested in by adding them to the activate.conf file. The only problem is that the suricata-update command compiles/generates the suricata.rules file, but it’s empty due to an issue.

I’m not sure if this method exists or if the documentation is outdated, but I couldn’t find anything. It might be useful to read both files (disable and enable) and compare them to avoid errors. This could simplify things.

Improvement Suggestions

I also recommend adding a command to display all rules, sorted by color or by state (enabled/disabled), as I found nothing in the documentation or forums.

My Solution

Here’s the solution I found for disabling all the rules using the documentation and the suricata-update -v command, which provided the locations of most rules as well as the zip file containing all the rule files.

Groups of Rules Found with suricata-update -v

# Pack base rules local
group:app-layer-events.rules
group:decoder-events.rules
group:dhcp-events.rules
group:dnp3-events.rules
group:dns-events.rules
group:ssh-events.rules
group:files.rules
group:ftp-events.rules
group:http-events.rules
group:http2-events.rules
group:ipsec-events.rules
group:kerberos-events.rules
group:modbus-events.rules
group:nfs-events.rules
group:ntp-events.rules
group:smb-events.rules
group:smtp-events.rules
group:stream-events.rules
group:tls-events.rules
group:3coresec.rules
group:botcc.portgrouped.rules
group:botcc.rules
group:ciarmy.rules
group:compromised.rules
group:drop.rules
group:dshield.rules
group:mqtt-events.rules
group:quic-events.rules
group:rfb-events.rules

# Pack download rules
group:threatview_CS_c2.rules
group:tor.rules
group:emerging-activex.rules
group:emerging-adware_pup.rules
group:emerging-attack_response.rules
group:emerging-chat.rules
group:emerging-coinminer.rules
group:emerging-current_events.rules
group:emerging-deleted.rules
group:emerging-dns.rules
group:emerging-dos.rules
group:emerging-exploit.rules
group:emerging-exploit_kit.rules
group:emerging-ftp.rules
group:emerging-games.rules
group:emerging-hunting.rules
group:emerging-icmp.rules
group:emerging-icmp_info.rules
group:emerging-imap.rules
group:emerging-inappropriate.rules
group:emerging-info.rules
group:emerging-ja3.rules
group:emerging-malware.rules
group:emerging-misc.rules
group:emerging-mobile_malware.rules
group:emerging-netbios.rules
group:emerging-p2p.rules
group:emerging-phishing.rules
group:emerging-policy.rules
group:emerging-rpc.rules
group:emerging-scada.rules
group:emerging-scan.rules
group:emerging-shellcode.rules
group:emerging-smtp.rules
group:emerging-snmp.rules
group:emerging-sql.rules
group:emerging-telnet.rules
group:emerging-tftp.rules
group:emerging-user_agents.rules
group:emerging-voip.rules
group:emerging-web_client.rules
group:emerging-web_server.rules
group:emerging-web_specific_apps.rules
group:emerging-worm.rules
group:emerging-pop3.rules
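The follow-up asks for a way to display all rules by state. As an added example, not part of this thread and not a suricata-update command, the script below parses the merged suricata.rules file and reports each rule as enabled or disabled, relying on suricata-update's convention of writing a disabled rule with a leading '#' in front of the rule text. The sample input is constructed with made-up sids and messages, the default output path is assumed to be the usual /var/lib/suricata/rules/suricata.rules, and parse_rules, summarize and render are this example's own names.

```python
"""List rules in a generated suricata.rules file by state (enabled/disabled).

Added example, not part of the thread and not a suricata-update feature. It
assumes suricata-update's output convention: a disabled rule is written with
a leading '#'. Comment lines that are not rules are ignored, and lines ending
in a backslash are joined as Suricata's own parser does. SAMPLE is constructed;
its sids and messages are made up.
"""
import re
import sys
from collections import Counter

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")


def _logical_lines(text):
    """Yield rule lines with backslash continuations joined."""
    buf = []
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        buf.append(line)
        yield "".join(buf)
        buf = []
    if buf:
        yield "".join(buf)


def parse_rules(text):
    """Return one dict per rule: sid, msg, action, classtype, enabled."""
    rules = []
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        action = body.split(None, 1)[0] if body else ""
        if action not in ACTIONS:
            continue                      # plain comment, not a commented-out rule
        sid = SID_RE.search(body)
        msg = MSG_RE.search(body)
        ctype = CLASSTYPE_RE.search(body)
        rules.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "action": action,
            "classtype": ctype.group(1) if ctype else "",
            "enabled": enabled,
        })
    return rules


def summarize(rules):
    """Overall and per-classtype counts of enabled/disabled rules."""
    def state(r):
        return "enabled" if r["enabled"] else "disabled"
    total = Counter(state(r) for r in rules)
    per_class = {}
    for r in rules:
        per_class.setdefault(r["classtype"] or "(none)", Counter())[state(r)] += 1
    return total, per_class


def render(rules):
    """One row per rule, enabled rules first, then by sid."""
    ordered = sorted(rules, key=lambda r: (not r["enabled"], r["sid"] or 0))
    return ["%s  %8s  %-6s %s" % ("ENABLED " if r["enabled"] else "disabled",
                                   r["sid"], r["action"], r["msg"])
            for r in ordered]


SAMPLE = """\
# Constructed sample in the shape of suricata-update output (not real rules)
alert tcp any any -> any 21 (msg:"SAMPLE FTP rule kept enabled"; flow:to_server; classtype:protocol-command-decode; sid:9000001; rev:1;)
# alert tcp any any -> any 22 (msg:"SAMPLE SSH rule disabled via disable.conf"; classtype:protocol-command-decode; sid:9000002; rev:1;)
alert http any any -> any any (msg:"SAMPLE HTTP rule wrapped across two lines"; \\
    classtype:web-application-attack; sid:9000003; rev:2;)
# An ordinary comment line, not a commented-out rule.
#alert dns any any -> any 53 (msg:"SAMPLE DNS rule disabled"; classtype:policy-violation; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    # Usage: python list_rules.py /var/lib/suricata/rules/suricata.rules
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    parsed = parse_rules(text)
    print("\n".join(render(parsed)))
    print(dict(summarize(parsed)[0]))
```

Run with no argument it processes the embedded sample; pointed at the real merged file it gives the enabled-first listing and the enabled/disabled totals, which is a quick way to confirm whether a disable.conf change actually took effect after suricata-update ran.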