Disable rules by SID not working

I created the disable.conf and placed some sids in it that I want to disable.
When I run suricata-update it says that the rules have been disabled and the rules are even commented out in suricata.rules. But still I get alerts with that sid.

Thanks in advance!

My disable.conf looks like the following:

2013929
2013926
2027390
group:app-layer-events.rules
group:decoder-events.rules
group:dhcp-events.rules
group:dnp3-events.rules
group:dns-events.rules
group:files.rules
group:ftp-events.rules
group:http2-events.rules
group:http-events.rules
group:ipsec-events.rules
group:kerberos-events.rules
group:modbus-events.rules
group:mqtt-events.rules
group:nfs-events.rules
group:ntp-events.rules
group:quic-events.rules
group:rfb-events.rules
group:smb-events.rules
group:smtp-events.rules
group:ssh-events.rules
group:stream-events.rules
group:tls-events.rules

The rules identified by the groups are commented out in the suricata.rules file and disabled.
The rules identified by the sids are also commented out but not disabled.

Just to confirm – the rules that you wanted to be disabled are commented out in the rules file created by suricata-update?

Can you run and confirm that the rules file used by suricata is the one produced by suricata-update?

 $ suricata -c suricata.yaml --dump-config|grep -e default-rule-path -e rule-files
default-rule-path = /var/lib/suricata/rules
rule-files = (null)
rule-files.0 = suricata.rules

This shows that suricata will use /var/lib/suricata/rules/suricata.rules.

Yeah, it's the same for me.
It's strange because, as I said, when I grep for the sid in suricata.rules it's commented out.

Suricata will ignore lines in the rules file that begin with # so I’m not sure why alerts appear for disabled rules.

Did you restart the engine or reload the rules after modifying them?
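
The check discussed in this thread can be scripted. The following is an added example, not code from any poster or from the Suricata project: it lists the bare numeric SIDs from a disable.conf that still have an uncommented rule line in a given rules file. The function names and the sample rule lines are constructed for illustration; for a real check, pass the rules path reported by --dump-config.

```shell
#!/bin/sh
# Added example (not from the thread). Handles bare numeric SIDs only;
# group: and other non-numeric entries in disable.conf are skipped.

# Print the bare numeric SIDs listed in a disable.conf ($1).
disabled_sids() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -E '^[0-9]+$'
}

# Print each SID from disable.conf ($1) that still has an uncommented rule
# line in the rules file ($2). Prints nothing when all are commented out.
still_active() {
    disabled_sids "$1" | while read -r sid; do
        # Drop comment lines first, then look for "sid:<n>;" in what is left.
        if grep -v '^[[:space:]]*#' "$2" | grep -Eq "sid:[[:space:]]*${sid};"; then
            echo "$sid"
        fi
    done
}

# Constructed sample files (not real rules), so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/disable.conf" <<'EOF'
2013929
2013926
2027390
group:dns-events.rules
EOF
cat > "$demo_dir/suricata.rules" <<'EOF'
# alert http any any -> any any (msg:"constructed A"; sid:2013929; rev:1;)
# alert http any any -> any any (msg:"constructed B"; sid:2013926; rev:1;)
alert dns any any -> any any (msg:"constructed C"; sid:2027390; rev:1;)
EOF

echo "SIDs listed in disable.conf but still active in the rules file:"
still_active "$demo_dir/disable.conf" "$demo_dir/suricata.rules"
```

An empty result means every listed SID is commented out in that file, so alerts for those SIDs point to the running engine not having loaded it yet.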