I have the stream-events group in disable.conf. I also have this cron job set up to run nightly:
30 23 * * * /bin/suricata-update update-sources && /bin/suricata-update && /bin/suricatasc -c reload-rules
It seems that whenever this job runs, the STREAM rules are no longer commented out and they start piling up in the eve.json file. I don’t even have an enable.conf file in /etc/suricata/, so not sure where/how the STREAM rules keep getting re-enabled…my guess is something to do with the cron job, but hoping someone can point out for me what might be causing this behavior.