Disabling a rule - the odd way

Hello everyone,

I am trying to disable a rule “the odd way” using modify.conf. Partially motivated by Jason’s tip here.

I am facing a similar situation where a single rule has to be deactivated, while the rest of the category shall be enabled using enabled.conf. The latter configuration re-enables the initially disabled rule (using disabled.conf), ending up in a non-disabled rule.

Since modify.conf comes last, how can I use it to disable a rule? For example:

alert http any any -> any any (msg:"TGI HUNT PHP magic bytes in HTTP response"; flow:established,to_client; content:"<?php"; nocase; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610133; rev:1;)


I managed to make it work:

2610133 "alert" "#alert" #TGI HUNT PHP magic bytes in HTTP response

Worked like a charm!
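
A quick way to check the result, as an added example that is not the poster's code or suricata-update's own: it applies the modify.conf entry above to the posted rule and then lists which sids are still active in the resulting rules text. It assumes the entry has the form `<sid> "<regex>" "<replacement>"` with an optional trailing ` #comment`, and that the regex is applied with Python `re.sub` semantics to the rule text; the function names and the second rule (sid 9000001) are constructed for illustration.

```python
import re
import shlex

# Rule and modify.conf entry as posted above.
RULE = ('alert http any any -> any any (msg:"TGI HUNT PHP magic bytes in HTTP response"; '
        'flow:established,to_client; content:"<?php"; nocase; '
        'threshold:type limit, track by_src, seconds 60, count 1; '
        'classtype:bad-unknown; sid:2610133; rev:1;)')
MODIFY_LINE = '2610133 "alert" "#alert" #TGI HUNT PHP magic bytes in HTTP response'
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_modify_line(line):
    """Split '<sid> "<regex>" "<replacement>" [ #comment]' into its fields."""
    line = line.split(" #", 1)[0]  # assumption: ' #' starts a trailing comment
    sid, pattern, repl = shlex.split(line)
    return int(sid), re.compile(pattern), repl


def apply_modify(rule, modify_line):
    """Simplified model: regex-substitute on the rule text when the sid matches."""
    sid, pattern, repl = parse_modify_line(modify_line)
    m = SID_RE.search(rule)
    if m is None or int(m.group(1)) != sid:
        return rule
    return pattern.sub(repl, rule)


def enabled_sids(rules_text):
    """Return sids of rules that are not commented out in a rules file's text."""
    active = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            active.add(int(m.group(1)))
    return active


if __name__ == "__main__":
    # Constructed rule whose msg also contains the word "alert".
    other = 'alert tcp any any -> any any (msg:"constructed alert test"; sid:9000001; rev:1;)'
    out = "\n".join(apply_modify(r, MODIFY_LINE) for r in (RULE, other))
    print(out)
    print("still enabled:", sorted(enabled_sids(out)))  # 2610133 must be absent
```

Under the `re.sub` assumption, an unanchored `"alert"` also rewrites any later occurrence of the word in the rule (for example inside `msg`), so `"^alert"` limits the change to the action keyword. `enabled_sids` can be run over the text of the generated rules file to confirm the sid no longer appears as active.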