I am trying to disable a rule “the odd way” using modify.conf. Partially motivated by Jason’s tip here.
I am facing a similar situation where a single rule has to be deactivated, while the rest of the category shall be enabled using enabled.conf. The latter configuration re-enables the initially disabled rule (using disabled.conf), ending up in a non-disabled rule.
Since modify.conf comes last, how can I use it to disable a rule? For example:
alert http any any -> any any (msg:"TGI HUNT PHP magic bytes in HTTP response"; flow:established,to_client; content:"<?php"; nocase; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610133; rev:1;)
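An added, self-contained Python model (not suricata-update's own code) of the filter order the post describes: disable first, then enable, then modify, run over the posted rule plus a constructed sibling in the same category. The modify entry it demonstrates, substituting a leading "#" so the rule re-parses as disabled, is an assumption about how the tool treats the modified rule and should be verified against your installed suricata-update version.

```python
import re

# Constructed sample input: the rule from the post and a sibling of the same category.
RULES = [
    'alert http any any -> any any (msg:"TGI HUNT PHP magic bytes in HTTP response"; '
    'flow:established,to_client; content:"<?php"; nocase; threshold:type limit, track by_src, '
    'seconds 60, count 1; classtype:bad-unknown; sid:2610133; rev:1;)',
    'alert http any any -> any any (msg:"TGI HUNT constructed sibling"; '
    'classtype:bad-unknown; sid:2610134; rev:1;)',
]

def parse(line):
    """Minimal rule parser: a leading '#' marks the rule as disabled."""
    stripped = line.lstrip()
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    sid = int(re.search(r"sid:\s*(\d+)", body).group(1))
    return {"sid": sid, "enabled": enabled, "text": body}

def matches(rule, selector):
    """Selector forms modelled here: a bare sid, or 're:<regex>' over the rule text."""
    if selector.startswith("re:"):
        return re.search(selector[3:], rule["text"]) is not None
    return rule["sid"] == int(selector)

def apply_filters(rules, disable, enable, modify):
    """Apply the three filter lists in the order the post describes: disable, enable, modify."""
    out = []
    for rule in rules:
        rule = dict(rule)
        if any(matches(rule, s) for s in disable):
            rule["enabled"] = False
        if any(matches(rule, s) for s in enable):          # enable runs after disable
            rule["enabled"] = True
        for selector, pattern, repl in modify:              # modify runs last
            if matches(rule, selector):
                prefix = "" if rule["enabled"] else "#"
                # Assumption: the substituted text is re-parsed, so '#alert' reads as disabled.
                rule = parse(re.sub(pattern, repl, prefix + rule["text"]))
        out.append(rule)
    return out

def demo():
    """disable sid 2610133, re-enable the whole category, then disable 2610133 again via modify."""
    parsed = [parse(line) for line in RULES]
    modify = [("2610133", r"^alert", "#alert")]       # modify.conf style: sid "from" "to"
    return apply_filters(parsed, ["2610133"], ["re:TGI HUNT"], modify)

if __name__ == "__main__":
    for r in demo():
        print(r["sid"], "enabled" if r["enabled"] else "disabled")
```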