Hello. I’m using Suricata 6.0.9. Is it possible to disable all sources for suricata-update? I need the disable config, but I don’t need new rules because there are so many false positives for our network. And I can’t use disable.conf without suricata-update.
Without any configured sources, suricata-update uses Emerging Threats by default. Can I change this behaviour to none?
Unfortunately this is a little harder than it should be.
One option is to just uncomment the rule section in `suricata.yaml`; that will disable loading of all rules. Or just disable the rule file `suricata.rules`, which is the output of suricata-update.
If you really want suricata-update to process no rules, add an empty rule source. Something like this should do:

```
touch /etc/suricata/empty.rules
suricata-update add-source empty /etc/suricata/empty.rules
```

This will leave you with 0 rules, or just the engine-provided rules.