Hello. I’m using suricata 6.0.9. Is it possible to disable all of sources for suricata-update? I need disable config, but I don’t need new rules because there are so much false-positives for our network. And I can’t use disable.conf without suricata-update.
Without any configured sources suricata-update uses emerging threats by default. Can I change this behaviour to none?
Unfortunately this is a little harder than it should be.
One option is to just uncomment the rule section in suricata.yaml, that will disable loading of all rules. Or just disable the rule file suricata.rules which is the output of suricata-update.
If you really want suricata-update to process no rules, add an empty rule source, something like this should do:
touch /etc/suricata/empty.rules
suricata-update add-source empty /etc/suricata/empty.rules
this will leave you with 0 rules, or just the engine provided rules.