ET Open Rule comment

I don’t know if it is right to ask a question about ET rules here, but I’ll ask anyway.

Are the rules that are commented out in the ET ruleset disabled due to false positives?

Is it possible to enable this commented-out rule in suricata-update?

Yes, I think you want to run with --enable-conf=yourenable.conf

You can enable groups or single rules by SID.

```
# suricata-update - enable.conf

# Example of enabling a rule by signature ID (gid is optional).
# 1:2019401
# 2019401

# Example of enabling a rule by regular expression.
# - All regular expression matches are case insensitive.
# re:heartbleed
# re:MS(0[7-9]|10)-\d+

# Examples of enabling a group of rules.
# group:emerging-icmp.rules
# group:emerging-dos
# group:emerging*
```

https://suricata-update.readthedocs.io/en/latest/update.html?highlight=enable-confg#cmdoption-enable-conf

https://suricata-update.readthedocs.io/en/latest/update.html?highlight=enable-confg#example-enable-conf

To answer the question about why rules are disabled, there are several reasons: it could be due to FPs, it could be due to the activity no longer being relevant/observed in the wild, it could be due to compilation, or when we occasionally move rules from Pro to Open. In the future we are considering having a metadata indicator to provide a reason why.
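A simplified model of how the enable.conf matchers shown in the answer above (SID, `re:`, `group:`) select commented-out rules, added here as an illustration; it is not suricata-update's own code. The rule text, the SIDs in the 9000000 range and the function names are constructed, and group matching is assumed to compare the rules file name with and without its `.rules` extension.

```python
import fnmatch
import re

# Constructed sample rules (not real ET signatures); a leading "#" marks a disabled rule.
SAMPLE_RULES = {
    "emerging-dos.rules": [
        '#alert udp any any -> any 123 (msg:"EXAMPLE DOS ntp probe"; sid:9000001; rev:1;)',
        'alert tcp any any -> any 80 (msg:"EXAMPLE DOS slow post"; sid:9000002; rev:1;)',
    ],
    "emerging-icmp.rules": [
        '#alert icmp any any -> any any (msg:"EXAMPLE ICMP heartbleed test"; sid:9000003; rev:1;)',
    ],
}
RULE_RE = re.compile(
    r"^(?P<off>#\s*)?(?P<raw>(?:alert|drop|pass|reject)\s.*\bsid:\s*(?P<sid>\d+);.*)$")

def parse_matchers(conf_text):
    """Turn enable.conf lines into (kind, value) pairs; comments and blanks are skipped."""
    out = []
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            out.append(("re", re.compile(line[3:].strip(), re.I)))  # case insensitive
        elif line.startswith("group:"):
            out.append(("group", line[6:].strip()))
        elif re.fullmatch(r"(\d+:)?\d+", line):                     # "gid:sid" or "sid"
            out.append(("sid", int(line.split(":")[-1])))
    return out

def matches(matcher, filename, raw, sid):
    kind, value = matcher
    if kind == "sid":
        return sid == value
    if kind == "re":
        return value.search(raw) is not None
    stem = filename[:-len(".rules")] if filename.endswith(".rules") else filename
    return fnmatch.fnmatch(filename, value) or fnmatch.fnmatch(stem, value)

def would_enable(conf_text, rules=SAMPLE_RULES):
    """Return sorted SIDs of currently disabled rules that the enable.conf text selects."""
    matchers, hits = parse_matchers(conf_text), set()
    for filename, lines in rules.items():
        for line in lines:
            m = RULE_RE.match(line.strip())
            if m and m.group("off") and any(
                    matches(x, filename, m.group("raw"), int(m.group("sid"))) for x in matchers):
                hits.add(int(m.group("sid")))
    return sorted(hits)
```

A matcher line that is still prefixed with `#` in enable.conf is a comment and selects nothing, so the sample lines have to be uncommented before they take effect.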