I am trying to disable the http protocol from the app-layer section, but when executing the suricata-update command I get the following error:
11/16/2023 – 10:35:37 - – app-layer-protocol keyword supplied with unknown protocol “http”
11/16/2023 – 10:35:37 - – error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"TGI HUNT MS Copyright Banner Inbound"; flow:established; content:" Copyright |28|C|29|"; content:"Microsoft Corp"; distance:0; app-layer-protocol:!http; threshold:type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2610668; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 844
This is just an example, since that mistake is repeated with at least 10 more rules. I have tried disabling those rules in the disable.conf file but I still get the error.
The error, at least in the rule you’ve included, is caused by the negation excluding the signature from alerting on HTTP traffic when the protocol is disabled.
app-layer-protocol:!http;
In order for this negation to work, Suricata has to be able to detect HTTP, therefore the protocol is required to be enabled for this rule to be loaded by the engine.
If you disable the HTTP protocol, no rules that depend on it will be able to load and you’ll get errors on them.
When disabling such a heavily used protocol as HTTP, these errors are expected, and so long as Suricata loads the rest of the rules, you’ll be fine; you just won’t be able to use those rules.
May I ask why you’ve opted to disable the HTTP protocol? It’s used very heavily within network traffic and therefore, thousands of rules depend on it.
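As an added illustration of the dependency the answer describes (this is not code from the forum thread or from the Suricata project), the script below scans a rules file and lists every signature that needs the HTTP app-layer parser: either the rule header's protocol field is `http`, or the rule carries an `app-layer-protocol:` keyword naming `http`, negated or not, since `!http` still requires HTTP detection. The function and regex names are mine, and the sample rules are constructed for the demonstration, modelled on the rule quoted in the question. The second helper renders the matching sids one per line, which is the bare-sid format `suricata-update`'s `disable.conf` accepts.

```python
import re

# Constructed sample rules for this example (not taken from the original post),
# one per line, in the same syntax as the rule quoted in the question.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> any any (msg:"EXAMPLE banner not over http"; flow:established; content:"Copyright"; app-layer-protocol:!http; classtype:bad-unknown; sid:9000001; rev:1;)
alert http any any -> any any (msg:"EXAMPLE http keyword rule"; content:"Microsoft"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE plain tcp rule"; content:"foo"; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE positive alp"; app-layer-protocol:http; sid:9000004; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE already commented out"; app-layer-protocol:!http; sid:9000006; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE ssh alp"; app-layer-protocol:!ssh; sid:9000005; rev:1;)
"""

# sid:NNN; inside the rule options
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
# app-layer-protocol:[!]name; captures the optional negation and the name
ALP_RE = re.compile(r'app-layer-protocol:\s*(!?)\s*([A-Za-z0-9_-]+)\s*;')
# action followed by the header protocol field (alert http ..., alert tcp ...)
HEADER_RE = re.compile(r'^(?:alert|drop|pass|reject)\s+(\S+)\s')


def rules_depending_on(rules_text, protocol):
    """Return a list of (sid, reason) for rules that cannot load when the
    given app-layer protocol is disabled.

    A rule depends on the protocol when its header protocol is that protocol
    or when an app-layer-protocol keyword names it. A negated keyword
    (app-layer-protocol:!http) still counts: Suricata must detect HTTP to
    know the flow is not HTTP."""
    found = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank or already-disabled rule
        m_sid = SID_RE.search(line)
        if not m_sid:
            continue  # not a well-formed rule line
        sid = int(m_sid.group(1))
        m_hdr = HEADER_RE.match(line)
        if m_hdr and m_hdr.group(1).lower() == protocol:
            found.append((sid, 'header protocol'))
            continue
        for neg, proto in ALP_RE.findall(line):
            if proto.lower() == protocol:
                reason = ('negated ' if neg else '') + 'app-layer-protocol keyword'
                found.append((sid, reason))
                break
    return found


def disable_conf_lines(rules_text, protocol):
    """Render the dependent sids in disable.conf's bare-sid form, each preceded
    by a comment line explaining why it was selected."""
    out = []
    for sid, reason in rules_depending_on(rules_text, protocol):
        out.append(f"# depends on {protocol}: {reason}")
        out.append(str(sid))
    return out


if __name__ == '__main__':
    # Run against the constructed sample; swap SAMPLE_RULES for the contents
    # of /var/lib/suricata/rules/suricata.rules to scan a real ruleset.
    print('\n'.join(disable_conf_lines(SAMPLE_RULES, 'http')))
```

The scan reports the reason per sid so that rules which merely exclude HTTP (`!http`) can be told apart from rules that inspect it; both fail to load once the parser is off, which is why the error in the question repeats across many signatures.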