Modify.conf preserve existing rules

We are using “suricata-update” to keep the rules up to date. We are using the disable option to ensure that previously disabled rules are not enabled. However, we have had to modify a number of existing rules and the update overwrites our changes… I believe the solution is to use the modify.conf option, but I have been unsuccessful in getting this to work.

Can anyone provide an example of using the modify.conf file to exclude an IP address from a rule… so for example changing:

alert ip any any -> any any
to
alert ip any any -> [any,!192.168.1.2] any

Thanks, and we are running version 6.0.0

You could try a modify.conf line like:

re:ET\ MALWARE "-> any any" "-> [any,!1.1.1.1] any"

This will update the destination address field for all rules that have “ET MALWARE” in them.
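As an added check, not code from the thread or from suricata-update itself: a small Python simulation of how a re: modify.conf line rewrites rules, using the questioner's 192.168.1.2 in place of 1.1.1.1 and constructed sample rules. It assumes suricata-update's behaviour of searching the rule text with the matcher regex and applying from/to as a regex substitution; it does not call the tool.

```python
import re
import shlex

# Constructed sample rules standing in for a downloaded ruleset (not real ET sids).
SAMPLE_RULES = [
    'alert ip any any -> any any (msg:"ET MALWARE Example C2 checkin"; sid:9000001; rev:1;)',
    'alert ip any any -> any any (msg:"ET POLICY Example policy hit"; sid:9000002; rev:1;)',
]

# The answer's modify.conf line, with the questioner's address in place of 1.1.1.1.
MODIFY_CONF = r'''
# re:<regex> "<from>" "<to>"  (only re: filters are handled in this simulation)
re:ET\ MALWARE "-> any any" "-> [any,!192.168.1.2] any"
'''


def parse_modify_conf(text):
    """Return a list of (matcher_regex, from_regex, to_string) tuples."""
    filters = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # shlex handles both the quoted "<from>"/"<to>" fields and the
        # backslash-escaped space in re:ET\ MALWARE.
        parts = shlex.split(line)
        if len(parts) != 3 or not parts[0].startswith("re:"):
            raise ValueError("unsupported modify.conf line: %r" % line)
        filters.append((parts[0][len("re:"):], parts[1], parts[2]))
    return filters


def apply_modify_conf(rules, conf_text):
    """Apply each re: filter to every rule whose text matches its regex.

    Assumption: as in suricata-update, the matcher is searched in the rule
    text and <from>/<to> are applied with a regex substitution."""
    out = []
    for rule in rules:
        for matcher, src, dst in parse_modify_conf(conf_text):
            if re.search(matcher, rule):
                rule = re.sub(src, dst, rule)
        out.append(rule)
    return out


if __name__ == "__main__":
    for before, after in zip(SAMPLE_RULES, apply_modify_conf(SAMPLE_RULES, MODIFY_CONF)):
        print("changed  " if before != after else "unchanged", after)
```

Only the ET MALWARE rule gets the rewritten destination; the ET POLICY rule is left untouched. With the real tool, pass the file via suricata-update --modify-conf and grep the generated suricata.rules for the excluded address to confirm the change survives an update.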