We are using “suricata-update” to keep the rules up to date. We are using the disable option to ensure that previously disabled rules are not enabled. However, we have had to modify a number of existing rules and the update overwrites our changes… I believe the solution is to use the modify.conf option but I have been unsuccessful in getting this to work.
Can anyone provide an example of using the modify.conf file to exclude an IP address from a rule… so for example changing:
alert ip any any -> any any
to
alert ip any any -> [any,!192.168.1.2] any
Thanks, and we are running version 6.0.0
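A worked example of the modify.conf mechanism the post asks about, added here and not part of the original post or of suricata-update itself. suricata-update reads modify.conf (`--modify-conf PATH`, or `/etc/suricata/modify.conf` when present) line by line as `<match> "<regex>" "<replacement>"`, where `<match>` is a SID, `re:<regex>` (searched in the rule text) or `group:<filename>`, and the rewrite is a Python `re.sub()` of the regex over the rule. The script below re-implements those documented semantics so an entry can be dry-run against sample rules before the updater is invoked; the SIDs (1000001 to 1000003) and the rules themselves are constructed for the example. The replacement uses `!192.168.1.2`, Suricata's address syntax for "every address except 192.168.1.2", as the destination; the second entry shows the same exclusion applied to every rule that uses `$HOME_NET` as its source.

```python
"""Offline dry-run of suricata-update modify.conf entries.

Re-implementation of the documented modify.conf semantics (match a rule by
SID / regex / group, then rewrite it with a regex substitution) for testing
entries before running suricata-update.  Not suricata-update's own code;
SIDs and rules below are constructed for the example.
"""
import fnmatch
import re
import shlex

# Constructed sample ruleset; the first rule has the shape asked about in the post.
SAMPLE_RULES = [
    'alert ip any any -> any any (msg:"TEST all ip"; sid:1000001; rev:1;)',
    'alert ip any any -> any any (msg:"TEST other ip"; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"TEST web"; sid:1000003; rev:1;)',
]

# Constructed modify.conf with hypothetical SIDs.  Entry 1 rewrites one rule by
# SID, keeping the header up to the arrow (group 1) and replacing the "any"
# destination.  Entry 2 applies a regex-selected rewrite to every rule whose
# text contains HOME_NET.  A back-reference must not be the last thing before
# the closing quote: shell-style quoting reads \2" as an escaped quote.
SAMPLE_MODIFY_CONF = r'''
# <match> "<regex>" "<replacement>"
1000001 "^(alert ip any any -> )any" "\1!192.168.1.2"
re:HOME_NET "\$HOME_NET any ->" "[$HOME_NET,!192.168.1.2] any ->"
'''


def parse_sid(rule):
    """Return the rule's SID as an int, or None if the rule has none."""
    m = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    return int(m.group(1)) if m else None


def make_matcher(spec):
    """Build a predicate (rule, group) -> bool from the <match> field."""
    if spec.isdigit():
        sid = int(spec)
        return lambda rule, group=None: parse_sid(rule) == sid
    if spec.startswith("re:"):
        pat = re.compile(spec[3:], re.IGNORECASE)
        return lambda rule, group=None: pat.search(rule) is not None
    if spec.startswith("group:"):
        # group: matches the rule file the rule came from (e.g. emerging-trojan.rules)
        return lambda rule, group=None: group is not None and fnmatch.fnmatch(group, spec[6:])
    raise ValueError("unsupported match form: %s" % spec)


def parse_modify_conf(text):
    """Parse modify.conf text into a list of (matcher, compiled regex, replacement)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # shell-style quoting, so regex backslashes survive
        if len(tokens) != 3:
            raise ValueError('line %d: expected <match> "<regex>" "<replacement>"' % lineno)
        match_spec, pattern, repl = tokens
        # Oinkmaster-style \1 references become Python \g<1>, so a digit that
        # happens to follow the reference is not swallowed into the group number.
        repl = re.sub(r"\\(\d+)", r"\\g<\1>", repl)
        entries.append((make_matcher(match_spec), re.compile(pattern), repl))
    return entries


def apply_modify(rules, entries, group=None):
    """Apply every matching entry to every rule; return (new rules, number changed)."""
    out, changed = [], 0
    for rule in rules:
        new = rule
        for matcher, pattern, repl in entries:
            if matcher(new, group):
                new = pattern.sub(repl, new)
        if new != rule:
            changed += 1
        out.append(new)
    return out, changed


def dry_run(rules=SAMPLE_RULES, conf=SAMPLE_MODIFY_CONF):
    """Dry-run the constructed modify.conf against the constructed rules."""
    return apply_modify(rules, parse_modify_conf(conf))


if __name__ == "__main__":
    new_rules, count = dry_run()
    for r in new_rules:
        print(r)
    print("%d rule(s) modified" % count)
```

Once the entries rewrite the sample rules as intended, put them in `/etc/suricata/modify.conf` (or pass the file with `--modify-conf`), run `suricata-update`, and confirm the result with `grep 'sid:1000001' /var/lib/suricata/rules/suricata.rules` followed by `suricata -T -c /etc/suricata/suricata.yaml`, which loads the rewritten ruleset and reports any rule the engine refuses to parse. Because the rewrite is applied on every update, the change survives rule refreshes, which is exactly what editing the downloaded rule file by hand does not.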