Rule tuning and management - Exclusions and false positives

I am using suricata-update to manage rules. All my rules go to the default /var/lib/suricata/rules/suricata.rules

I have a need to bypass security scanners and potentially other false positives. Would creating another file in the same directory and adding it to the yaml be the best bet for this.

I am trying to find the best way to manage and tune things. I am relatively new to suricata and will take any advice to tune and manage rules. Exclusions and false positive management does not seem to have good documentation in my opinion. I have found some things about BPF and pass rules however usually it doesn’t say where to put them or suggest best practices.

I just assumed it was another rule file and not something I could manage via the suricata YAML.

Again any advise, guide, or training you can point me to around this would be appreciated.

suricata-update has the ability to disable rules based on sid, filename, rule group or even regular expression matches via the “disable.conf” file.

the format of these options is documented here
https://suricata-update.readthedocs.io/en/latest/update.html#rule-matching

and the use of them within the disable.conf can be seen in the section which mentions “Similarly, to disable rules use /etc/suricata/disable.conf”

https://suricata.readthedocs.io/en/suricata-6.0.0/rule-management/suricata-update.html#controlling-which-rules-are-used

If you are running a single suricata host, you can user IDSTower for free to manage your rules.