Suricata default rules (suricata.rules) not loading all rules

Please include the following information with your help request:

  • Suricata version : latest
  • Operating system and/or Linux distribution : Ubuntu 22.04

Hi,
I am new to Suricata and I installed the latest Suricata. I have enabled 3 rule sources and it loaded 50499 rules. When I was updating the Suricata rules using suricata-update, I noticed that it was saying:

  • Loaded 50499 rules
  • Disabled 14 rules
  • Writing rules to /var/lib/suricata/rules/suricata.rules: total: 50485; enabled: 38496; added: 47; removed 7; modified: 1569

This gives me some confusion. Also, I went to check the /var/lib/suricata/rules/suricata.rules file and noticed that some rules are hashed out.
What is the reason for hashing those rules by default?
Why are the 50485 rules not all enabled by default?
Please help me with this.

The rules are not loaded because the upstream rule provider (for example, Emerging Threats/Proofpoint) ships these rules as disabled (“commented out” with #) by default. There could be various reasons to do this, for instance

  • the threat vector described by the rule is no longer relevant,
  • the rule may be too expensive performance-wise to be enabled permanently and must be enabled manually,
  • the rule might still be experimental and prone to false positives,
  • …

Only the rule provider knows why. Hence it might also be a good idea to ask in the Emerging Threats forum (https://community.emergingthreats.net/) in case you are using their rules and have noticed this phenomenon there.

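To make the "total / enabled" numbers in the suricata-update output concrete, here is an added example (not code from the original thread, from Suricata or from suricata-update) that parses a rules file the way a reader would inspect suricata.rules by hand: a line beginning with an action keyword and carrying a sid is an enabled rule, the same line prefixed with # is a rule the provider shipped disabled, and everything else is an ordinary comment. The sample ruleset, the sid numbers 9000001 to 9000004 and the summary format are constructed for this example; the real file is /var/lib/suricata/rules/suricata.rules as mentioned in the question.

```python
import re
import sys

# Constructed sample in the shape of a suricata-update output file.
# Not a real ruleset: the sids and messages are made up for this example.
SAMPLE_RULES = """\
# Generated by suricata-update (constructed sample, not a real file)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SAMPLE outbound SMTP"; flow:established,to_server; sid:9000001; rev:1;)
# alert icmp any any -> any any (msg:"SAMPLE ICMP echo, disabled by provider"; itype:8; sid:9000002; rev:2;)
alert http any any -> any any (msg:"SAMPLE HTTP URI"; http.uri; content:"/sample"; sid:9000003; rev:1;)
#alert dns any any -> any any (msg:"SAMPLE DNS query, disabled by provider"; dns.query; content:"sample"; sid:9000004; rev:1;)

# a plain comment line, not a rule
"""

# Rule actions Suricata accepts at the start of a rule line.
RULE_ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def classify_rules(text):
    """Split a rules file into enabled rules, provider-disabled (commented) rules
    and other lines. Returns the sids so the disabled ones can be looked at."""
    enabled, disabled, other = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        # A disabled rule is just the rule text behind one or more '#' characters.
        body = line.lstrip("#").strip() if commented else line
        first_token = body.split(None, 1)[0] if body else ""
        match = SID_RE.search(body)
        if first_token in RULE_ACTIONS and match:
            (disabled if commented else enabled).append(int(match.group(1)))
        else:
            other += 1  # header comments, free-text comments, anything unparsable
    return {"enabled": enabled, "disabled": disabled, "other": other}


def summary(text):
    """One-line summary in the spirit of suricata-update's 'total: N; enabled: M'.
    The wording is this example's own, not suricata-update's exact format."""
    counts = classify_rules(text)
    total = len(counts["enabled"]) + len(counts["disabled"])
    return f"total: {total}; enabled: {len(counts['enabled'])}; disabled: {len(counts['disabled'])}"


if __name__ == "__main__":
    # With no argument the constructed sample is analysed; pass the real path
    # (e.g. /var/lib/suricata/rules/suricata.rules) to inspect your own file.
    data = SAMPLE_RULES if len(sys.argv) < 2 else open(sys.argv[1], encoding="utf-8", errors="replace").read()
    result = classify_rules(data)
    print(summary(data))
    print("disabled sids:", result["disabled"][:20], "..." if len(result["disabled"]) > 20 else "")
```

The gap between "total" and "enabled" in the question is exactly the number of these commented-out rules. If you decide a disabled rule is worth the cost described in the answer above, do not uncomment it in suricata.rules directly, because suricata-update regenerates that file on every run; instead list the sid (or a `re:` pattern or `group:` filename) in /etc/suricata/enable.conf, rerun suricata-update and reload Suricata, and watch the performance counters afterwards since the rule may have been disabled for being expensive.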

Thank you for the information. It was really helpful.