Suricata - disable.conf seems not working


I am using suricata-update with the --no-merge option.

I opted to enable the entire emerging-exploit.rules group with the enable.conf file. There is a particular rule that is giving me a lot of false positives.

But when I insert its signature ID into the disable.conf file, the rule is still triggering (maybe because it is explicitly enabled in enable.conf). How can I disable that specific rule? Maybe suppress?

Currently the disables are done, then the enables are done, which can revert the disables. Unfortunately there is no way to do what you are trying to do, but it has come up in the past and I have a few ideas.

While pass is an option, note that the modify step happens last. You could add a line to modify.conf to disable this rule as a (slightly non-friendly) work-around.

Thanks for the rapid response.

A suppress rule seems to be a work-around as well.
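The suricata-update files discussed in this thread (enable.conf, disable.conf, modify.conf) and the threshold.config suppress alternative, written out side by side as an added example. This is not configuration from the thread or from the suricata-update project; the SID 2000001 and the 192.0.2.0/24 range are constructed placeholders, and the per-file comments describe the processing order given in the reply above.

```text
# --- /etc/suricata/enable.conf (what the question describes) ---
# Enables every rule in the file. Enables are processed AFTER disables,
# so a SID listed in disable.conf that also falls in this group is
# re-enabled here.
group:emerging-exploit.rules

# --- /etc/suricata/disable.conf ---
# 2000001 is a constructed placeholder SID, not a real rule.
# On its own this has no lasting effect on the rule above, because
# enable.conf runs later and reverts it.
2000001

# --- /etc/suricata/modify.conf (the work-around from the reply) ---
# Format: <sid> "<regex>" "<replacement>". The modify step runs last,
# so rewriting the action keyword into a comment leaves the rule
# disabled in the generated ruleset regardless of enable.conf.
2000001 "^alert" "#alert"

# --- /etc/suricata/threshold.config (the suppress alternative) ---
# Loaded by Suricata at runtime via "threshold-file:" in suricata.yaml,
# not by suricata-update. The rule stays loaded and is still evaluated;
# only its alerts are dropped, optionally scoped to an address range so
# the signature keeps firing for traffic outside the noisy source.
suppress gen_id 1, sig_id 2000001
suppress gen_id 1, sig_id 2000001, track by_src, ip 192.0.2.0/24
```

After changing modify.conf, rerun suricata-update and check the generated rule file for the SID to confirm it now starts with a `#`; with `--no-merge` that means looking in the per-source output file rather than a single merged suricata.rules. The suppress route is the better choice when the rule is only noisy for a known address range, because the signature keeps alerting elsewhere; the modify.conf route is the better choice when the rule should not run at all, since a suppressed rule still costs detection time on every packet it matches.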