Suricata-update activate commented rule

After downloading the ET rule file, I commented out the unused rules.

After executing suricata-update, the suricata.rules file was created, but the rule I commented out was uncommented.

There was also a problem in that the rule registered in disable.conf for the rule with flowbit warning was continuously activated.

Doesn’t suricata-update check the presence or absence of comments when reading the rule file?
In order to disable the rule, is the only way to register it in disable.conf?


[warning: sid 2016502]


[sid 2016502 rule is commented]

No, it doesn’t. Suricata-Update downloads rules, processes those rules by applying the disables, enables, modifies, etc. Then it writes out suricata.rules. It is unaware of edits you made directly to the output file.
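One way to carry hand-made comment-outs over into disable.conf so they survive the next suricata-update run, as an added example that is not part of the original thread or of Suricata-Update itself. It assumes one rule per line; the function names and the sample rules (apart from sid 2016502, taken from the question) are constructed for illustration.

```python
import re
import sys

# A commented-out rule: one or more '#', then a rule action, then "(options)".
_DISABLED_RULE = re.compile(
    r"^\s*#+\s*(?:alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s.*\(.*\)\s*$"
)
_SID = re.compile(r"[;(\s]sid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"[;(\s]gid\s*:\s*(\d+)\s*;")

# Constructed sample input; the rule bodies are placeholders, not real ET rules.
SAMPLE = """\
# Constructed sample rules for this example.
alert tcp any any -> any 80 (msg:"constructed enabled rule"; sid:9000001; rev:1;)
#alert tcp any any -> any 80 (msg:"constructed disabled rule"; sid:2016502; rev:3;)
# alert udp any any -> any 53 (msg:"constructed disabled rule 2"; gid:1; sid:9000002; rev:1;)
# This comment mentions sid:9000003; but is not a rule
"""


def commented_rule_ids(rules_text):
    """Return sorted, unique (gid, sid) pairs of commented-out rules."""
    found = set()
    for line in rules_text.splitlines():
        if not _DISABLED_RULE.match(line):
            continue  # enabled rule, blank line, or ordinary comment
        sid = _SID.search(line)
        if sid is None:
            continue  # looks like a rule but carries no sid; nothing to emit
        gid = _GID.search(line)
        found.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return sorted(found)


def disable_conf_lines(rules_text):
    """Format the pairs as gid:sid entries, one per disable.conf line."""
    return ["%d:%d" % pair for pair in commented_rule_ids(rules_text)]


if __name__ == "__main__":
    # Usage: python this_script.py edited.rules >> disable.conf
    # With no argument, the constructed SAMPLE above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    print("\n".join(disable_conf_lines(text)))
```

Review the generated entries before appending them, since rule files can also ship with rules that were commented out upstream rather than by you.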