Suricata-update activate commented rule

headfish · November 30, 2020, 1:53am

After downloading the ET rule file, I commented out the unused rules.

After executing suricata-update, suricata.rules file was created, but the rule I commented out was uncommented.

There was also a problem in that the rule registered in disable.conf for the rule with flowbit warning was continuously activated.

Doesn’t suricata-update check the presence or absence of comments when reading the rule file?
In order to disable the rule, is the only way to register in disable.conf?

[warning: sid 2016502]

[sid 2016502 rule is commented]

ish · November 30, 2020, 4:29pm

No it doesn’t. Suricata-Update downloads rules, processes those rules by applying the disables, enables, modifies, etc. The writes out suricata.rules. It is unaware of edits you made directly to the output file.

Topic		Replies	Views
Suricata-update adds commented/disabled rules to the suricata.rules Rules	8	3061	January 5, 2021
Commented rules explanation Rules rules	5	911	August 4, 2021
All of a sudden new entries in disable.conf being ignored Help	8	1758	October 28, 2022
Disable rules by SID not working	5	341	March 15, 2024
Suricata - disable.conf seems not working Rules	2	923	July 8, 2021

Suricata-update activate commented rule

Related Topics