Suricata-update adds commented/disabled rules to the suricata.rules

The rule files contain disabled rules starting with “#”:
#alert tcp $EXTERNAL_NET …
Those are rules that usually give false-positive alerts, and I prefer not to have them active.
However, the suricata-update command is also adding those disabled rules to the suricata.rules file.

Is there a way that suricata-update will ignore those rules?

Are you able to provide an example of a rule, or the SID if a public rule that this is happening to? Rules may get enabled due to flowbit dependency resolution, however, such rules should also get “noalert” added to them.

For example, rule 2100408, located in emerging-icmp_info.rules, with definition:
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:2100408; rev:6;metadata:created_at 2010_09_23, updated_at 2010_09_23;)

In addition, putting 2100408 in the disable.conf does not disable this rule and my logs are flooded with it and there is no way to disable it.

This should stay disabled by default. Do you have any enable.conf settings that might be turning this rule on? When running suricata-update look at the first bit of output. You’ll see something like:

5/1/2021 -- 13:54:02 - <Info> -- Found Suricata version 6.0.1 at /usr/sbin/suricata.
5/1/2021 -- 13:54:02 - <Info> -- Loading /etc/suricata/disable.conf.
5/1/2021 -- 13:54:02 - <Info> -- Loading /etc/suricata/drop.conf.
5/1/2021 -- 13:54:02 - <Info> -- Loading /etc/suricata/suricata.yaml

which can help show which configuration files it's loading.

Yes, I also have enable.conf, but there is nothing enabled there:

5/1/2021 -- 22:07:42 - <Info> -- Loaded 29020 rules.
5/1/2021 -- 22:07:43 - <Info> -- Disabled 14 rules.
5/1/2021 -- 22:07:43 - <Info> -- Enabled 0 rules.
5/1/2021 -- 22:07:43 - <Info> -- Modified 0 rules.
5/1/2021 -- 22:07:43 - <Info> -- Dropped 0 rules.
5/1/2021 -- 22:07:44 - <Info> -- Enabled 153 rules for flowbit dependencies.
5/1/2021 -- 22:07:44 - <Info> -- Backing up current rules.

However, regardless of my empty enable.conf file, suricata-update is pushing 21592 enabled rules to the suricata.rules file:

5/1/2021 -- 22:07:50 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 29020; enabled: 21592; added:0; removed 0; modified: 0

Maybe it's being picked up from a local file source and already enabled? Add -v to the command line to see what rule files it is loading…

But I just confirmed: suricata-update, as installed with Suricata 6.0 and with no configuration, will not enable rule 2100408.

Yes, the rule is loaded from emerging-icmp_info.rules, which is fine.
The problem is that it is commented out (i.e. it starts with "#alert" and not "alert"), but suricata-update is still enabling it.
Does suricata-update distinguish between commented and uncommented rules in the rule files?

What I'm getting at is that maybe there is a rule file, perhaps in /etc/suricata/rules or somewhere similar, that is getting picked up and in which this rule exists in a non-commented-out state, so I'm trying to help determine why.

On a fresh install, without any configuration files, this is what I get from suricata-update:

5/1/2021 -- 20:30:55 - <Info> -- Using data-directory /var/lib/suricata.
5/1/2021 -- 20:30:55 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
5/1/2021 -- 20:30:55 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
5/1/2021 -- 20:30:55 - <Info> -- Found Suricata version 6.0.1 at /usr/sbin/suricata.
5/1/2021 -- 20:30:55 - <Info> -- Loading /etc/suricata/suricata.yaml
5/1/2021 -- 20:30:55 - <Info> -- Disabling rules for protocol http2
5/1/2021 -- 20:30:55 - <Info> -- Disabling rules for protocol modbus
5/1/2021 -- 20:30:55 - <Info> -- Disabling rules for protocol dnp3
5/1/2021 -- 20:30:55 - <Info> -- Disabling rules for protocol enip
5/1/2021 -- 20:30:55 - <Info> -- No sources configured, will use Emerging Threats Open
5/1/2021 -- 20:30:55 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.1/emerging.rules.tar.gz.
 100% - 2801842/2801842               
5/1/2021 -- 20:30:56 - <Info> -- Done.
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
5/1/2021 -- 20:30:56 - <Info> -- Ignoring file rules/emerging-deleted.rules
5/1/2021 -- 20:30:58 - <Info> -- Loaded 28654 rules.
5/1/2021 -- 20:30:58 - <Info> -- Disabled 14 rules.
5/1/2021 -- 20:30:58 - <Info> -- Enabled 0 rules.
5/1/2021 -- 20:30:58 - <Info> -- Modified 0 rules.
5/1/2021 -- 20:30:58 - <Info> -- Dropped 0 rules.
5/1/2021 -- 20:30:58 - <Info> -- Enabled 145 rules for flowbit dependencies.
5/1/2021 -- 20:30:58 - <Info> -- Creating directory /var/lib/suricata/rules.
5/1/2021 -- 20:30:58 - <Info> -- Backing up current rules.
5/1/2021 -- 20:30:58 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 28654; enabled: 21233; added: 28654; removed 0; modified: 0
5/1/2021 -- 20:30:58 - <Info> -- Writing /var/lib/suricata/rules/classification.config
5/1/2021 -- 20:30:58 - <Info> -- Testing with suricata -T.
5/1/2021 -- 20:31:21 - <Info> -- Done.
[root@ec66645915d2 /]# grep 2100408 /var/lib/suricata/rules/suricata.rules
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:2100408; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Yes, you are right, I opened enable.conf on another machine. Now on the correct machine I see it contains group:emerging*, which explains everything.
Thank you very much for the fast answers and detailed explanations.
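The outcome of this thread, modelled as an added example in Python: a line beginning with "#alert" is parsed as a rule that is merely disabled, and an enable.conf matcher such as group:emerging* switches it back on, which is why a disable.conf entry for 2100408 appeared to have no effect. This is not suricata-update's own code. The rule text, file names and config lines are constructed; the disable-then-enable order and the noalert handling for flowbit dependencies are assumptions about suricata-update's behaviour drawn from what this thread reports.

```python
"""Added example, not suricata-update's own code: a small model of how suricata-update
decides which rules end up enabled. Sample rules and config text are constructed;
the disable-then-enable order and the flowbit noalert handling are assumptions."""
import fnmatch
import re
from dataclasses import dataclass, field

RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|drop|pass|reject)\s")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"flowbits:\s*(\w+)(?:\s*,\s*([^;]+))?;")

@dataclass
class Rule:
    sid: int
    group: str            # rule file name; "group:" matchers compare against this
    raw: str              # rule text with any leading "#" removed
    enabled: bool
    noalert: bool = False
    sets: set = field(default_factory=set)   # flowbits this rule sets
    needs: set = field(default_factory=set)  # flowbits this rule tests

def parse_rules(group, text):
    """A line starting with '#alert' is still parsed as a rule, just a disabled one."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or ordinary comment, not a rule
        raw = line[len(m.group("off") or ""):]
        rule = Rule(int(SID_RE.search(raw).group(1)), group, raw, enabled=not m.group("off"))
        for op, names in FLOWBITS_RE.findall(raw):
            bits = {n.strip() for n in re.split(r"[&|]", names) if n.strip()}
            if op == "noalert":
                rule.noalert = True
            elif op in ("set", "toggle"):
                rule.sets |= bits
            elif op in ("isset", "isnotset"):
                rule.needs |= bits
        rules.append(rule)
    return rules

def parse_conf(text):
    """enable.conf / disable.conf lines: '<sid>', 'sid:<sid>', 'group:<glob>', 're:<regex>'."""
    matchers = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("group:"):
            fn = lambda r, p=line[6:].strip(): fnmatch.fnmatch(r.group, p)
        elif line.startswith("re:"):
            fn = lambda r, rx=re.compile(line[3:].strip()): rx.search(r.raw) is not None
        else:
            fn = lambda r, s=int(line.split(":")[-1]): r.sid == s
        matchers.append((line, fn))
    return matchers

def resolve(rules, enable_conf="", disable_conf=""):
    """Apply disable.conf, then enable.conf, then flowbit dependencies, in place.
    Returns {sid: reason} for every rule whose state the configuration changed."""
    reasons = {}
    disable, enable = parse_conf(disable_conf), parse_conf(enable_conf)
    for rule in rules:
        # Assumed order: disable matchers first, so "group:emerging*" re-enables the rule afterwards.
        for text, fn in disable:
            if rule.enabled and fn(rule):
                rule.enabled, reasons[rule.sid] = False, "disable.conf: " + text
        for text, fn in enable:
            if not rule.enabled and fn(rule):
                rule.enabled, reasons[rule.sid] = True, "enable.conf: " + text
    # A disabled rule that sets a flowbit an enabled rule depends on is switched on with noalert.
    changed = True
    while changed:
        changed = False
        needed = set().union(*(r.needs for r in rules if r.enabled))
        for rule in rules:
            if not rule.enabled and rule.sets & needed:
                rule.enabled = rule.noalert = changed = True
                reasons[rule.sid] = "flowbit dependency (noalert added)"
    return reasons

def render(rule):
    """The rule as it would be written to suricata.rules."""
    text = rule.raw
    if rule.noalert and "flowbits:noalert" not in text:
        text = text.rstrip(")") + " flowbits:noalert;)"
    return text if rule.enabled else "# " + text

# Constructed sample rule files; the first rule is modelled on the one discussed in the thread.
SAMPLE_FILES = {
    "emerging-icmp_info.rules":
        '#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:2100408; rev:6;)\n'
        'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE Echo Request"; itype:8; classtype:misc-activity; sid:9000001; rev:1;)\n',
    "emerging-web_client.rules":
        '#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE sets bit"; content:"a"; flowbits:set,sample.bit; classtype:misc-activity; sid:9000002; rev:1;)\n'
        'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE needs bit"; flowbits:isset,sample.bit; content:"b"; classtype:misc-activity; sid:9000003; rev:1;)\n',
}

def simulate(enable_conf="", disable_conf=""):
    """Return ({sid: rendered line}, {sid: reason}) for the constructed sample rule set."""
    rules = [r for group, text in SAMPLE_FILES.items() for r in parse_rules(group, text)]
    reasons = resolve(rules, enable_conf, disable_conf)
    return {r.sid: render(r) for r in rules}, reasons
```

Calling simulate(enable_conf="group:emerging*", disable_conf="2100408") reports 2100408 as enabled by enable.conf in spite of the disable.conf entry, which is the situation the original poster hit; with an empty enable.conf the commented rule stays written as "# alert …", and the only rule switched on without a config match is the flowbit setter, which gets noalert so it feeds its dependent rule without alerting itself.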