Suricata-Update processes suricata.yaml but not custom.yaml

My custom.yaml file has address-groups that my suricata.yaml does not.

For my environment, I cannot replace/update the ‘suricata.yaml’ file for suricata, but I can update and maintain the ‘custom.yaml’ file for suricata.

What has happened is I have custom rules that use some very custom address-groups and suricata-update doesn’t see the var name in the ‘suricata.yaml’ address-groups and disables those rules.

Could we add the ability to parse/include the custom.yaml file next to the suricata.yaml file, after the suricata.yaml file so the options are correct for reference (address-groups for me would get updated/replaced by my custom.yaml and I would want to use the updated values from custom.yaml)?

Further, I might be lucky and have realized why my custom.yaml works like it does for me; they have these lines at the end of suricata.yaml:

include:
  - installed_rules.yaml
  - custom.yaml

What I’ve done now is set the suricata config to be ‘custom.yaml’ instead of ‘suricata.yaml’ for the suricata-update run:

suricata-update update --config /root/suricata/update.yaml --suricata-conf /usr/local/etc/suricata/custom.yaml --suricata /usr/local/bin/suricata --data-dir /usr/local/etc/suricata --threshold-in=/root/suricata/threshold.in --threshold-out=/usr/local/etc/suricata/threshold.config --output /usr/local/etc/suricata/opnsense.rules -v --no-test --no-reload

And after some testing, I found this did not fix it.

This rule modification does not appear to process correctly:

3300303 "any any -> any" "[any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]] any -> [any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]]"

The rule normally reads:

any any -> any any ...

Specifically it mentions that the port-group vars did not exist, which I kept thinking was odd. It would seem the issue is actually doing two any replacements on source and destination, and not doing the replacement or matching vars correctly?
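An added illustration of the two things described above (not code from suricata-update or from the post): merging custom.yaml address-groups over the suricata.yaml ones the way an `include:` list would, applying the modify line from the post, and then checking the resulting header's vars against address-groups and port-groups. The modify step is modelled as a plain regex substitution and the naive whitespace header split is an assumption used to show how a bracketed list containing spaces can land `$EXTERNAL_IP` in a port field, which would explain a "port-group var does not exist" message; the rule and addresses are constructed.

```python
import re

# Constructed stand-ins for the address-groups of suricata.yaml and custom.yaml.
# The var names come from the post; the addresses are made up for this example.
SURICATA_YAML_ADDR = {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}
CUSTOM_YAML_ADDR = {"EXTERNAL_IP": "[203.0.113.10]",
                    "REVERSE_PROXY_HOSTS": "[192.168.10.5]",
                    "ODD_HTTP_HOSTS": "[192.168.10.20]"}
PORT_GROUPS = {"HTTP_PORTS": "[80, 8080]"}

# Constructed rule plus the modify pattern/replacement from the post.
RULE = 'alert http any any -> any any (msg:"constructed example"; sid:3300303; rev:1;)'
MODIFY_PATTERN = "any any -> any"
MODIFY_REPL = ("[any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]] any -> "
               "[any, ![$EXTERNAL_IP, $REVERSE_PROXY_HOSTS, $ODD_HTTP_HOSTS]]")
VAR_RE = re.compile(r"\$([A-Za-z0-9_]+)")

def merge_vars(base, *included):
    """Later files win, like an 'include:' list at the end of suricata.yaml."""
    merged = dict(base)
    for extra in included:
        merged.update(extra)
    return merged

def apply_modify(rule, pattern, repl):
    """Apply a modify line as a plain regex substitution (assumed semantics)."""
    return re.sub(pattern, repl, rule)

def split_header(rule, bracket_aware=True):
    """Tokenise the header: action, proto, src, sport, dir, dst, dport."""
    header = rule.split(" (", 1)[0]
    if not bracket_aware:
        return header.split()          # assumption: breaks on spaces inside [...]
    tokens, cur, depth = [], "", 0
    for ch in header:
        depth += (ch == "[") - (ch == "]")
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + ([cur] if cur else [])

def missing_vars(rule, addr_groups, port_groups, bracket_aware=True):
    """(field, var) pairs whose var is absent from the table for that field."""
    t = split_header(rule, bracket_aware)
    fields = [("src", t[2], addr_groups), ("sport", t[3], port_groups),
              ("dst", t[5], addr_groups), ("dport", t[6], port_groups)]
    return [(f, v) for f, text, table in fields
            for v in VAR_RE.findall(text) if v not in table]
```

With only the suricata.yaml vars the three custom address vars are reported missing; with the merged tables and a bracket-aware split nothing is missing, while the whitespace split reports `EXTERNAL_IP` as a missing port var.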