Hello, I have what I hope may be a simple question, but I haven’t been able to answer it myself, so I’m turning to the forum.
Simply put, when using a collection of local rule files with suricata-update, how do I ensure that it does not follow the default behavior and use the ET Open rule set even though I have disabled it?
I am crafting large sets of custom rules for our implementation and want to use suricata-update, but every time I run it, even with the et/open entry disabled in the source list, it says "No sources configured, will use Emerging Threats Open" and proceeds to try to integrate them.
I have the relevant groups disabled, but it still throws 20k+ disabled rules into the suricata.rules file and I would prefer to avoid that.
What am I doing incorrectly?