Sometimes I’ll see things like: 8/6/2023 -- 08:23:27 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2044749, gid 1: unknown rule
When I create the threshold entry, I have a copy of when it hit, so I know that sig did exist at some point. How can I automatically true up what’s been deleted from my threshold file? Thank you.
It would be interesting to see if it would be possible to have suricata-update handle that in the future since it is aware of the status of rules.
Currently though, as you said, you would need to have a list of active/enabled sids and run that against your threshold contents. I am not sure of any options in the current suricata or related tools that would do it automagically for you.
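As a concrete form of the reconciliation described in the reply above (a list of enabled sids checked against the threshold file), here is an added example script; it is not code from the thread or from the Suricata project. It assumes the documented threshold.config entry syntax (`suppress`, `threshold`, `rate_filter`, `event_filter` with `gen_id`/`sig_id`), treats a rule line beginning with `#` as disabled, and treats `sig_id 0` as a wildcard that is never stale. The rules and threshold content below are constructed samples; the sid 2044749 from the warning in the question is deliberately absent from the rules so it shows up as stale.

```python
import re
from typing import List, Set, Tuple

# Constructed sample rules file (what Suricata would load). The second rule is
# commented out, which is how suricata-update writes a disabled rule.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED active rule"; sid:1000001; rev:1;)
# alert dns any any -> any any (msg:"CONSTRUCTED disabled rule"; sid:1000002; rev:2;)
alert http any any -> any any (msg:"CONSTRUCTED active rule 2"; gid:1; sid:1000003; rev:1;)
"""

# Constructed sample threshold.config. Line 3 references the sid from the
# question's warning; line 4 references a rule that is present but disabled.
SAMPLE_THRESHOLD = """\
# local suppressions (constructed sample)
suppress gen_id 1, sig_id 1000001, track by_src, ip 10.0.0.5
suppress gen_id 1, sig_id 2044749
threshold gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
rate_filter gen_id 1, sig_id 1000003, track by_src, count 10, seconds 60, new_action drop, timeout 30
threshold gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ENTRY_RE = re.compile(
    r"^\s*(suppress|threshold|rate_filter|event_filter)\b.*?"
    r"\bgen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)",
    re.IGNORECASE,
)


def enabled_sids(rules_text: str) -> Set[Tuple[int, int]]:
    """Return the (gid, sid) pairs of enabled rules; '#'-prefixed lines are disabled."""
    active: Set[Tuple[int, int]] = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        sid = SID_RE.search(stripped)
        if not sid:
            continue
        gid = GID_RE.search(stripped)
        # Suricata's default gid is 1 when the rule carries no gid keyword.
        active.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return active


def threshold_entries(threshold_text: str) -> List[Tuple[int, str, int, int]]:
    """Return (line_no, keyword, gid, sid) for each non-comment entry in threshold.config."""
    entries = []
    for line_no, line in enumerate(threshold_text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if m:
            entries.append((line_no, m.group(1).lower(), int(m.group(2)), int(m.group(3))))
    return entries


def stale_entries(threshold_text: str, rules_text: str) -> List[Tuple[int, int, int]]:
    """Return (line_no, gid, sid) for entries whose sid is not an enabled rule.

    sig_id 0 is a wildcard (applies to all rules) and can never be stale.
    """
    active = enabled_sids(rules_text)
    return [
        (line_no, gid, sid)
        for line_no, _, gid, sid in threshold_entries(threshold_text)
        if sid != 0 and (gid, sid) not in active
    ]


def true_up(threshold_text: str, rules_text: str) -> str:
    """Return threshold content with stale entries commented out, not deleted,
    so the original line survives if the rule is re-enabled later."""
    stale_lines = {line_no for line_no, _, _ in stale_entries(threshold_text, rules_text)}
    out = []
    for line_no, line in enumerate(threshold_text.splitlines(), 1):
        out.append(f"# STALE (no enabled rule): {line}" if line_no in stale_lines else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Hypothetical paths; substitute the ones Suricata is actually loading.
    for line_no, gid, sid in stale_entries(SAMPLE_THRESHOLD, SAMPLE_RULES):
        print(f"threshold.config line {line_no}: gid {gid} sid {sid} has no enabled rule")
    print(true_up(SAMPLE_THRESHOLD, SAMPLE_RULES))
```

Run it against the real files by reading them in place of the two samples, and diff the `true_up` output against the current threshold.config before restarting Suricata; commenting rather than deleting keeps the history the question mentions, so an entry whose rule comes back can simply be uncommented.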