What to do with no disable.conf

Please include the following information with your help request:

  • Suricata version: 7.0.4
  • Operating system and/or Linux distribution: Debian
  • How you installed Suricata (from source, packages, something else): packages; can’t remember which

I’d like to disable some alerts and keep them disabled after running suricata-update, but I don’t seem to have a disable.conf file. Not sure what to do now. I ran a system search for disable.conf with no luck. Any suggestions? Do I just make one?

Yes, just make one. Usually /etc/suricata/disable.conf, but if your suricata.yaml is somewhere else, put it in that directory instead.

Thanks for the quick reply!

Is this still how the file should look?

# suricata-update - disable.conf

# Example of disabling a rule by signature ID (gid is optional).
# 1:2019401
# 2019401

# Example of disabling a rule by regular expression.
# - All regular expression matches are case insensitive.
# re:heartbleed
# re:MS(0[7-9]|10)-\d+

# Examples of disabling a group of rules.
# group:emerging-icmp.rules
# group:emerging-dos
# group:emerging*

It can simply be empty; those are all commented-out example lines, as they start with #.

More examples here: suricata-update - Update — suricata-update 1.3.2 documentation

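To make the three matcher kinds from the sample file concrete (sid, re:, group:), here is an added example that is not from the thread or from the suricata-update project: a small Python re-implementation of how a disable.conf is read and applied to a handful of constructed rules. The rule strings and file names are made up, and the group-matching behaviour (shell-style wildcard against the rules file basename, with ".rules" optionally appended so that "emerging-dos" matches "emerging-dos.rules") is my reading of the documented examples, not the project's code.

```python
import fnmatch
import os
import re

# Constructed sample rules (not from the page). "group" is the name of the
# .rules file suricata-update would record as the origin of each rule.
SAMPLE_RULES = [
    {"gid": 1, "sid": 2019401, "group": "emerging-exploit.rules",
     "raw": 'alert tcp any any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Attempt"; sid:2019401; rev:1;)'},
    {"gid": 1, "sid": 2100366, "group": "emerging-icmp.rules",
     "raw": 'alert icmp any any -> any any (msg:"GPL ICMP_INFO PING *NIX"; sid:2100366; rev:1;)'},
    {"gid": 1, "sid": 2010020, "group": "emerging-dos.rules",
     "raw": 'alert tcp any any -> any any (msg:"ET DOS Microsoft MS09-001 SMB"; sid:2010020; rev:1;)'},
    {"gid": 1, "sid": 1000001, "group": "local.rules",
     "raw": 'alert tcp any any -> any any (msg:"LOCAL test rule"; sid:1000001; rev:1;)'},
]

# The example lines from the thread's disable.conf, uncommented (constructed input).
DISABLE_CONF = """
# suricata-update - disable.conf
1:2019401
re:MS(0[7-9]|10)-\\d+
group:emerging-icmp.rules
"""


def parse_disable_conf(text):
    """Return a list of (kind, value) matchers; blank lines and '#' comments are skipped."""
    matchers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            # Regular-expression matches are case insensitive, as the sample file says.
            matchers.append(("re", re.compile(line[3:].strip(), re.IGNORECASE)))
        elif line.startswith("group:"):
            matchers.append(("group", line[6:].strip()))
        else:
            # "gid:sid" or bare "sid"; gid defaults to 1 when omitted.
            gid, _, sid = line.rpartition(":")
            matchers.append(("sid", (int(gid) if gid else 1, int(sid))))
    return matchers


def rule_matches(rule, matcher):
    """True if a single matcher applies to a rule."""
    kind, value = matcher
    if kind == "sid":
        return (rule["gid"], rule["sid"]) == value
    if kind == "re":
        return value.search(rule["raw"]) is not None
    if kind == "group":
        # Assumption: wildcard match on the rules-file basename, ".rules" optional.
        base = os.path.basename(rule["group"])
        return any(fnmatch.fnmatch(base, p) for p in (value, value + ".rules"))
    raise ValueError("unknown matcher kind: %s" % kind)


def disabled_sids(rules, conf_text):
    """Sorted list of sids that the given disable.conf text would disable."""
    matchers = parse_disable_conf(conf_text)
    return sorted(r["sid"] for r in rules
                  if any(rule_matches(r, m) for m in matchers))


if __name__ == "__main__":
    print("empty file disables:", disabled_sids(SAMPLE_RULES, ""))
    print("sample file disables:", disabled_sids(SAMPLE_RULES, DISABLE_CONF))
```

An empty file disables nothing, which is why the all-comments sample file above is a valid starting point; each uncommented line then removes exactly the rules it matches, and because suricata-update re-reads the file on every run, the rules stay disabled across updates.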

Also found this, which is handy:
suricata-update --dump-sample-configs