Please include the following information with your help request:
- Suricata version: 7.0.4
- Operating system and/or Linux distribution: debian
- How you installed Suricata (from source, packages, something else): packages. can’t remember which
Hello,
I’d like to disable some alerts and keep them disabled after running suricata-update, but i don’t seem to have a disable.conf file. Not sure what to do now. I ran a system search for disable.conf with no luck. Any suggestions? Do I just make one?
Yes, just make one. Usually /etc/suricata/disable.conf, but if your suricata.yaml is somewhere else, put it in that directory instead.
thanks for the quick reply!
Is this still how the file should look?
# suricata-update - disable.conf
# Example of disabling a rule by signature ID (gid is optional).
# 1:2019401
# 2019401
# Example of disabling a rule by regular expression.
# - All regular expression matches are case insensitive.
# re:heartbleed
# re:MS(0[7-9]|10)-\d+
# Examples of disabling a group of rules.
# group:emerging-icmp.rules
# group:emerging-dos
# group:emerging*
It can simply be empty, those are all commented out example lines, as they start with #.
More examples here: suricata-update - Update — suricata-update 1.3.2 documentation
also found this, which is handy
suricata-update --dump-sample-configs