Suricata » Suricata-Update

Suricata-Update when run without enable/disable configurations will leave the rules as-is in their original source (with the exception of flowbit resolution). So unless an enable statement matches and enables it, it will be left as-is in the source.

I'm not really sure what -R in PulledPork does. Apparently the authors of PulledPork are a little unsure themselves given this in the commit for -R:

+- Bug #47 - This should be used by advanced users only, it can produce results that may
+       not make sense to the typical user.  And frankly, I don't understand it ;-)

Do you have a test case where a rule is not maintaining its enable/disable state from the source?

Hi Risto Vaarandi!
Could you please provide us with a test case as requested by Jason?

What I meant was to disable the rule after it has been enabled by enable-rule, provided that the rule was originally disabled in the rule tarball. Naturally, the rule should be disabled only if it has no flowbit dependency on other rules that remain active (but that is usually the case for rules that their original authors have commented out).

Let me provide an example what I mean -- lets assume I would first like to disable all rules, and then enable a smaller subset according to some criteria.

Here is the content of disable.conf file:

1. disable all rules
   re:.

and here is enable.conf:

1. enable only rules described below
   re:msg:"(ET|ETPRO|GPL).*\sclasstype:\s*(trojan-activity|targeted-activity|exploit-kit|domain-c2|command-and-control)\s*;

Now consider the following rule which has been disabled by authors in the rule tarball:

#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)

Given the disable.conf and enable.conf above, suricata-update would enable this rule. So would pulledpork if executed with similar disablesid.conf and enablesid.conf, and without R. However, the presence of -R flag would leave the above rule disabled. My point here is the following - if authors disable their rules, it is usually because of rule producing false positives or being no longer relevant, and it would be nice to have a command line or config file option to leave such rules disabled. If there is already a way to achieve that, I would be thankful for any advise.