Feature #6131
Updated by Jason Ish over 1 year ago
Sometimes, Suricata will issue warnings for sids that used to exist before:
8/6/2023 -- 08:23:27 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2044749, gid 1: unknown rule
It would be useful if it were possible to automatically true up what sids have been deleted from a threshold file, since suricata-update is aware of the status of rules.
Currently, to achieve that, one would probably need to have a list of active/enabled sids and run that against their threshold contents.
This feature request arose from the discussion in:
https://forum.suricata.io/t/truing-up-deleted-rules-with-threshold-file/3578/4
[Edit by jish]
The idea here is Suricata-Update could be the owner of threshold.config, and modify it as needed to provide a clean threshold.config to Suricata.
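The manual approach described in the request (collect the enabled sids, then run them against the threshold file) can be sketched as follows. This is an added example, not code from suricata-update or from the issue; the rules and threshold.config contents are constructed samples (the sid 2044749 is the one from the warning above), and the parser assumes the standard threshold.config line shapes (suppress, threshold, event_filter, rate_filter with gen_id/sig_id) and only checks entries for gen_id 1, keeping everything else untouched.

```python
"""Added example (not suricata-update's own code): report threshold.config
entries whose sid is no longer present among the enabled rules, so they can be
dropped before Suricata logs "can't suppress sid ...: unknown rule"."""
from __future__ import annotations

import re

# Constructed sample rules file: two enabled rules and one disabled (commented out).
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"EXAMPLE active rule"; sid:2000001; rev:1;)
# alert tcp any any -> any 443 (msg:"EXAMPLE disabled rule"; sid:2000002; rev:1;)
alert dns any any -> any any (msg:"EXAMPLE other rule"; sid:2044750; rev:2;)
"""

# Constructed sample threshold.config; 2044749 is the sid from the warning on the page.
SAMPLE_THRESHOLD = """\
# suppress a noisy source for an enabled rule
suppress gen_id 1, sig_id 2000001, track by_src, ip 10.0.0.5
# entry for a rule that has since been removed from the ruleset
suppress gen_id 1, sig_id 2044749, track by_src, ip 10.0.0.9
threshold gen_id 1, sig_id 2000002, type limit, track by_src, count 1, seconds 60
rate_filter gen_id 1, sig_id 2044750, track by_src, count 3, seconds 60, new_action drop, timeout 30
suppress gen_id 1, sig_id 0, track by_src, ip 192.0.2.1
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ENTRY_RE = re.compile(
    r"^\s*(suppress|threshold|event_filter|rate_filter)\b.*?"
    r"\bgen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
)


def enabled_sids(rules_text: str) -> set[int]:
    """Collect the sids of rules Suricata will actually load (not commented out)."""
    sids: set[int] = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or disabled rule: never loaded, so its sid is unknown
        m = SID_RE.search(stripped)
        if m:
            sids.add(int(m.group(1)))
    return sids


def true_up(threshold_text: str, active: set[int]) -> tuple[list[str], list[str]]:
    """Split threshold.config into (kept_lines, stale_lines).

    Comments, blank lines and unrecognised lines are kept verbatim. Entries with
    gen_id 0 or sig_id 0 are wildcards and are kept. Only gen_id 1 entries are
    checked against the enabled sids (assumption for this example); entries for
    other gen_ids are kept as-is because the rules file alone cannot settle them.
    """
    kept: list[str] = []
    stale: list[str] = []
    for line in threshold_text.splitlines():
        m = ENTRY_RE.match(line)
        if m is None:
            kept.append(line)
            continue
        gen_id, sig_id = int(m.group(2)), int(m.group(3))
        if gen_id != 1 or sig_id == 0 or sig_id in active:
            kept.append(line)
        else:
            stale.append(line)
    return kept, stale


if __name__ == "__main__":
    active = enabled_sids(SAMPLE_RULES)
    kept, stale = true_up(SAMPLE_THRESHOLD, active)
    for entry in stale:
        print("stale (rule not enabled):", entry)
    print("--- cleaned threshold.config ---")
    print("\n".join(kept))
```

In practice the rules input would be the merged, post-disable/enable rules file that suricata-update writes, since that is the set Suricata sees; running the check against upstream rule sources would miss rules disabled locally, which produce the same warning.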