Today, I had a go at the ETOPEN Suricata rules in Security Onion 2.4.150. Long ago, I disabled the rule numbered “2060252” and named “ET INFO Go-http-client User-Agent Observed Inbound.” This one popped up when I hunted for the reason the Suricata rules showed “Rule mismatch.”

I figured I might as well re-enable this rule and run a differential update on the Suricata rules. After a while, the Suricata indicator showed a green OK. Lovely!

Now, what happens if I disable this rule and run another differential update on the Suricata rules? It so happens the Suricata indicator still shows a green OK.

I ran a full update with this rule still disabled. The update finished after a while, and the Suricata indicator still shows a green OK. Mission accomplished!

Could it be that disabled rules don’t get treated the same way enabled rules are during updates?
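One way to check the question above against a rules file, as an added example that is not part of the original post: given the SIDs an operator expects to be disabled, report which are still active and which are missing from the ruleset entirely. The rule text is constructed for the example; only the SID and message of 2060252 come from the post, and the rule body, the paths and the other SIDs are placeholders.

```python
import re

# Constructed sample of a Suricata rules file (not a real ETOPEN extract):
# one active rule, one commented-out (disabled) rule.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Go-http-client User-Agent Observed Inbound"; sid:2060252; rev:1;)
# alert tcp any any -> any 22 (msg:"CONSTRUCTED example rule"; sid:9000001; rev:1;)
alert dns any any -> any 53 (msg:"CONSTRUCTED example rule 2"; sid:9000002; rev:1;)
"""

# Matches the sid option inside a rule's option block.
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def index_rules(text):
    """Map each SID in the file to True (active) or False (commented out)."""
    index = {}
    for line in text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not stripped or not match:
            continue
        # A leading '#' means the rule is present but disabled.
        index[int(match.group(1))] = not stripped.startswith("#")
    return index


def check_disabled(text, disabled_sids):
    """Return (still_active, missing) for SIDs the operator expects to be disabled.

    still_active: SIDs present and uncommented, so the disable did not take effect.
    missing: SIDs absent from the ruleset, a likely source of a "rule mismatch".
    """
    index = index_rules(text)
    still_active = sorted(s for s in disabled_sids if index.get(s) is True)
    missing = sorted(s for s in disabled_sids if s not in index)
    return still_active, missing


if __name__ == "__main__":
    # Hypothetical operator list: 2060252 from the post, the rest constructed.
    active, absent = check_disabled(SAMPLE_RULES, {2060252, 9000001, 9000003})
    print("disabled but still active:", active)
    print("disabled but not in ruleset:", absent)
```

Run it against the real rules file and the locally disabled SID list to see whether a disabled rule is merely commented out or has vanished from the upstream set.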
