ET INFO Go-http-client User-Agent Observed Inbound
Today, I had a go at the ETOPEN Suricata rules in Security Onion 2.4.150. Long ago, I had disabled the rule numbered “2060252” and named “ET INFO Go-http-client User-Agent Observed Inbound.” This one popped up when I hunted for the reason the Suricata rules showed “Rule mismatch.”
I figured I might as well re-enable this rule and run a differential update on the Suricata rules. After a while, the Suricata indicator showed a green OK. Lovely!
Now, what happens if I disable this rule and run another differential update on the Suricata rules? It so happens the Suricata indicator still shows a green OK.
I ran a full update with this rule still disabled. The update finished after a while, and the Suricata indicator still shows a green OK. Mission accomplished!
Could it be that disabled rules don’t get treated the same way enabled rules are during updates?
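One way to answer that question for yourself, instead of relying on the indicator alone, is to inspect the deployed rules file and confirm the state of each SID you care about. The script below is an added example, not part of the post above and not Security Onion or Emerging Threats code. It parses Suricata rule syntax, treats a commented-out line that still carries a `sid:` as a disabled rule, and reports mismatches between what you expect and what is actually on disk. The rules text is a constructed sample: only the SID 2060252 and the rule message come from the post, the rule bodies are placeholders.

```python
import re

# Constructed sample of a Suricata rules file. The real ET rule bodies are
# not reproduced here; only sid 2060252 and its msg come from the post.
SAMPLE_RULES = """\
alert http any any -> $HOME_NET any (msg:"ET INFO Sample Rule A"; sid:2000001; rev:1;)
# alert http any any -> $HOME_NET any (msg:"ET INFO Go-http-client User-Agent Observed Inbound"; sid:2060252; rev:2;)
alert http any any -> $HOME_NET any (msg:"ET INFO Sample Rule B"; sid:2000003; rev:1;)
"""

# Matches the sid option inside a rule, e.g. "sid:2060252;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_states(rules_text):
    """Return {sid: 'enabled' | 'disabled'} for every rule in the text.

    Suricata ignores lines starting with '#', so a commented line that still
    carries a sid is a rule that was disabled rather than removed.
    """
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        match = SID_RE.search(stripped)
        if not match:
            continue  # comment or line with no sid option
        sid = int(match.group(1))
        states[sid] = "disabled" if stripped.startswith("#") else "enabled"
    return states


def check_expected(rules_text, expected):
    """Compare expected states to the deployed file.

    expected: {sid: 'enabled' | 'disabled'}
    Returns a list of (sid, expected, actual) tuples; a sid absent from the
    file is reported as 'missing'. An empty list means no mismatch.
    """
    actual = rule_states(rules_text)
    mismatches = []
    for sid, want in expected.items():
        got = actual.get(sid, "missing")
        if got != want:
            mismatches.append((sid, want, got))
    return mismatches


if __name__ == "__main__":
    # Hypothetical expectation: 2060252 stays disabled, the others are enabled.
    wanted = {2060252: "disabled", 2000001: "enabled", 2000003: "enabled"}
    problems = check_expected(SAMPLE_RULES, wanted)
    if problems:
        for sid, want, got in problems:
            print(f"sid {sid}: expected {want}, found {got}")
    else:
        print("all rules in the expected state")
```

To use it against a real deployment, read the rules file Suricata actually loads (the path is deployment-specific, so it is not assumed here) into `rules_text` instead of `SAMPLE_RULES`. Running the check before and after a differential or full update shows directly whether a disabled rule survives the update as a commented line, reappears enabled, or disappears from the file.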