Support #2120
closed
Disable rule-set emerging-chat.rules.
Added by Roman Karpyuk over 7 years ago.
Updated almost 6 years ago.
Description
Hi guys,
I have a stupid problem: I want to disable emerging-chat.rules. But when I comment out the line with this rule set in suricata.yaml and reload Suricata, it doesn't help. I still see those rules (like Skype VOIP or Google Talk, etc.) in the SIEM. So how can I fix this? What have I missed?
For managing rules, I use Oinkmaster.
Thanks.
- Assignee set to Anonymous
- Priority changed from High to Normal
- Target version set to Support
Can you provide us with more details? Especially the `rule-files` section of your config where you include the rules. This could also be an issue with your oinkmaster configuration.
I think that isn't a problem with oinkmaster, because all the other rules have been modified fine.
What do you mean when you say "rule-files section"? In suricata.yaml, in the section where we add/disable rules, I have commented out emerging-chat.rules to disable these rules. I've attached a file with part of the suricata.yaml config.
In oinkmaster.conf I only change the priority for rules, like this: `modifysid 2012648, ..., "classtype:" | "priority:3; classtype:"`.
So the problem is that I can't disable/switch off the chat rules.
I thought maybe these rules have flowbits dependencies, but NO.
Thanks
If you start suricata with "-vvv", what do you see in the "<Config> - Loading rule file:" output? Is emerging-chat.rules shown? Then you need to check what oinkmaster is doing with your config. Something external seems to change your rule-files settings then.
- Subject changed from Disable rule-set emerging-char.rules. to Disable rule-set emerging-chat.rules.
- Status changed from New to Closed
- Assignee deleted (Anonymous)
- Target version deleted (Support)
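Added example (not part of the ticket and not Suricata project code): a shell check for the situation discussed above, listing rule files that are commented out under `rule-files:` in suricata.yaml but still appear on "Loading rule file:" lines of saved `-vvv` start-up output. The YAML, log lines, paths and function names are constructed for illustration; the log line layout is assumed from the string quoted in the ticket.

```shell
#!/bin/sh
# Rule files commented out inside the rule-files: section of a suricata.yaml.
disabled_in_yaml() {
  awk '
    /^rule-files:/     { in_sec = 1; next }
    in_sec && /^[^ #]/ { in_sec = 0 }   # next top-level key ends the section
    in_sec && /^ *# *- */ {
      sub(/^ *# *- */, ""); sub(/ +$/, ""); print
    }' "$1"
}

# Base names of the files named on "Loading rule file:" lines.
loaded_in_log() {
  sed -n 's/.*Loading rule file: *//p' "$1" | sed 's#.*/##'
}

# Files disabled in the YAML ($1) that the start-up output ($2) still loads.
still_loaded() {
  disabled_in_yaml "$1" | while IFS= read -r f; do
    if loaded_in_log "$2" | grep -Fxq -- "$f"; then echo "$f"; fi
  done
}

# Constructed sample input; paths and timestamps are made up.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/suricata.yaml" <<'EOF'
default-rule-path: /etc/suricata/rules
rule-files:
 - botcc.rules
# - emerging-chat.rules
 - emerging-dos.rules
# - emerging-games.rules
classification-file: /etc/suricata/classification.config
EOF
cat > "$tmp/startup.log" <<'EOF'
1/2/2017 -- 10:00:00 - <Config> - Loading rule file: /etc/suricata/rules/botcc.rules
1/2/2017 -- 10:00:00 - <Config> - Loading rule file: /etc/suricata/rules/emerging-chat.rules
1/2/2017 -- 10:00:00 - <Config> - Loading rule file: /etc/suricata/rules/emerging-dos.rules
EOF

echo "Disabled in YAML but still loaded:"
still_loaded "$tmp/suricata.yaml" "$tmp/startup.log"
```

A non-empty result means the running instance is not using the rule-files list that was edited.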