Make sure that noalert is set in newly enabled rules
Suricata-update comes with the function that rules that depend on flowbits will get enabled recursively until all flowbit dependencies/conflicts are resolved. This leads to the following problem: Rules that have been previously disabled (e.g. in disable.conf) will get enabled and could produce a lot of noise (e.g. ET INFO rules that match on vulnerable Java versions). I would suggest to add the option "flowbit-no-alert" to enable flowbit dependencies "silently" and no alerts gets triggered for those rules.
Updated by Konstantin Klinger over 4 years ago
Jason Ish wrote:
I think its worth discussing if this should be the default behaviour rather than a flag. I had meant to do this in the initial version, and either forgot, or thought I did it already (which I obviously have not).
Yes, I would vote for default behavior. But it is also worth a discussion, because in this way we are "manipulating" the original rule in some way by adding "flowbits:noalert;".