Support #4160

closed

suricata-update remove comment in rules file

Added by namjin kim over 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Affected Versions:
Label:

Description

After downloading the ET rule file, I commented out the unused rules.

After executing suricata-update, the suricata.rules file was created, but the rule I had commented out was uncommented.

There was also a problem in that the rule registered in disable.conf (the rule with the flowbit warning) was continuously activated.

Doesn't suricata-update check the presence or absence of comments when reading the rule file?
In order to disable the rule, is the only way to register in disable.conf?

Actions #1

Updated by Jason Ish over 3 years ago

The last thing Suricata-Update does is scan for enabled rules that "check" flowbits. It will then unconditionally enable rules that "set" those flowbits, but will also set the "noalert" field so these rules that are enabled only for flowbit dependencies will be silent.

Is this what you are seeing?
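
The pass described in the comment above, modelled as an added example (this is not suricata-update's own code and the details are assumptions): rules are parsed with their enabled/disabled state, the flowbits that enabled rules "check" are collected, and any disabled rule that "sets" one of those bits is re-enabled with `flowbits:noalert` so it contributes state but never alerts. The sample ruleset is constructed for the example; the sids, flowbit names, the fixed-point iteration and the placement of the noalert option before `sid:` are all choices of this example.

```python
"""Toy model of the flowbit dependency pass described above (added example,
not the project's own code).  A rule that is disabled but SETS a flowbit
which an enabled rule CHECKS is re-enabled with noalert."""
import re
from dataclasses import dataclass, field

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits\s*:\s*([^;]+);")

# Which flowbit operations consume a bit and which produce one.  This split
# is an assumption of the example, chosen to match the comment above.
CHECK_OPS = {"isset", "isnotset"}
SET_OPS = {"set", "toggle"}

# Constructed sample ruleset (not real ET rules).  Lines starting with '#'
# are commented-out rules, exactly as a user might disable them by hand.
SAMPLE_RULES = """\
# alert tcp any any -> any 80 (msg:"EXAMPLE stage 1 seen"; flow:to_server; flowbits:set,example.stage1; sid:9000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE stage 2 after stage 1"; flow:to_server; flowbits:isset,example.stage1; sid:9000002; rev:1;)
# alert tcp any any -> any 443 (msg:"EXAMPLE sets a bit nobody checks"; flowbits:set,example.orphan; sid:9000003; rev:1;)
alert tcp any any -> any 22 (msg:"EXAMPLE no flowbits at all"; sid:9000004; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE chained setter"; flowbits:isset,example.stage0; flowbits:set,example.stage1; sid:9000005; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE root of the chain"; flowbits:set,example.stage0; sid:9000006; rev:1;)
# This is an ordinary comment, not a rule, and is ignored by the parser.
"""


@dataclass
class Rule:
    raw: str                                   # rule text without '# '
    sid: int
    enabled: bool
    checks: set = field(default_factory=set)   # flowbit names this rule tests
    sets: set = field(default_factory=set)     # flowbit names this rule sets
    noalert: bool = False                      # set by the dependency pass

    def render(self) -> str:
        """Emit the rule as it would appear in the merged output file."""
        text = self.raw
        if self.noalert and "flowbits:noalert" not in text:
            # Insert the option just before sid: (placement is an assumption).
            text = SID_RE.sub(lambda m: "flowbits:noalert; " + m.group(0),
                              text, count=1)
        return text if self.enabled else "# " + text


def parse_rules(text: str) -> list[Rule]:
    """Parse a rules file into Rule objects, keeping commented-out rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line if enabled else line.lstrip("# ").strip()
        m = SID_RE.search(body)
        if not m:
            continue  # a plain comment, not a commented-out rule
        rule = Rule(raw=body, sid=int(m.group(1)), enabled=enabled)
        for opts in FLOWBITS_RE.findall(body):
            parts = [p.strip() for p in opts.split(",")]
            op, names = parts[0], parts[1:]
            # isset may combine bits with '|' or '&'; treat each as a name
            flat = {n for name in names for n in re.split(r"[|&]", name)}
            if op in CHECK_OPS:
                rule.checks |= flat
            elif op in SET_OPS:
                rule.sets |= flat
        rules.append(rule)
    return rules


def resolve_flowbits(rules: list[Rule]) -> list[int]:
    """Enable disabled setters of flowbits that enabled rules check.

    Returns the sids that were switched on.  Runs to a fixed point so that a
    newly enabled setter which itself checks another bit pulls in that bit's
    setter too (the iteration is an assumption of this example)."""
    touched = []
    while True:
        checked = set()
        for r in rules:
            if r.enabled:
                checked |= r.checks
        changed = False
        for r in rules:
            if not r.enabled and r.sets & checked:
                r.enabled = True      # needed for state, so it comes back on
                r.noalert = True      # ...but it must stay silent
                touched.append(r.sid)
                changed = True
        if not changed:
            return touched


def build_output(text: str) -> tuple[list[Rule], str]:
    """Parse, resolve dependencies and render the merged rules text."""
    rules = parse_rules(text)
    resolve_flowbits(rules)
    return rules, "\n".join(r.render() for r in rules) + "\n"


if __name__ == "__main__":
    _, merged = build_output(SAMPLE_RULES)
    print(merged)
```

Running it shows exactly the symptom from the report: sid 9000001 comes back uncommented because the enabled sid 9000002 checks `example.stage1`, but it now carries `flowbits:noalert`, while sid 9000003 (whose bit nobody checks) stays commented out. The chain through sids 9000005 and 9000006 shows why one pass is not enough.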

Actions #2

Updated by Shivani Bhardwaj over 3 years ago

  • Assignee changed from Shivani Bhardwaj to OISF Dev
  • Label deleted (Beginner, Needs backport to 6.0)

Actions #3

Updated by Andreas Herz about 2 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
