Support #7989
Impossible to disable some rules.
Status: open
Description
Hi,
I’m under trixie and I have just migrated to suricata 8.0.1.
suricata-update version is 1.3.7dev0
I would like to disable rule 3321379 and drop all rules that have a technical mitre id.
For this, I modified these 2 files:
disable.conf
3321379 # Many TLS Client + Server Hello - Possible Active Scanning activity and / or random TLS impersonation - T1595
drop.conf
re:mitre_technique_id # MITRE ATT&CK reference
Unfortunately, as you can see here, this rule is still active.
drop tls any any -> any any (msg:" Many TLS Client + Server Hello - Possible Active Scanning activity and / or random TLS impersonation - T1595"; flow:to_client, stateless; threshold: type threshold, track by_both, count 50, seconds 10; flowbits:set,pptrls.manytlsch; flowbits:isnotset,pptrls.manytlsch; content:"|16 03 03|"; startswith; fast_pattern; content:"|02|"; distance:2; reference:url,https://attack.mitre.org/techniques/T1595/; metadata:attack_target Client_and_Server, signature_severity Major, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1595, mitre_technique_name Active_Scanning, created_at 2024_10_15, updated_at 2024_10_15; noalert; sid:3321379; rev:2; classtype:network-scan;)
I know that the order of processing rules is:
disable.conf -> enable.conf -> drop.conf -> modify.conf
So I unsuccessfully added the following to the modify.conf file:
3321379 "^alert" "# alert" # Many TLS Client + Server Hello - Possible Active Scanning activity and / or random TLS impersonation - T1595
3321379 "^drop" "# drop" # Many TLS Client + Server Hello - Possible Active Scanning activity and / or random TLS impersonation - T1595
Could you help me disable rule 3321379 and drop all rules that have a technical MITRE id?
Small clarification: I have a lot of lines in these 4 configuration files. Everything works fine except for a few rules that are both in disable.conf and that have a drop.conf condition.
Thank you in advance.
Regards,
François,
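A simplified model of the disable -> drop ordering described in the report, added here as an illustration and not suricata-update's own code: it shows how a drop step that rebuilds a rule from its raw text can throw away an earlier disable decision unless the enabled flag is explicitly carried across. The rule lines, the filter functions and the `keep_state` switch are constructed for this example (the sid and the `mitre_technique_id` key are taken from the report); the enable and modify steps are omitted.

```python
import re
from dataclasses import dataclass

# Constructed rule text modelled on the report (sid kept, body shortened).
RAW_RULES = [
    'alert tls any any -> any any (msg:"Many TLS Client + Server Hello - T1595"; '
    'metadata:mitre_technique_id T1595; sid:3321379; rev:2;)',
    'alert http any any -> any any (msg:"No MITRE metadata"; sid:9000001; rev:1;)',
]


@dataclass
class Rule:
    raw: str        # rule text without any leading "#"
    enabled: bool   # False once a filter has commented the rule out
    sid: int


def parse(line: str) -> Rule:
    """Hypothetical minimal parser: a leading '#' means the rule is disabled."""
    text = line.lstrip()
    enabled = not text.startswith("#")
    body = text.lstrip("#").strip()
    sid = int(re.search(r"sid:\s*(\d+)", body).group(1))
    return Rule(body, enabled, sid)


def disable_filter(rules, sids):
    """disable.conf step: flag listed sids as disabled."""
    for r in rules:
        if r.sid in sids:
            r.enabled = False
    return rules


def drop_filter(rules, pattern, keep_state):
    """drop.conf step: rewrite the action of matching rules to 'drop'.
    The rule is rebuilt from its raw text, which carries no '#', so the
    disabled flag is lost unless keep_state copies it over."""
    out = []
    for r in rules:
        if re.search(pattern, r.raw):
            new = parse(re.sub(r"^\w+", "drop", r.raw))
            if keep_state:
                new.enabled = r.enabled   # preserve the earlier disable
            out.append(new)
        else:
            out.append(r)
    return out


def run_pipeline(keep_state):
    """Return {sid: (action, enabled)} after disable -> drop."""
    rules = [parse(line) for line in RAW_RULES]
    rules = disable_filter(rules, {3321379})
    rules = drop_filter(rules, r"mitre_technique_id", keep_state)
    return {r.sid: (r.raw.split()[0], r.enabled) for r in rules}
```

With `keep_state=False` sid 3321379 comes out as an enabled drop rule, matching the symptom in the report; with `keep_state=True` it is rewritten to drop but stays disabled.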