Disabling all child rules via local_rules.xml

[eSupportSquirrel]

I'm new to both SecurityOnion and understanding how these rules flow so please bear with me.
I am trying to easily tune out a lot of stuff for my home network. I know exactly what products I don't have (like I don't have Symantec AV) and I've looked at all the rule xml files "/opt/so/rules/HIDS" so I know what is there.
I've also looked over the documentation, which covers the disabling of the specific rule IDs (the ones that contain the if_sid tag) but my question is this:

• If I want to disable, say the entire "symantec-av" rule file can I just disable the "top level" () rule through the local ruleset file or do I need to disable ALL of the rules in that specific file?
• Alternatively, can I comment out everything in that symantec-av rules file (and rules in other files) without breaking anything?

Revision control is not an issue here - I have an in-house Gitlab server I handle all that through AND have VM snapshots.

[InfosecGoon]

Have you deployed the OSSEC/Wazuh agent to endpoints in your home network? The rules that you're looking at under HIDS are related to parsing and alerting on endpoint logs that have been forwarded into SO using Wazuh - if you're not doing that, then tuning the rules will have no impact.

[eSupportSquirrel]

I have, actually. I just didn't want to copy-paste basically almost every single files' contents into the local rules file (I don't have a lot of this equipment/software and never will).

[InfosecGoon]

In that case, try this:

• Copy the ossec.conf file from /opt/so/saltstack/default/salt/wazuh/files/server/ossec.conf to /opt/so/saltstack/local/salt/wazuh/files/server/ossec.conf

• Add rule_exclude directives (as in line 212) for any of those rule files from /opt/so/rules/hids/ruleset/rules that you don't want the server to alert on.

• Restart the Wazuh server with so-wazuh-restart.