2.3.260 not disabling rule 2018959

[rosswakelin]

Hi there

We are having difficulty disabling a specific rule in suricata - 2018959.
We use the command line tools to add 2018959 to the disabled list, and the command runs ok. If I look in the manager config file under idstools, I can see the rule SID added to the list in the correct format, along with all the other rules we have explicitly disabled. HOWEVER... if I grep the rule file looking for that SID, I can see that it has not been commented out, and alerts are still generated for that rule. If I manually comment out that line in the rule file, and then perform a grid update, the alerts stop UNTIL the next rule update (either a scheduled update, or I make another change to the list of disabled rules) at which point the rule is no longer commented out, and the alerts start again.
I can remove the SID from the disabled list, and add it again ok, and the SID goes out of the manager file and back in, but it never gets commented out in the rules file.
I can disable additional SIDs after this one, and they get commented out ok. I can manually edit the manager file and move the SID anywhere in the list of disabled SIDs and it makes no difference - this particular SID does not get disabled.

Any ideas??
Ross

[dougburks]

Here's the full rule for SID 2018959:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, former_category POLICY, updated_at 2017_02_01;)

Notice that it sets a flowbit:

flowbits:set,ET.http.binary

Please see https://docs.securityonion.net/en/2.3/managing-alerts.html#flowbits for a full explanation of flowbits.

[rosswakelin]

Aha thanks.

I can't disable all the rules that use that flowbit (there are 86 of them) so I have decided to suppress alerts on the rule that sets the flowbit (the one that was causing all the issues - 2018959) but that should still set the flowbit so the other 85 rules that reference the flowbit will still work properly.

Much appreciated.