Can´t disable SID Rule 2034812

[ByteAndBits]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

128

RAM

1TB

Storage for /

30TB

Storage for /nsm

60TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,

two questions:
1.
I can´t disable SID Rule 2034812 via GUI. I set this value to disabled field in gui. But no change in all.rules. Other values in field
works.
2.
Is it normal that around 11.500 rules are disabled by default?

[som suri]$ cat all.rules | grep -c ^#
11514

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

1. That SID has flowbits set. You would need to modify the rule, not disable it, using something like this:

2034812 “flowbits:set,ET.LDAPBindRequest;” “flowbits:set,ET.LDAPBindRequest; flowbits:noalert;”'

2. Yes, ET OPEN ships with many rules disabled by default; if there's something disabled that you would like to enable, you can do that through the idstools configuration interface.