disableRegex seemingly not working

[jimhranicky]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

8

RAM

64g

Storage for /

80g

Storage for /nsm

2T

Network Traffic Collection

tap

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have

ET.PHISHING.

added

under

soc > config > server > modules > suricataengine > disableRegex

However, it seems the rules aren't getting commented out?

From one of our sensors:

egrep '^alert.*ET PHISH' /opt/so/conf/suricata/rules/all.rules | wc -l
238

Did I miss a step?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

Have you tried using the regex syntax shown at https://docs.securityonion.net/en/2.4/nids.html#enabling-and-disabling-with-regex?

[jimhranicky]

Yes, added this:

ET PHISHING\s

but still:

% egrep '^alert.*ET PHISH' /opt/so/conf/suricata/rules/all.rules | wc -l
238

on one of our sensors

[defensivedepth]

@jimhranicky Have you seen alerts from these rules?

[jimhranicky]

I'm primarily trying to reduce load on the suricata engine - does the disableregex only suppress alerts, or is it supposed to disable the rules entirely?

[defensivedepth]

It disables them entirely. For rules with flowbit dependencies, they are still enabled but set to noalert. Those are the rules you are seeing.