Automatically activate rules from certain categories and severities

[security-companion]

Hi,
is it possible to automatically activate eg. suricata rules from a certain category and severity of a feed once they are added?
Eg. if I wanted to automatically enable a new rule that was added to ET Free or ET Pro from the Exploit category with a severity of high - how would I do that?
I have some rules from the exploit category that I disabled on purpose. How can I avoid that they are activated again automatically?
Greetings
security-companion

[dougburks]

Have you considered regex?
https://docs.securityonion.net/en/2.4/nids.html#enabling-and-disabling-with-regex

[security-companion]

Hi,
thank you very much for your response.
From the link:
If a detection’s status is changed via the Detections interface but it is currently matched by a regex pattern, the change initiated from the Detections interface is reverted and a message is shown.

So if I disable a rule in detections manually because it triggers too many false positives it then gets activated again later on automatically if it matches the regex.
How could I avoid this? Is there some way to define a tag for a rule like "manually disabled" and include that tag in the regular expression as negation? Also from my understanding I would need to add this tag to the enable-regex as the enable-regex overrules the disable-regex.

Amy advice on how to do this?
Greetings
security-companion

[dougburks]

Have you considered suppressing the individual rule? That way it can be enabled but won't actually generate alerts:
https://docs.securityonion.net/en/2.4/nids.html#managing-existing-nids-rules

[security-companion]

Hi Doug,
thanks for your suggestion.
Does it make a difference related to performance whether I suppress a rule or deactivate it?
Probably with one rule I won't notice a difference but what about several rules?
Thanks
Security-companion

[dougburks]

Deactivating a rule does save a very small amount of RAM and CPU. For a small number of rules, you probably won't notice a difference between deactivating and suppressing. The point at which you would notice depends on several variables like the specs of your system and how much traffic you're monitoring.

[security-companion]

Hi Dough,
an additonal question: is there any performance difference between surpressing or modifying IPs in a rule?
Thanks
security-companion

[dougburks]

If there is a performance difference, it would be a small one compared to disabling the rule altogether.

[security-companion]

Thank you very much @dougburks