Help with flowbits #8120
-
I'm really struggling with flowbits in Security Onion 2.3, and can't get rules to disable properly with 'so-rule disabled add'. For example, I want to disable "ET POLICY PE EXE or DLL Windows file download HTTP", with a rule uuid of 2018959. I disable this with 'so-rule disabled add 2018959', and hit Yes to apply rules. I confirm it's in the disabled list with 'so-rule disabled list'. I grep for "2018959" in /opt/so/rules/nids/all.rules and the entry for this rule is not commented. I manually comment it, run 'so-rule-update', grep again, and it's uncommented. The uuid is still in the so-rule disabled list. When I run so-rule-update, it says "Enabled 134 rules for flowbit dependencies". I'm presuming that the above rule is included in these 134 enabled rules, and that some other rule is dependent on 2018959, and so is being re-enabled by so-rule-update? I'm struggling to find anything that makes sense to me online. The official documentation mentions disabling rules in "disablesid.conf", but I don't have this file on my system (as far as I'm aware!). I also don't see any mention of the mentioned "Setting Flowbit State" when I run so-rule-update. Elsewhere online, I see a lot of references to PulledPork, but again I don't seem to have this on my system, so I'm guessing this is from a previous version of Security Onion? The link in the official documentation for an explanation of flowbits also mentions PulledPork. Below is the full rule for uuid 2018959, could somebody please help me identify what I'm looking for in relation to flowbits and how I can get this rule disabled? How do I track the related rules?
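To answer the "how do I track the related rules?" part: a rule manager re-enables a disabled rule when an enabled rule checks (`flowbits:isset`/`isnotset`) a flowbit that the disabled rule sets. The script below is an added example, not Security Onion's or so-rule's own code, and the rule lines and sids in it are constructed placeholders (not the real ET rule text for 2018959); point it at /opt/so/rules/nids/all.rules and the sid you disabled to list which enabled rules depend on it.

```python
import re

# Constructed sample rules in Suricata syntax; sids are placeholders, not real ET sids.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE PE EXE download"; flowbits:set,sample.exe.download; flowbits:noalert; sid:1000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE EXE with odd header"; flowbits:isset,sample.exe.download; content:"X-Bogus"; sid:1000002; rev:1;)
# alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE commented out"; flowbits:isset,sample.exe.download; sid:1000003; rev:1;)
alert dns $HOME_NET any -> any any (msg:"SAMPLE unrelated"; sid:1000004; rev:1;)
"""

# flowbits:<op>[,<name>[&|<name>...]];  and  sid:<n>;
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)(?:\s*,\s*([^;]+))?\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Return {sid: {"enabled": bool, "sets": set, "checks": set}} per rule line.
    A leading '#' marks a disabled (commented) rule."""
    rules = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("# ")
        m = SID_RE.search(body)
        if not m:
            continue
        sets, checks = set(), set()
        for op, arg in FLOWBITS_RE.findall(body):
            names = {n.strip() for n in re.split(r"[&|]", arg)} if arg else set()
            if op in ("set", "toggle"):
                sets |= names
            elif op in ("isset", "isnotset"):
                checks |= names
        rules[int(m.group(1))] = {"enabled": enabled, "sets": sets, "checks": checks}
    return rules


def flowbit_dependents(rules, sid):
    """(dependent_sid, flowbit) pairs: enabled rules that check a flowbit set by `sid`.
    Any hit explains why a rule manager keeps re-enabling `sid` after you disable it."""
    setter = rules[sid]
    return sorted((other, name)
                  for other, r in rules.items() if other != sid and r["enabled"]
                  for name in r["checks"] & setter["sets"])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_RULES
    target = int(sys.argv[2]) if len(sys.argv) > 2 else 1000001
    for dep, name in flowbit_dependents(parse_rules(text), target):
        print(f"sid {dep} checks flowbit '{name}' set by sid {target}")
```

With the sample rules, sid 1000001 is reported as needed by 1000002 (the commented-out 1000003 is ignored), so disabling 1000002 as well, or suppressing 1000001 as the reply suggests, is what actually silences it.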
Replies: 1 comment 1 reply
-
You should use suppress instead. https://docs.securityonion.net/en/2.3/managing-alerts.html?highlight=threshold#threshold