Exclude file detected in Suricata rule

[nc171]

I was wondering if there is a way to suppress a specific rule based on the file that it's detecting. For example, this rule, ET POLICY SMB2 NT Create AndX Request For a .bat File is detecting a file in the sysvol folder of a DC. I want to exclude detection on that file specifically but detect on any other .bat files executed from the sysvol folder. If that is possible, there is another .dll file being executed from that folder as well that I would want to exclude as well.

[dougburks]

You might be able to modify that rule with your additional criteria OR disable that rule and create your own local rules with your additional criteria:
https://docs.securityonion.net/en/2.3/managing-alerts.html

[nc171]

I have been struggling to get my custom rule to work. I have read the documentation and watched the tutorial and am still missing something in regards to making this custom rule. I have created the custom rule below and added it to the local.rules in Suricata. Then disabled the original rule but it's not reporting generating the alerts like I wanted it to. The idea is to create this rule to ignore a specific .bat file but alert when other's are initiated from the sysvol folder.

alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a nameof.bat File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|b|00|a|00|t|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)