Commented Out Rules

Hello,

I’m an undergraduate student in South Korea currently working on a malware detection system using Suricata.

While reviewing the ET Open Ruleset, I noticed that some rules are commented out (i.e., disabled with #) in the rule files. I was wondering if there is a specific reason or policy behind which rules are commented out — for example, due to false positives, deprecation, or performance concerns.

Is there any documentation, guideline, or general principle you follow when deciding to comment out certain rules?

Your clarification would be greatly appreciated, and it would be a great help for my research.

Thank you very much for your time and support.


Hello @BOBIBOO - Welcome to the ET Community!

Your examples are correct; rules are disabled due to:

  • Duplicate detection logic
  • False positives
  • Performance issues
  • Age
  • Relevance
  • Moved from the ETPRO ruleset to ET OPEN

You can find the deprecation reason for each signature in the sid descriptions file found here (available for Snort 2.9, Suricata 5.0, and Suricata 7.0.3): https://rules.emergingthreats.net/open/suricata-7.0.3/SID-Descriptions-ETOpen.json.gz

In our Wiki we have some documentation on signature lifecycles which may be helpful to you: Rule States and Support Tiers.

We also have additional documentation on the rule metadata that we use: Signature Metadata

While we do our best to make sure metadata is complete, there are likely many rules which are disabled that do not have the deprecation_reason field populated.

Hopefully this helps, please let us know if you have other questions and we’re happy to help 🙂!

Thanks,
Isaac

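The reply above explains that disabled rules are commented out with `#` and that the reason, when recorded, lives in the `deprecation_reason` metadata key (which is sometimes missing). The following added script, written for this thread and not part of ET's own tooling, walks a Suricata rule file, picks out the commented-out rules, and reports each one's `deprecation_reason` or its absence; the sample rules and sids are constructed placeholders, and the comma-separated "key value" metadata layout is assumed from ET's Signature Metadata documentation.

```python
"""Audit commented-out (disabled) rules in a Suricata / ET Open rule file.
Constructed example, not ET's own tooling; it assumes the documented ET metadata
layout of comma-separated "key value" pairs, with `deprecation_reason` as one key."""
import re
from collections import Counter

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
# A disabled rule is the action keyword preceded by '#' (optional whitespace).
DISABLED_RE = re.compile(r"^\s*#\s*(alert|drop|reject|pass)\b")

def parse_metadata(rule: str) -> dict:
    """Return the rule's metadata as a dict, e.g. {'deprecation_reason': 'Age'}."""
    m = META_RE.search(rule)
    if not m:
        return {}
    pairs = {}
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        if key:
            pairs[key] = value.strip()
    return pairs

def audit_disabled_rules(rule_text: str) -> dict:
    """Map each disabled rule's sid to its deprecation_reason (None if absent)."""
    result = {}
    for line in rule_text.splitlines():
        if not DISABLED_RE.match(line):
            continue  # active rule, plain comment, or blank line
        sid = SID_RE.search(line)
        if not sid:
            continue  # commented-out text that is not a rule
        result[int(sid.group(1))] = parse_metadata(line).get("deprecation_reason")
    return result

def summarize(audit: dict) -> Counter:
    """Count deprecation reasons; rules missing the field are bucketed as 'unknown'."""
    return Counter(reason or "unknown" for reason in audit.values())

# Constructed sample rules; sids 9000001-9000004 are placeholders, not real ET sids.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE active rule"; sid:9000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE old rule"; metadata:created_at 2010_07_30, deprecation_reason Age, former_category MALWARE; sid:9000002; rev:3;)
#alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE noisy rule"; metadata:deprecation_reason False_Positives, updated_at 2020_01_01; sid:9000003; rev:2;)
# alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE no reason given"; metadata:created_at 2015_01_01; sid:9000004; rev:1;)
# This is a plain comment, not a disabled rule.
"""
```

Run `audit_disabled_rules` over the text of a real `.rules` file and `summarize` the result to see how many disabled rules carry no recorded reason.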

Welcome @BOBIBOO! I hope you enjoy using Suricata to explore malicious traffic. If you’d like help with your research, we are here to chat with you.
Cheers,
🌭
