Security-Onion-Solutions / securityonion

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, detections, and case management. It also includes other tools such as osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, and Zeek.
https://securityonion.net

Disable Suricata rule SID, idstools = error #1717

Closed ghost closed 3 years ago

ghost commented 3 years ago

Hello.

SO Version: 2.3.2
SO deployment type: Standalone
Editor: Vim

Objective: Disable noisy Suricata rules while learning Security Onion.

What have I done: I have based myself on the official documentation: https://docs.securityonion.net/en/latest/managing-alerts.html#identifying-rule-categories

From the documentation I'm supposed to edit the following file: /opt/so/saltstack/local/pillar/minions/sensorname_standalone.sls

Then edit the idstools part of the configuration file:


idstools:
  config:
    ruleset: 'ETOPEN'
    oinkcode: ''
    urls:
  sids:
    enabled:
    disabled:
    modify:

Which after my edits now looks like this:

idstools:
  config:
    ruleset: 'ETOPEN'
    oinkcode: ''
    urls:
  sids:
    enabled:
    disabled:
    - 2011704
    - 2522388
    - 2011704
    modify:

Then I run the command sudo salt sensorname_standalone state.apply idstools

To which I receive the following error message:

Data failed to compile:
Pillar failed to render with the following messages:
Rendering SLS 'minions.p-sn-so-01_standalone' failed. Please see master log for details.

If I remove my edits from /opt/so/saltstack/local/pillar/minions/sensorname_standalone.sls and run sudo salt sensorname_standalone state.apply idstools, it will succeed without problems.

My initial thought was a foreign character or formatting issue within the file, but it looks fine. Any ideas as to what could be the problem?

EDIT I found the logfile finally which points me in the right direction: salt.exceptions.SaltRenderError: could not find expected ':'

ghost commented 3 years ago

For future reference:

Ok, I was using TAB. TAB is an illegal character in YAML.

I used spaces instead and everything worked as expected.
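The root cause in this thread is invisible to the eye: a TAB in the indentation of a pillar file makes Salt's YAML renderer fail with "could not find expected ':'". The following is an added example (my own code, not part of Security Onion or the issue) that checks an idstools pillar snippet for TAB-indented lines before you run state.apply, rewrites the indentation with spaces, and extracts the disabled SID list so that duplicates (the thread's edit lists 2011704 twice) are visible. The sample text is constructed to reproduce the mistake described above; the file path and the two-space tab width are assumptions.

```python
import re

# Constructed sample: the idstools pillar block from the issue, with a TAB
# used to indent "config:" (the mistake the reporter found in the master log).
SAMPLE_PILLAR = (
    "idstools:\n"
    "\tconfig:\n"
    "    ruleset: 'ETOPEN'\n"
    "    oinkcode: ''\n"
    "    urls:\n"
    "  sids:\n"
    "    enabled:\n"
    "    disabled:\n"
    "    - 2011704\n"
    "    - 2522388\n"
    "    - 2011704\n"
    "    modify:\n"
)

# A YAML sequence item holding a single numeric SID, e.g. "    - 2011704".
SID_RE = re.compile(r"^\s*-\s*(\d+)\s*$")


def _split_indent(line):
    """Return (indent, rest) where indent is the line's leading whitespace."""
    stripped = line.lstrip()
    return line[: len(line) - len(stripped)], stripped


def find_tab_indents(text):
    """Return (line_number, line) for every line whose indentation contains a TAB.

    YAML forbids TABs in indentation, which is exactly what breaks the pillar
    render in this issue; a non-empty result means state.apply will fail.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        indent, _ = _split_indent(line)
        if "\t" in indent:
            hits.append((number, line))
    return hits


def expand_tabs(text, width=2):
    """Replace TABs in leading whitespace with `width` spaces each (assumed width).

    Only the indentation is touched, so values such as rule URLs are left intact.
    """
    fixed = []
    for line in text.splitlines():
        indent, rest = _split_indent(line)
        fixed.append(indent.replace("\t", " " * width) + rest)
    return "\n".join(fixed) + ("\n" if text.endswith("\n") else "")


def disabled_sids(text):
    """Collect the SIDs listed directly under 'disabled:'.

    Returns (unique_sids_in_order, duplicates) so a copy-paste of the same SID
    twice, as in the thread, is reported rather than silently ignored.
    """
    unique, duplicates = [], []
    in_disabled = False
    for line in text.splitlines():
        if line.strip() == "disabled:":
            in_disabled = True
            continue
        if not in_disabled:
            continue
        match = SID_RE.match(line)
        if match is None:
            break  # next key (e.g. "modify:") ends the sequence
        sid = int(match.group(1))
        (duplicates if sid in unique else unique).append(sid)
    return unique, duplicates


if __name__ == "__main__":
    # Hypothetical path; on a real sensor pass the pillar file from the docs.
    for number, line in find_tab_indents(SAMPLE_PILLAR):
        print(f"line {number}: TAB in indentation: {line!r}")
    print(expand_tabs(SAMPLE_PILLAR))
    print("disabled SIDs:", disabled_sids(SAMPLE_PILLAR))
```

Running the check on the real file (`python3 check_pillar.py` after reading `/opt/so/saltstack/local/pillar/minions/sensorname_standalone.sls` into `SAMPLE_PILLAR`) catches the TAB before Salt does, and the duplicate report keeps the disabled list tidy.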