StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Why do I disable the rules, but I still see the rules in Rules activity and generate so many alerts? #376

Open Linn1 opened 2 years ago

Linn1 commented 2 years ago

I enabled all rules in the web page, and found that there are a few rules that are not useful. So I want to stop them generating more alerts, because they have generated so many useless alerts. I clicked the sid and disabled these rules. But they still work and generated a lot of alerts. How can I stop these rules? By the way, all operations were done on the web page, and the Rules activity is a table that shows the top 20 rules which generate the most alerts.

pevma commented 2 years ago

You can disable a specific rule from the Home tab, click on any sig, then left hand side under Action, click the desired action. Or use the Hunting view to threshold or suppress a rule after selecting a signature (from the policy actions menu, right upper corner)

Linn1 commented 2 years ago

You can disable a specific rule from the Home tab, click on any sig, then left hand side under Action, click the desired action. Or use the Hunting view to threshold or suppress a rule after selecting a signature (from the policy actions menu, right upper corner)

I have clicked the disable rule button and the status of these rules is inactive. They still generate a lot of alerts! One of them even generated 702,789 alerts! I tried to threshold and suppress these rules, but I don't know what threshold and suppress mean.

Linn1 commented 2 years ago

For example: I suppress a rule by source IP and the net is 0.0.0.0/32. So the generated alerts are suppressed, but how about the newly generated alerts?

Linn1 commented 2 years ago

I want to make these rules stop working so that they won't generate more alerts. I don't need to delete the generated alerts every day. I delete them because these alerts are false positives. I tried to disable these rules but it didn't work. So what can I do to reduce the number of false positives? Thanks very much for your patience.

pevma commented 2 years ago

After disabling the rule you need to go to the Suricata tab, select all check boxes under Ruleset actions and hit Apply.
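One way to confirm that the Apply step actually reached the rules file Suricata loads, as an added example that is not part of this thread or of SELKS: a small Python checker that reports whether a given sid is active or commented out in Suricata rules text. The sample rules below are constructed; the path of the real rules file is an assumption to be taken from the SELKS/Suricata configuration.

```python
import re
from typing import Dict

# Constructed sample of a Suricata rules file in the form a rule manager
# typically writes it: a disabled rule is emitted as a commented-out line.
SAMPLE_RULES = """\
# comment line that is not a rule
alert tcp any any -> any 80 (msg:"EXAMPLE active rule"; sid:1000001; rev:1;)
#alert dns any any -> any 53 (msg:"EXAMPLE disabled rule"; sid:1000002; rev:2;)
alert http any any -> any any (msg:"EXAMPLE active rule 2"; content:"x"; sid:1000003; rev:1;)
"""

# A rule line: optional leading '#' (disabled), an action keyword, and a sid option.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s.*\bsid:\s*(?P<sid>\d+)\s*;'
)

def rule_states(rules_text: str) -> Dict[int, bool]:
    """Map each sid found in the rules text to True if active, False if commented out."""
    states: Dict[int, bool] = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and plain comments are not rules
        states[int(m.group("sid"))] = m.group("disabled") is None
    return states

def sid_status(rules_text: str, sid: int) -> str:
    """Return 'active', 'disabled' or 'missing' for one sid."""
    states = rule_states(rules_text)
    if sid not in states:
        return "missing"
    return "active" if states[sid] else "disabled"

if __name__ == "__main__":
    # In a real check, read the rules file Suricata actually loads (path is an
    # assumption, e.g. the one referenced by suricata.yaml's rule-files) instead.
    for sid in (1000001, 1000002, 1000004):
        print(sid, sid_status(SAMPLE_RULES, sid))
```

If the sid still shows as active after Apply, Suricata has not picked up the change and will keep alerting regardless of the web UI status.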

derritter88 commented 1 year ago

@pevma Thanks, I was also searching for this, as I simply disabled the rule without doing anything further. Maybe you could update the logic, or at least the documentation, so that if someone disables something they know they also need to hit the Apply button?