Fix Suricata: disable all DNP3/Modbus rules via regex pattern

Individual SID exclusions weren't enough — there are many more rules for these industrial SCADA protocols than initially identified. Switch to regex-based disable patterns (re:modbus, re:dnp3) so suricata-update strips all of them from the generated rules file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 20:55:44 +01:00 · 2026-04-06 20:55:44 +01:00 · 43ce6b046f
commit 43ce6b046f
parent d1ac7c6965
1 changed files with 5 additions and 4 deletions
--- a/services/suricata.nix
+++ b/services/suricata.nix
@ -5,11 +5,12 @@
    services.suricata = {
      enable = true;

-      # Default disabledRules covers DNP3 (2270000-2270004); add Modbus rules
-      # which also fail to parse because those protocols are disabled in the build
+      # DNP3 and Modbus are industrial SCADA protocols disabled in this build.
+      # Use regex patterns to suppress all rules for both protocols so the
+      # config test does not fail with parse errors.
      disabledRules = [
-        "2270000" "2270001" "2270002" "2270003" "2270004"
-        "2250005" "2250006" "2250007" "2250008" "2250009"
+        "re:modbus"
+        "re:dnp3"
      ];

      settings = {