From 43ce6b046f18e435f3e91f6151c3d0ef74251ef3 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Mon, 6 Apr 2026 20:55:44 +0100
Subject: [PATCH] Fix Suricata: disable all DNP3/Modbus rules via regex pattern
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Individual SID exclusions weren't enough — there are many more rules for these industrial SCADA protocols than initially identified. Switch to regex-based disable patterns (re:modbus, re:dnp3) so suricata-update strips all of them from the generated rules file.

Co-Authored-By: Claude Sonnet 4.6
---
 services/suricata.nix | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/services/suricata.nix b/services/suricata.nix
index 4b6fa5f..34dcfd7 100644
--- a/services/suricata.nix
+++ b/services/suricata.nix
@@ -5,11 +5,12 @@
 services.suricata = {
 enable = true;
- # Default disabledRules covers DNP3 (2270000-2270004); add Modbus rules
- # which also fail to parse because those protocols are disabled in the build
+ # DNP3 and Modbus are industrial SCADA protocols disabled in this build.
+ # Use regex patterns to suppress all rules for both protocols so the
+ # config test does not fail with parse errors.
 disabledRules = [
- "2270000" "2270001" "2270002" "2270003" "2270004"
- "2250005" "2250006" "2250007" "2250008" "2250009"
+ "re:modbus"
+ "re:dnp3"
 ];
 settings = {