From d1ac7c69656bc4460b1a316f0bfcdc0e0c41dfcc Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Mon, 6 Apr 2026 20:51:22 +0100
Subject: [PATCH] Disable Modbus Suricata rules that fail to parse

Modbus protocol detection is disabled in the NixOS build; the 5 Modbus SIDs (2250005-2250009) cause the config test to fail and crash-loop the service. Disable them alongside the existing DNP3 exclusions.

Co-Authored-By: Claude Sonnet 4.6
---
 services/suricata.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/services/suricata.nix b/services/suricata.nix
index acb7162..4b6fa5f 100644
--- a/services/suricata.nix
+++ b/services/suricata.nix
@@ -5,6 +5,13 @@
 services.suricata = {
 enable = true;

+ # Default disabledRules covers DNP3 (2270000-2270004); add Modbus rules
+ # which also fail to parse because those protocols are disabled in the build
+ disabledRules = [
+ "2270000" "2270001" "2270002" "2270003" "2270004"
+ "2250005" "2250006" "2250007" "2250008" "2250009"
+ ];
+
 settings = {
 vars.address-groups = {
 # Your local networks — Suricata won't alert on traffic within these
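Review bot: The new `disabledRules` list replaces the module default rather than extending it, so the five DNP3 SIDs are now a hand-copied snapshot. If the default list grows later, this override would silently drop the new entries, and the config test could fail again and leave the sensor down. If the module's `options` argument is in scope here (the file header is outside the hunk), `disabledRules = options.services.suricata.disabledRules.default ++ [ "2250005" "2250006" "2250007" "2250008" "2250009" ];` would keep the two lists in step. The comment should also say this is a parse workaround rather than alert tuning, for example `# Parse workaround only: this sensor has no Modbus/DNP3 event coverage; re-enable if the build gains those app-layer parsers`. It would also help to confirm with the config test that no other Modbus SIDs outside 2250005-2250009 are loaded, since one unparsable rule appears to be enough to crash-loop the service.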