When I set rules category to “block”, these rules are added to /etc/pulledpork/dropsid.conf via the template system. If I set a category to “disable”, neither the file /etc/pulledpork/disablesid.conf nor /etc/pulledpork/enablesid.conf is changed. How does Suricata know about the disabled rule categories?
Only blocked ones are in
/etc/pulledpork/dropsid.conf, alert and blocked ones are defined in
/etc/suricata/suricata.yaml, disabled ones are left out.