Hello,

I realise this bug report is one and a half years old, but since I've just
experienced the same thing, it might be useful to share here what I found.

I do not believe this is a bug. It is just how oinkmaster works. Oinkmaster
is only going to process the rule files that are part of the archive to
download as per the 'url' variable in 'oinkmaster.conf'.

This means that the default suricata rules at '/etc/suricata/rules' are not
going to be touched.

The way I worked around this, to allow the default suricata rules to be
processed by oinkmaster and honor 'disablesid' directives, was to supply an
additional 'url' variable pointing to '/etc/suricata/rules' and have
oinkmaster's 'outdir' be another directory, e.g. 'processed-rules'.

oinkmaster.conf would have something like:

url = dir:///etc/suricata/rules
url = https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz


So oinkmaster would be run like:

oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/processed-rules



Also make sure to update suricata.yml with 'default-rule-path' to point to
the correct 'outdir' (processed-rules) so suricata loads the correct rules.


Hope that helps someone.

Cheers,
José Santos
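
A check for the setup described in the message above, added here as an example (not from the original post or from the oinkmaster project): it reads the 'disablesid' lines from the config and reports any of those SIDs that are still enabled in the output directory. The sample config, rule lines and SIDs are constructed, and only comma-separated numeric SIDs on a single line are handled.

```python
import re
import tempfile
from pathlib import Path

DISABLESID_RE = re.compile(r"^\s*disablesid\s+(.+)$", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def disabled_sids(conf_text):
    """Collect numeric SIDs from 'disablesid' lines of an oinkmaster.conf."""
    sids = set()
    for line in conf_text.splitlines():
        m = DISABLESID_RE.match(line.split("#", 1)[0])  # ignore comments
        if m:
            tokens = (t.strip() for t in m.group(1).split(","))
            sids.update(int(t) for t in tokens if t.isdigit())
    return sids

def still_active(outdir, sids):
    """Return (file name, sid) pairs for disabled SIDs still enabled in outdir."""
    hits = []
    for path in sorted(Path(outdir).glob("*.rules")):
        for line in path.read_text(errors="replace").splitlines():
            rule = line.lstrip()
            if not rule or rule.startswith("#"):
                continue  # oinkmaster disables a rule by commenting it out
            m = SID_RE.search(rule)
            if m and int(m.group(1)) in sids:
                hits.append((path.name, int(m.group(1))))
    return hits

# Constructed sample data: the second decoder rule stands for a default rule
# file that oinkmaster never processed, so its disablesid entry had no effect.
SAMPLE_CONF = ("url = dir:///etc/suricata/rules\n"
               "disablesid 2200000, 2200003   # noisy decoder events\n"
               "disablesid 2010935\n")
SAMPLE_RULES = {
    "decoder-events.rules":
        '#alert pkthdr any any -> any any (msg:"constructed A"; sid:2200000; rev:1;)\n'
        'alert pkthdr any any -> any any (msg:"constructed B"; sid:2200003; rev:1;)\n',
    "emerging-sample.rules":
        '#alert tcp any any -> any 1433 (msg:"constructed C"; sid:2010935; rev:2;)\n'
        'alert tcp any any -> any 80 (msg:"constructed D"; sid:2010936; rev:1;)\n',
}

def demo():
    with tempfile.TemporaryDirectory() as outdir:
        for name, body in SAMPLE_RULES.items():
            Path(outdir, name).write_text(body)
        return still_active(outdir, disabled_sids(SAMPLE_CONF))
```

Pointing still_active() at the directory that suricata actually loads rules from shows whether the 'disablesid' entries took effect there.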
