Disabled rule still applied even after service restart ?



  • I disabled teh ET- Policy ruleset on my interface and restarted snort on the interface and cleaed the log but i still see new messages regarding ET - Policy.

    Have i missed something, is there a way to find out what is causing this :

    1:2020565
      ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use

    also: is there a way to search for which ruleset a given sid is a part of (in this case 1:2020565) ?  On the categories of the interface  i can only search within one ruleset at a time.