Snort reverting to different rule sets
-
I have configured snort for both LAN and WAN. It runs perfectly at first. I have only selected a few rulesets to use, none of which are policy-based rules. After running fine for hours, Snort will suddenly enable all rules on its own, per the logs. I start seeing all kinds of policy related events like downloading exe files, which is not something I am monitoring for. When I go in to look at the individual rules, none of those rulesets are even there, so I don't know how this is reverting or changing to include all rulesets. I have restarted WAN and LAN snort several times, and it works perfectly for hours until this happens again and I start seeing junk (well to me) in my logs again.
-
Something is really hosed up someplace. Snort just should never do that, and I can't imagine any scenario under which that could happen. Snort is not autonomous. Are you sure your firewall is not haunted … ;D.
You can carefully examine the system log to see when (and if) Snort is restarting. Do these "rule changes" coincide with restarts logged in the system log? Is it possible someone else has access to your firewall and is making changes?
I would suggest completely removing the package and then reinstalling it. If that does not do it, then uncheck the box on the GLOBAL SETTINGS tab for saving settings and remove the package again and reinstall it. Of course this second method will cause a loss of all previous settings, but it's possible that may be necessary to wipe out whatever corruption must exist someplace.
Bill