Some Snort Rule categories are empty due to Rule Category Reorganization

  • I recently installed the Snort rules on my pfSense machine (Version 2.4.4-RELEASE-p3) for my Suricata IDS/IPS (version 4.1.4_8). As I was configuring and exploring (I'm a newbie), I realized some rule categories are empty. Since I want them so badly, I tried to find out why they are empty. I stumbled upon this old thread here but with no reply. So in my frustration, I flagged the thread and risked being banned (sorry - don't know any better).

    Then I did another web search (after so many Google attempts to find the answer) and discovered the explanation right from the Snort website itself. I'm posting the answer here to serve as a guide to newbies like me. ☺

    Thank you!

  • Yes, the Snort team reorganized the rule category files. They elected to leave the old files in place but empty so as not to cause "file not found" errors with legacy setups. So the end result is that their rules archive package contains some empty files even up until this day. Hopefully they will eventually remove those "empty" files. But so long as they exist in the downloaded rules archive tarball, the pfSense package will continue to display them on the CATEGORIES tab. Those files will just be empty of actual rules, though.
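A quick way to tell a category that is genuinely empty from one that merely looks sparse is to count the uncommented rule lines in each .rules file of the extracted tarball. The script below is an added example, not code from the pfSense package or the Snort project; the action-keyword list and the constructed sample files are assumptions for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# A rule line starts with an action keyword; comments and blank lines do not.
# Assumed keyword list covering common Snort/Suricata actions.
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+")


def count_active_rules(path):
    """Return the number of uncommented rule lines in one .rules file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return sum(1 for line in text.splitlines() if RULE_RE.match(line))


def empty_categories(rules_dir):
    """Return the sorted names of .rules files that carry no active rules."""
    rules_dir = Path(rules_dir)
    return sorted(p.name for p in rules_dir.glob("*.rules")
                  if count_active_rules(p) == 0)


def build_sample_dir():
    """Write constructed sample files standing in for an extracted rules tarball."""
    d = Path(tempfile.mkdtemp(prefix="rules-demo-"))
    # Legacy category kept only so old configs do not hit "file not found".
    (d / "legacy-empty.rules").write_text(
        "# This category was merged into another file.\n"
        "# It is intentionally left empty.\n")
    # A live category: two real rules plus one rule commented out.
    (d / "active.rules").write_text(
        "# constructed example rules\n"
        'alert tcp any any -> any 80 (msg:"constructed 1"; sid:1000001; rev:1;)\n'
        '# alert tcp any any -> any 22 (msg:"disabled"; sid:1000002; rev:1;)\n'
        'drop tcp any any -> any 443 (msg:"constructed 2"; sid:1000003; rev:1;)\n')
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name in empty_categories(sample):
        print(f"{name}: no active rules")
```

Point `empty_categories()` at the directory where pfSense extracted the rules archive to list the categories that will show up on the CATEGORIES tab with nothing in them.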

  • @bmeeks Thanks for summarizing it. Should the link I gave above change in the future, the answer will be preserved here. Well done! :)
