Netgate Discussion Forum
    Disabling Snort Rules

    IDS/IPS
    4 Posts 3 Posters 1.2k Views
    • tman222

      Hi all,

      I'm working on fine-tuning my Snort rules, and as part of that I would like to disable a larger number of them (i.e. several hundred or so) in a given rule set. I see from this post that one way to do this would be to use SID Management:

      https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions

      Now, unfortunately, the SIDs of the rules I'm interested in disabling aren't necessarily sequential, but the descriptions start out essentially the same way in the "Message" column (e.g. Browser-Android or Server-Apache). Is there an easy way to disable an entire "subcategory" like that for a given rule set, or is using individual SIDs or SID ranges still the best way to go?

      Thanks in advance for your help.

      • NollipfSense @tman222

        @tman222 To me, the best way will take some time, as one has to go through the list, and in doing so you gain a better understanding, especially if you use Google to look up each one that's strange to you.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • bmeeks

          The SID MGMT tab logic uses Perl Regular Expressions to match, so you can put somewhat complicated regex in the disablesid.conf file. You can also include actual rule category names when that works for your purposes. So if you wanted to, say, disable all of the ET-Chat rules, you would simply put emerging-chat on a line in the disablesid.conf file. The SID MGMT files are not limited to just individual SIDs or SID ranges.

          • tman222
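A worked illustration of the kinds of entries bmeeks describes, added here as an example and not code from the pfSense Snort package: a small Python emulation that applies a disable list holding a single GID:SID, a GID:SID range, a category name and a regex tested against each rule's msg text to constructed sample rules, commenting out the matches the way a disabled Snort rule is commented out. The line formats (including the pcre: prefix) are assumed PulledPork-style conventions, not taken from the thread, and the rule texts and file names are constructed.

```python
import re

def mk_rule(msg, sid):  # constructed rule text in Snort syntax; file names below stand in for categories
    return f'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"{msg}"; sid:{sid}; rev:1;)'

SAMPLE_RULES = {
    "browser-android.rules": [mk_rule("BROWSER-ANDROID sample A", 9001)],
    "server-mail.rules": [mk_rule("SERVER-MAIL sample B", 9002), mk_rule("SERVER-MAIL sample C", 9003)],
    "emerging-chat.rules": [mk_rule("ET CHAT sample D", 9004)],
    "server-apache.rules": [mk_rule("SERVER-APACHE sample E", 9005), mk_rule("SERVER-APACHE sample F", 9006)],
}
# Constructed disable list. Assumed (PulledPork-style) entries: GID:SID, a GID:SID-GID:SID
# range, a category name matched against the rule file stem, and pcre:<regex> tested on the msg.
DISABLE_LIST = """
1:9005
1:9002-1:9003
emerging-chat
pcre:^BROWSER-ANDROID
"""

def parse_disable_list(text):
    spec = {"singles": set(), "ranges": [], "cats": set(), "pcres": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"): continue
        if line.startswith("pcre:"):
            spec["pcres"].append(re.compile(line[5:]))
        elif m := re.fullmatch(r"(\d+):(\d+)-(\d+):(\d+)", line):
            spec["ranges"].append(tuple(map(int, m.groups())))  # (gid_lo, sid_lo, gid_hi, sid_hi)
        elif m := re.fullmatch(r"(\d+):(\d+)", line):
            spec["singles"].add((int(m[1]), int(m[2])))
        else:
            spec["cats"].add(line)
    return spec

def rule_key(rule):  # (gid, sid) of a rule; Snort's default gid is 1 when the option is absent
    gid = re.search(r"\bgid:(\d+);", rule)
    return (int(gid[1]) if gid else 1, int(re.search(r"\bsid:(\d+);", rule)[1]))

def apply_disable_list(rules_by_file, disable_text):
    """Comment out matching rules; return (rewritten files, sorted list of disabled (gid, sid))."""
    spec, out, disabled = parse_disable_list(disable_text), {}, []
    for fname, rules in rules_by_file.items():
        stem, out[fname] = fname.removesuffix(".rules"), []
        for rule in rules:
            key, msg = rule_key(rule), re.search(r'msg:"([^"]*)"', rule)[1]
            hit = (key in spec["singles"] or stem in spec["cats"]
                   or any((a, b) <= key <= (c, d) for a, b, c, d in spec["ranges"])
                   or any(p.search(msg) for p in spec["pcres"]))
            if hit and not rule.startswith("#"):
                rule = "# " + rule  # a leading '#' is how a Snort rule is disabled
                disabled.append(key)
            out[fname].append(rule)
    return out, sorted(disabled)
```

Running it against the sample set disables A via the regex, B and C via the range, D via the category name and E via the single SID, while F stays active; applying the same list a second time changes nothing.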

            Thanks, guys, to you both. In fact, I actually looked through the rule sets in more detail over the last couple of days and noticed quite a number of rules that wouldn't be applicable in my particular case, which is just a standard home network. For example, there are a number of rules specifically for mail servers which wouldn't be needed (I don't run any mail servers). Since the traffic would be dropped by the firewall anyway, there's no need to have it go through the Snort detection engine first and occupy CPU cycles unnecessarily. Anyhow, I was able to grab the relevant rule GIDs and SIDs and add them to the disable list under SID Management. I rebuilt the rule set for the interface(s) and they showed up disabled as expected.
