Disabling Snort Rules
-
Hi all,
I'm working on fine tuning my Snort rules and part of that would like to disable a larger number of them (i.e. several hundred or so) in a given rule set . I see from this post that one way to do this would be to use SID Management:
https://forum.netgate.com/topic/143812/snort-package-4-0-inline-ips-mode-introduction-and-configuration-instructions
Now unfortunately the SID's on the rules I'm interested in disabling aren't necessarily sequential, but the descriptions start out essentially the same way in the "Message" column (e.g. Browser-Android or Server-Apache). Is there an easy way to disable an entire "subcategory" like that for a given rule set or is using individual SID's or SID ranges still the best way to go?
Thanks in advance for your help.
-
@tman222 To me, the best way will take some time as one has to go through the list and in doing so, you gain a better understanding especially if you use Google to look up each that's strange to you.
-
The SID MGMT tab logic uses Perl Regular Expressions to match, so you can put somewhat complicated regex in the disablesid.conf file. You can also include actual rule category names when that works for your purposes. So if you wanted to say disable all of the ET-Chat rules, you would simply put
emerging-chat
on a line in the disablesid.conf file. The SID MGMT files are not limited to just individual SIDs or SID ranges. -
Thanks guys to you both. In fact, I actually looked through the rule sets in more detail over the last couple of days and noticed quite a number of rules that wouldn't be applicable in my particular case, which is just a standard home network. For example, there are number of rules specifically for mail servers which wouldn't be needed (I don't run any mail servers). Since the traffic would be dropped by the firewall anyway there's no need to have it go through the Snort detection engine first and occupy CPU cycles unnecessarily. Anyhow, I was able to grab the relevant rule GID and SID's and add them to the disable list under SID Management. Rebuilt the rule set for the interface(s) and showed up disabled as expected.