After every snort update, I have to redo all the rules again! Real pain



  • Hi all,

    Every time I update the rules, I have to go and reconfigure the rules to my liking. The rules which I previously disabled get enabled again, and it is a real nightmare to go through it all again.

    Secondly, if a page has 217 rules and I disable any one of them, then the whole page reloads. So in other words, I have to check "disabled" and then wait for the page to reload.

    Something like Ajax would be good, where I can disable my rules and then hit the Apply button one time.

    Has anyone had a similar situation?



  • I have not yet updated my rules, unless it happened automatically, partly because I'm worried about this issue also. Since there have not been any other replies to this question, I'm assuming that GENERALLY when you update the rules it correctly remembers which rules were active and which were not.

    Please, Jamesdean, could you comment AND tell me if I wanted to be extra sure, or if I had to do a full re-install, how do I make a backup record that I could at least refer to manually in that event? Is it just a text file somewhere I could grab?

    Thanks.

    -Casey



    I feel your pain, hdavy2002 and caseystone, and I am working on making the rule updates easier to work with.

    Here is the problem right now: we have thousands of rules that are installed on every update; some rules get enabled, others get disabled or removed by the rule maintainers.

    How do I track your changes and the rule maintainers' changes at the same time?
    Lucky for us, there are Snort community Perl scripts that will track rule changes for us. I am going to add this in the next release.

    Rules tab ajax will be something I will add at some point to make rule editing easier.

    James



  • Hello jamesdean,

    Is there already a solution for this problem?
    It is also discussed here: http://forum.pfsense.org/index.php?topic=5015.msg30534
    We do block offenders with Snort, and we have some rules that we have to disable because of false positives… especially in the ET SCAN category.

    If this category is disabled, we lose the protection against SSH brute-force attacks ("ET SCAN Potential SSH Scan"), one important reason why Snort was installed. How can we solve this?

    Thanks for your help!

    Oh... I use the latest Snort package 2.8.4.1_5 pkg v.1.7; in the FAQ the problem is solved?

    • Tracking of rule file changes after rule upgrades. (done)... You would not believe how hard this was.


  • I'm on it.

    I'll take a look thursday.

    James

    @sepp_huber:

    Hello jamesdean,

    Is there already a solution for this problem?
    It is also discussed here: http://forum.pfsense.org/index.php?topic=5015.msg30534
    We do block offenders with Snort, and we have some rules that we have to disable because of false positives… especially in the ET SCAN category.

    If this category is disabled, we lose the protection against SSH brute-force attacks ("ET SCAN Potential SSH Scan"), one important reason why Snort was installed. How can we solve this?

    Thanks for your help!

    Oh... I use the latest Snort package 2.8.4.1_5 pkg v.1.7; in the FAQ the problem is solved?

    • Tracking of rule file changes after rule upgrades. (done)... You would not believe how hard this was.


  • @sepp_huber:

    If this category is disabled, we lose the protection against SSH brute-force attacks ("ET SCAN Potential SSH Scan"), one important reason why Snort was installed. How can we solve this?

    Hi sepp_huber,

    One thing you could do is to use thresholds to disable some specific rules. This will survive rule updates. We are using it; it works well.

    Pierre



  • Hello jamesdean,

    I have had the category ET SCAN disabled now for two weeks.

    For two days the rule "ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack" has been blocking a server in our dmznet, although the category is disabled. What's going on here???

    We have defined the whole dmznet as a whitelist entry - no effect.

    Because of this problem I have to disable Snort at the moment.

    Any ideas?



  • No Ideas?



  • @ppomes:

    Hi sepp_huber,

    One thing you could do is to use thresholds to disable some specific rules. This will survive rule updates. We are using it; it works well.

    Pierre

    The solution of using thresholds to suppress some specific rules works for us now.
    Good documentation on what thresholds are and how they work can be found here: http://cvs.snort.org/viewcvs.cgi/checkout/snort/doc/README.thresholding?rev=1.5
    Thanks for the hint!

    The behaviour that rules from disabled categories are used has not occurred again … until now.
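As an added example (not code from this thread or from the pfSense Snort package), the script below records which rule SIDs were commented out before a rule update, re-applies those disables to the freshly downloaded rules file afterwards, and also emits the threshold.conf `suppress` lines Pierre suggests so the same rules stay quiet without editing rule files at all. The sample rule files and their SIDs are constructed placeholders, not real ET/VRT rule ids.

```python
import re

# An active rule starts with an action; a leading '#' marks it as disabled.
RULE_RE = re.compile(r"^(#\s*)?(alert|log|pass|drop|reject|sdrop)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def _logical_lines(text):
    """Yield rule lines with backslash continuations joined, as Snort reads them."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
        else:
            yield buf + raw
            buf = ""
    if buf:
        yield buf

def disabled_sids(text):
    """SIDs of rules that are commented out ('# alert ...'); plain comments are ignored."""
    found = set()
    for line in _logical_lines(text):
        m, sid = RULE_RE.match(line.lstrip()), SID_RE.search(line)
        if m and m.group(1) and sid:
            found.add(int(sid.group(1)))
    return found

def apply_disabled(text, sids):
    """Comment out every active rule whose sid is in `sids`; everything else is kept."""
    out = []
    for line in _logical_lines(text):
        m, sid = RULE_RE.match(line.lstrip()), SID_RE.search(line)
        if m and not m.group(1) and sid and int(sid.group(1)) in sids:
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

def suppress_entries(sids, gen_id=1):
    """threshold.conf 'suppress' lines that silence the same rules without editing rule files."""
    return "".join(f"suppress gen_id {gen_id}, sig_id {sid}\n" for sid in sorted(sids))

# Constructed sample rule files (before and after an update); SIDs are placeholders.
OLD_RULES = """# alert tcp any any -> $HOME_NET 22 (msg:"sample scan rule"; sid:9000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"sample web rule"; \\
    sid:9000002; rev:1;)
# maintainer comment, not a rule
"""
NEW_RULES = """alert tcp any any -> $HOME_NET 22 (msg:"sample scan rule"; sid:9000001; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"sample web rule"; sid:9000002; rev:1;)
alert tcp any any -> $HOME_NET 443 (msg:"new rule"; sid:9000003; rev:1;)
"""
```

Run `disabled_sids` on the rules files before the update, then `apply_disabled` on the updated files (or write `suppress_entries` into threshold.conf) so that the maintainers' additions and removals come through while your own disables survive.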

