Snort pkg v. 1.5 Categories Disable Rules after update

  • Does anyone have the same experience on Snort pkg v. 1.5 in disabling Rules?

    As I am not very good at explaining such cases, these are my steps:

    For example:
    I go to Snort "Categories" and select "emergency-scan.rules", then disable one of the rules (SID "2002992" ET SCAN Rapid POP3 Connections - Possible Brute Force Attack) and click "Apply Changes".

    Then I run an "Update Rules" and go back to this "emergency-scan.rules" interface, and the "SID" rule I last disabled has become activated again.

    Isn't it supposed to stay as disabled?


  • DavC

    Yes, every time you make rule changes they are reset if you do a rule update.

    I'm working on a solution right now. This is very important to me too.
    I want to have this fixed in the next 2 days.


  • James,

    Many thanks for looking after this issue.

    Look forward to hearing the good news from you.

    Best Regards,


  • James…

    I'm still seeing double error notifications. Any idea why?

  • They're not error messages, just Snort statistics and general info.
    I'm going to disable logging to system logs on start-up by editing the Snort source code.