Snort rule modification
-
Hello everyone,
I have a question regarding Snort rules.
I have enabled the "Security" IPS Policy Selection on a VLAN, and after looking into it, I noticed that many rules are disabled by default.
When I enable one of them, there is still a "#" symbol in front of it, which, from what I understand, means that the rule is not being applied despite being enabled.
How can I remove this "#" symbol? Is it possible to access a file that contains all the rules so I can count how many are not activated (i.e., have a "#" in front of them) compared to the total number of rules?
Thank you for your answers
-
If you want to specifically enable rules that are "default disabled" by the rule authors, then you can do that on the RULES tab by selecting the appropriate category, finding the rule by SID in the list, and clicking the "Force Enable" option for that specific rule.
You can also use the SID MGMT tab features to do this. Examples are provided in the sample conf files on that tab.
The rule authors will disable a number of rules in their rulesets. This is something many users do not realize. Rules that are prone to false positives in many environments or rules that address very old threats are frequently provided in a "default disabled" state.
Also, when using IPS Policy for rule selection, you should be aware that ONLY the Snort VRT ruleset contains the IPS Policy metadata required to automatically select rules by policy. The Emerging Threats rules do not contain IPS Policy metadata and thus are excluded from IPS Policy management.
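The counting the first post asks for, and the IPS Policy metadata point made in the reply, can both be checked directly against a rules file. The script below is an added example, not part of this thread and not code from the pfSense Snort package. It assumes the plain-text Snort rules format (one rule per line, a rule that the authors ship "default disabled" being the same line prefixed with `#`) and uses a constructed sample ruleset; the SIDs, messages and policy tags in it are made up for illustration.

```python
"""Count enabled vs. default-disabled Snort rules and list IPS Policy membership.

Assumptions (not from the thread): rules files are plain text, one rule per
line; a leading '#' on a rule line marks it disabled; VRT-style rules carry
'metadata:policy <name> <action>, ...' while other rulesets may carry none.
"""
import re
import sys
from collections import Counter

ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")

# Optional leading '#', then a rule action and a protocol token.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#)?\s*(?P<action>" + "|".join(ACTIONS) + r")\s+\S+\s"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
POLICY_RE = re.compile(r"\bpolicy\s+([a-z-]+)")

# Constructed sample ruleset; SIDs 9000001-9000004 are placeholders, not real rules.
SAMPLE_RULES = """\
# Constructed sample; header comment, not a rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; flow:to_server,established; content:"/probe"; metadata:policy balanced-ips drop, policy security-ips drop; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE old CGI"; content:"/old.cgi"; metadata:policy security-ips drop; sid:9000002; rev:2;)
#alert udp any any -> $HOME_NET 53 (msg:"SAMPLE noisy DNS"; sid:9000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SAMPLE ssh"; sid:9000004; rev:1;)
"""


def parse_rules(text):
    """Yield one dict per rule line; skip blank lines and ordinary comments.

    A line counts as a rule only if it starts with an action (optionally
    behind '#') and carries a sid option, so prose comments such as
    '# pass through traffic' are not mistaken for disabled rules.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        sid_m = SID_RE.search(line)
        if not m or not sid_m:
            continue
        meta = METADATA_RE.search(line)
        policies = set(POLICY_RE.findall(meta.group(1))) if meta else set()
        yield {
            "line": lineno,
            "sid": int(sid_m.group(1)),
            "disabled": m.group("disabled") is not None,
            "policies": policies,
        }


def summarize(text):
    """Return totals: how many rules are '#'-disabled and how many carry each policy tag."""
    rules = list(parse_rules(text))
    total = len(rules)
    disabled = sum(1 for r in rules if r["disabled"])
    per_policy = Counter(p for r in rules for p in r["policies"])
    return {
        "total": total,
        "disabled": disabled,
        "enabled": total - disabled,
        "disabled_sids": sorted(r["sid"] for r in rules if r["disabled"]),
        "per_policy": dict(per_policy),
    }


def sids_for_policy(text, policy):
    """SIDs that carry the given IPS Policy tag; rules with no metadata never qualify."""
    return sorted(r["sid"] for r in parse_rules(text) if policy in r["policies"])


if __name__ == "__main__":
    # Usage: python snort_rule_count.py [path/to/file.rules]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    s = summarize(text)
    print(f"{s['disabled']} of {s['total']} rules are disabled ('#'); disabled SIDs: {s['disabled_sids']}")
    print(f"rules per IPS policy tag: {s['per_policy']}")
```

Run it against a real rules file from the Snort package's rules directory to get the per-file count; rules 9000003 and 9000004 in the sample, which carry no `metadata:policy` option, never show up in `sids_for_policy()`, which is the behaviour the reply describes for rulesets without IPS Policy metadata.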