Snort - IPS Policy Selection
-
I have a question about the IPS Policy Selection in Snort. Am I correct in assuming that the IPS Policy Selection does not include ET (Emerging Threats) rules, GPLv2 Community rules, or FEODO Botnet C2 IP Rules?
The reason I'm asking is that, regardless of which policy is selected, the ET rules, GPLv2 Comm Rules and the FEODO Botnet C2 rules can all still be manually enabled.
Whereas the columns for Snort Text Rules and Snort SO Rules become greyed out when activating the policy option. Can someone confirm if my understanding is correct? Thank you!
-
@Enso_: you are correct. Only the Snort VRT ruleset contains the proper metadata keywords for implementing an IPS Policy.
IPS Policy logic in the Snort package reads the policy metadata provided in the Snort VRT rules and uses that data to automatically select rules that have metadata tags matching the chosen IPS policy. Neither ET rules nor any other vendor ruleset contains IPS policy metadata, therefore they can't be automatically screened and selected. That's why those rules remain "selectable" in the GUI but Snort VRT rules do not, when IPS Policy action is enabled.
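To make the selection step concrete, here is an added example (not code from the thread or from the pfSense Snort package): it parses the `policy <name> <action>` entries of each rule's `metadata` keyword and keeps only rules tagged for the chosen policy, so rules without such tags (the ET and community style rules) are left for manual enabling. The sample rules and sids are constructed; how the real package walks the files is an assumption.

```python
import re

# Constructed sample rules (not from the thread). The first two mimic Snort VRT
# rules with "policy <name> <action>" metadata; the last two mimic ET and
# community rules, which carry no policy metadata.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE VRT rule A"; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE VRT rule B"; sid:1000002; rev:1; metadata:policy security-ips alert;)
alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE ET-style rule"; sid:2000001; rev:1; metadata:created_at 2020_01_01;)
alert tcp any any -> any 80 (msg:"EXAMPLE community-style rule"; sid:3000001; rev:1;)
"""

METADATA_RE = re.compile(r"metadata:([^;]*);")
SID_RE = re.compile(r"\bsid:(\d+);")

def policy_tags(rule: str) -> dict:
    """Return {policy_name: action} parsed from the rule's metadata keyword."""
    m = METADATA_RE.search(rule)
    if not m:
        return {}
    tags = {}
    for entry in m.group(1).split(","):
        parts = entry.split()
        # VRT policy entries look like: policy balanced-ips drop
        if len(parts) == 3 and parts[0] == "policy":
            tags[parts[1]] = parts[2]
    return tags

def select_for_policy(rules_text: str, policy: str) -> dict:
    """Map sid -> action for every rule the chosen IPS policy selects automatically."""
    selected = {}
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if not sid:
            continue
        tags = policy_tags(line)
        if policy in tags:
            selected[int(sid.group(1))] = tags[policy]
    return selected

def manual_only_sids(rules_text: str) -> list:
    """Rules with no policy metadata: no policy can screen them, so they stay manual."""
    return [int(SID_RE.search(l).group(1)) for l in rules_text.splitlines()
            if SID_RE.search(l) and not policy_tags(l)]

if __name__ == "__main__":
    for policy in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(policy, select_for_policy(SAMPLE_RULES, policy))
    print("manual-only sids:", manual_only_sids(SAMPLE_RULES))
```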