Snort not applying threshold.conf settings



  • Since it's been quite difficult to disable rules, I edited the file "/usr/local/etc/snort/threshold.conf" from Diagnostics > Edit File, then restarted the Snort service (from Status > Services), and then went into the interface and stopped and re-started the monitoring. Even with multiple "suppress" statements in the file, the alerts are still popping into my system. This is making Snort unusable for anything but a viewer of alerts.

    Since Barnyard2 is not working (I'll make another thread on that), I can't do much with SNORT.  :(  Anything I'm missing to get the threshold file working?  Here is a sample of my suppress statement(s):

    suppress gen_id 1, sig_id 882

    Any help would be GREATLY appreciated!  Thank you!



  • @jaysonr:

    Snort.org made changes to how Snort uses thresholds. I can't use the old code; I have to redo it.
    The threshold file gets rewritten on every Snort start, so your changes are being lost.

    Read up on how suppression is done now. Then add a pass-through command that points to a new file.
    Example: include /usr/local/etc/snort/snort_38330_vr1/threshold2.conf
    Do this until I add code in the next release.

    James
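As an added illustration (not from the original thread and not the pfSense Snort package's own code), this is what the pass-through line and a hand-maintained suppression file could look like on Snort 2.8.5, which deprecated the old "threshold" keyword in favour of "event_filter". The interface directory name follows the path James gives above; the extra sig_id values and the IP addresses are placeholders chosen for the example, and sig_id 882 is the one from the question.

```conf
# --- Line added to the generated snort.conf through the package's pass-through ---
# The package regenerates snort.conf and threshold.conf on every start, so the
# hand-edited entries live in a separate file it never touches (assumed path).
include /usr/local/etc/snort/snort_38330_vr1/threshold2.conf

# --- Contents of /usr/local/etc/snort/snort_38330_vr1/threshold2.conf ---

# Never alert on GID 1 / SID 882 (the rule from the question).
suppress gen_id 1, sig_id 882

# Suppress a rule only for a trusted source or destination instead of globally.
# sig_id 2003, 192.0.2.10 and 10.0.0.0/8 are placeholder values.
suppress gen_id 1, sig_id 2003, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 2003, track by_dst, ip 10.0.0.0/8

# Rate-limit rather than silence: at most one alert per source host per 60 s.
# On Snort 2.8.5 this is written as event_filter; "threshold" here is deprecated.
# sig_id 1000 is a placeholder value.
event_filter gen_id 1, sig_id 1000, type limit, track by_src, count 1, seconds 60
```

After editing, a config-only test run (`snort -T -c /usr/local/etc/snort/snort_38330_vr1/snort.conf`) shows whether the include is picked up and whether every suppress/event_filter line parses, before the interface is restarted and alerts start flowing again.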



  • Sorry about not having the version numbers, here they are:
    pfSense: 1.2.3-RELEASE
    Snort: 2.8.5.3 pkg v. 1.19

    I tried to add the "pass-through" variable to the snort.conf file located in my /usr/local/etc/snort/snort_38330_vr1 directory and pointed it to the threshold2.conf file, but that file seems to be overwritten with every restart, so my pass-through variables are lost. Is there any other place I can put this so that it loads?



  • OK, I went ahead and updated to the newest version (lost all my settings again) and now I see the pass-through settings.

    I will start rebuilding my settings and post the results :)



  • @jaysonr:

    You can save your settings using the pfSense backup config thing.

