Snort Package Request:Remembering Enabled/Disabled Sigs

  • Firstly thanks for a great snort package.

    Currently when you use the GUI to enable and disable signatures for snort to use on the next update it overwrite this. Is it possible for it to remember these changes permanently so that when tuning it will remain. This will allow you to disable older sigs not needed anymore and it is a waste inspecting traffic for, enable you to properly disable FP signatures and also enable stuff you do care about. Doing so would mean people could better tune their boxes to provide better detection and better performance.

    Second is it possible for an upgrade to snort to take advantage of the JavaScript deobfuscation (which many web client attacks use) which is what most PFsense installations will be seeing (aside from maybe malware activity). There are also other fixes and preprocessors which may be useful.

    Thanks again.
    Kind Regards,
    Kevin Ross

  • you can use suppressions

  • I know that which is fine for common false positives. The problem however is:

    a) you don't actually disable the rule so it is still inspecting the traffic with the rules and then not alerting so if it was something that was really heavy load and hitting often - it is actually disabled so you are still getting that load.
    b) you can't enable any rules (well have them stay enabled after your update) that you may want to use
    c) you can't properly tune the sensor to disable what you don't need to improve performance
    d) you don't reduce the false positive risk (i.e you may suppress the FPs you have seen but you don't know if a sig for some 2006 vulnerability is going to block something even though you patched it and it isn't used anymore by attacks).