Snort Rules Update Problem



  • I have a couple of rules that are enabled by default, but I am never interested in them. Instead of adding all these rules to the suppression list, I tried to disable them. This works up to the next rules update. When I save the system configuration, the disabled rules are listed, i.e. pfSense keeps track of them independent of what is disabled or not in the vendor supplied files. After a restart of the pfSense box the disabled rules are still disabled, but not after triggering an update.

    Is this the way it is supposed to be? Of course, I'd prefer that after an update previously disabled rules should still be disabled provided the rule still exists (which might not be the case after an update).



  • I think the problem is that by downloading new rulesets all of the old rulesets are being replaced by the newer rule files. For each category you have lots of rules, most of them not activated (if you look into these files). I think in this case, suppressing is the best solution for this problem, because the suppression list is not being replaced by new updates.

    You have the opportunity to uncheck categories you don't care for, i.e. policy, chat, info and others. This selection remains after ruleset updates.

    Hope this could help you



  • Using a suppression list is what I have done so far. To my understanding the rules are processed, but there are no warnings for these lists. If you are running pfSense on a small box it seems to be better to avoid any unnecessary processing.

    When you look at the system configuration backup file you'll find entries like

    
     <snortglobal>...
     <rule>...
     <rule_sid_off>||disablesid 2003469||disablesid 2000571||disablesid 2006380||...</rule_sid_off></rule></snortglobal> 
    

    i.e. independent of what is enabled or disabled in the vendor supplied files, pfSense obviously keeps track of manually disabled rules. pfSense remembers manually enabled categories, but ignores manually disabled rules after updates. I don't see any reason why this is necessary since the required information is somehow available. After any update the set of rules might change and old ids might be gone. Nevertheless it would be useful if the state of still existing rules wouldn't change.

    In my case I need only a few rules from the ET policies rule set, so manually editing about 80 rules after every update is cumbersome.



  • okay, now I understand your problem… and I don't know if there is anything planned to fix this (I haven't heard anything from snort developers the last time)...

    but if there are only a few rules, why don't you just copy these rules into your rules.custom file/category where you can add your own rules? I think this file is not being overwritten by updates (I never tried it, but it could work). So you can disable your ET policy category and add these rules into "custom.rules" - or - if it doesn't work, directly into "advanced user pass through" and insert them there. I hope it works ;)
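    The two ideas in this thread (re-applying the `disablesid` list kept in the config backup after a rules update, and pulling just the few rules you actually want into custom.rules) can both be done with a small amount of bookkeeping over the rule files. The script below is an added example, not code from pfSense or the Snort package: it assumes the `<rule_sid_off>` value has the `||disablesid N||` layout quoted above, and that rule lines follow the usual Snort `sid:N;` syntax. The sample rule lines and every SID except the three quoted from the config backup are constructed. Whether the Snort package re-reads files edited this way after an update is not something the thread establishes; the example only shows how the needed state can be recovered and applied.

```python
import re

# Constructed sample: the <rule_sid_off> value as it appears in a pfSense config backup.
# The three SIDs are the ones quoted in the thread; the layout is assumed from that quote.
SID_OFF_VALUE = "||disablesid 2003469||disablesid 2000571||disablesid 2006380||"

# Constructed sample rules file (Snort rule syntax; rule text and SID 2009999 are made up).
SAMPLE_RULES = """\
# comment lines without a sid are left untouched
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE rule one"; sid:2003469; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE rule two"; sid:2000571; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE already off"; sid:2006380; rev:2;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE keep"; sid:2009999; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_disablesid(value):
    """Return the set of SIDs listed as 'disablesid N' in a <rule_sid_off> value."""
    return {int(m) for m in re.findall(r"disablesid\s+(\d+)", value)}


def rule_sid(line):
    """Return the SID of a rule line (active or commented out), or None if it has none."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def reapply_disabled(rules_text, disabled):
    """Comment out every active rule whose SID is in `disabled`.

    Returns (new_text, applied, missing): `applied` is the set of SIDs that were
    actually switched off here, `missing` the disabled SIDs that no longer exist in
    the file at all (the case the thread mentions: ids that vanish after an update).
    """
    out, applied, seen = [], set(), set()
    for line in rules_text.splitlines():
        sid = rule_sid(line)
        if sid is not None:
            seen.add(sid)
        if sid in disabled and not line.lstrip().startswith("#"):
            out.append("# " + line)
            applied.add(sid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", applied, disabled - seen


def extract_rules(rules_text, wanted):
    """Return the rule lines whose SID is in `wanted`, uncommented, ready for custom.rules."""
    keep = []
    for line in rules_text.splitlines():
        if rule_sid(line) in wanted:
            # strip a leading '#' and whitespace so a vendor-disabled rule becomes active
            keep.append(line.lstrip("# ").rstrip())
    return keep


if __name__ == "__main__":
    off = parse_disablesid(SID_OFF_VALUE)
    text, applied, missing = reapply_disabled(SAMPLE_RULES, off | {1234567})
    print(text)
    print("re-disabled:", sorted(applied), "gone after update:", sorted(missing))
    print("\n".join(extract_rules(SAMPLE_RULES, {2006380, 2009999})))
```

    Run it once against the vendor file after an update: `applied` tells you which of your old choices were re-applied, `missing` which SIDs simply no longer exist and can be dropped from the list, and `extract_rules` gives you the handful of lines to paste into custom.rules so the rest of the category can stay unchecked.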



  • Yes, indeed I could try out the custom.rules. I have overlooked this feature.

