Snort and Rules options



  • When creating the interface for either wan or vlan/lans the rules sets. Has anyone had any issues where "selecting all" of the rules has made it not function?



  • @ESWBitto:

    When creating the interface for either wan or vlan/lans the rules sets. Has anyone had any issues where "selecting all" of the rules has made it not function?

    It is possible you are hitting a missing preprocessor dependency doing that.  I found a situation in the current 2.5.7 package where it will still miss disabling some rules with preprocessor dependencies.  A fix for that is coming in the 2.5.8 package due out soon.  In the meantime, go to the Preprocessors tab and click to enable every preprocessor on the page, including the SCADA ones.  Then see if Snort will start.  If not, post back with the exact rule set or sets you are using and I will try to duplicate.  By rule sets I mean Snort VRT, Emerging Threats and/or Snort GPLv2 Community.

    There really is no good reason to "select all" rules, though.  That will cause some duplicated effort (as in duplicate rules between the categories).  I assume you maybe have more than one rule set enabled such as Snort VRT and Emerging Threats?  Or maybe you just mean selecting all the rules in a particular set (for instance, all the Emerging Threats rules).  Personally I prefer to use the Snort VRT IPS Policy selection box, and then supplement that with a handful of ET rules like CIARMY and the RBN rules.

    Bill



  • Bill,

    I completely forgot I even made this thread... To answer this issue so that you can have full completeness and resolution in your life I will let you know the outcome. :P In short, yes, it was something that wasn't being selected in the preprocessors. I have since then fixed that... I also have done what you do. I set the Policy to Secure (or whatever the third one is) and then selected all the ET rules. So it's going good now... carry on with life :)

