Snort blocks IP despite disabled rule!


  • Banned

    I have disabled some PDF rules but Snort keeps blocking them!





  • I'm guessing you forgot to restart the interface.
    Go to Services>snort, click on the red X box (where it says enabled). Wait for it to turn green. Wait a few more seconds. Click the green box and wait for it to turn red. Go into blocked hosts and remove the blocked hosts. Done.


  • Banned

    I restarted it several times…

    That's why I found it very odd!



  • @Supermule:

    I have disabled some PDF rules but Snort keeps blocking them!

    Supermule:

    Are you seeing this behavior with the new experimental Snort code I sent you via e-mail a week ago, or is this with the stock 2.5.7 package?  I am not home now where I can check, but I do remember uncovering a problem in the SID enable/disable code a while back and fixing it.  I just can't remember off the top of my head if I fixed it with the 2.5.7 release, or if it is included in the experimental 2.5.8 release I sent you to test.

    To see if the rule is actually disabled, log in to the firewall console via PuTTY or directly, and navigate to the sub-directory containing the rules for the affected interface.  Run "grep SID snort.rules" where you replace SID with the actual Signature ID of the rule you are checking.  It should come back with a "#" in front of the rule text if it is disabled.  No "#" means not disabled.

    Bill
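
The check Bill describes, written as a script. This is an added example, not part of the thread or of the Snort package. It matches the `sid:` option exactly, so that a SID which is a prefix of a longer one is not confused with it. The function names, sample rules and SIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a SID is enabled, disabled or missing
# in a Snort rules file (e.g. the interface's snort.rules).

# make_sample_rules PATH: write three constructed rules for the demo.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED pdf sample A"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED pdf sample B"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED pdf sample C"; sid:10000021; rev:1;)
EOF
}

# rule_state FILE SID: print "enabled", "disabled" or "missing".
rule_state() {
    f=$1
    s=$2
    # A bare "grep 1000002" would also hit sid:10000021 (and any port or
    # content value containing the digits), so anchor on "sid:<n>;".
    matches=$(grep -E "sid:[[:space:]]*${s};" "$f" || true)
    if [ -z "$matches" ]; then
        echo missing
        return 0
    fi
    # Enabled if at least one matching line does not start with "#".
    if printf '%s\n' "$matches" | grep -Eqv '^[[:space:]]*#'; then
        echo enabled
    else
        echo disabled
    fi
}

# Demo on the constructed file; on the firewall, pass the real snort.rules.
rules=$(mktemp)
make_sample_rules "$rules"
for n in 1000001 1000002 9999999; do
    echo "sid $n: $(rule_state "$rules" "$n")"
done
rm -f "$rules"
```

If a SID still reports "enabled" after being disabled in the GUI and the interface restarted, the rules file was not regenerated with the change, which is the symptom discussed in this thread.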


  • Banned

    2.5.7.

    I haven't had the time to load the 2.5.8 yet since I am fooking busy at work!

    Get back to you soon Bill when I get to do that. But problems are on 2.5.7!

