Netgate Discussion Forum

    Snort :: ET Packages - can't disable them

      rnriley93

      Hello,

      I'm running pfSense version 2.2. I'm using Snort Package version "2.9.7.0 pkg v3.2.3". I recently enabled all of the Emerging Threat (ET) rules. After determining I did not need those rules, I disabled them under the Categories tab on the interface I have them enabled on. Even after rebooting the Snort interface and reloading the Snort service itself, the rules remained. I've tried:

      1. Disabling the rules under the Rules tab, leaving them enabled under the Categories tab… to no avail.
      2. Disabling the rules under the Categories tab, while they were enabled in the Rules tab... to no avail.
      3. Disabling the rules under the Categories tab, while they were disabled in the Rules tab... to no avail.
      4. Disabling the rules under the Rules tab, then removing the rules in the Categories tab, then going to Global Configurations and removing the rules from Snort altogether... to no avail.

      Alerts were still popping up, even with the lowered-opacity yellow "X" symbol (denoting that the rules were disabled by the user) - in every one of the above cases. I've just now rebooted the appliance, though this was my last resort early this morning while no one was around in the office.

      Is this a bug, or is this intended behaviour? If it is the latter, where do I submit a bug report or request to revise the code?

      Thanks!

        bmeeks

        My first guess is you have a duplicate Snort instance running.  That can happen in some rare circumstances with rapid package restart commands.

        To test this, stop Snort using the icon on the SNORT INTERFACES tab.

        Next, open a CLI console session and issue this command:

        
        ps -ax | grep snort

        It should show no running Snort processes.  If it does, then you have found the problem.  You would need to kill the duplicate process. If you do not see two processes, report back.

        The correct way to disable entire rule categories is to uncheck them on the CATEGORIES tab, then click SAVE.

        Bill

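An added example, not part of the original posts: `ps -ax | grep snort` also lists the grep process itself, so this sketch reads `ps -axww` output and reports only real Snort processes, grouped by the `-i` interface argument. The sample process list, PIDs and config paths are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample of `ps -axww` output (PIDs and config paths are made up).
sample_ps() {
cat <<'EOF'
  PID TT  STAT     TIME COMMAND
41201  -  Ss    0:12.40 /usr/local/bin/snort -D -q -c /example/em0/snort.conf -i em0
58833  -  Ss    0:03.07 /usr/local/bin/snort -D -q -c /example/em0/snort.conf -i em0
60412  -  Ss    0:05.51 /usr/local/bin/snort -D -q -c /example/em1/snort.conf -i em1
60990  0  S+    0:00.00 grep snort
EOF
}

# Print "<interface> <pid>" for every process whose executable is snort.
# Matching on the executable field (column 5) skips the "grep snort" line.
snort_instances() {
    awk '$1 ~ /^[0-9]+$/ && $5 ~ /(^|\/)snort$/ {
        iface = "unknown"
        for (i = 6; i < NF; i++)
            if ($i == "-i") iface = $(i + 1)
        print iface, $1
    }'
}

# Print "<interface>: <pids>" for each interface with more than one process.
snort_duplicates() {
    snort_instances | awk '
        { count[$1]++; pids[$1] = pids[$1] " " $2 }
        END { for (k in count) if (count[k] > 1) print k ":" pids[k] }
    ' | sort
}

# Demo on the constructed sample; on a live system pipe `ps -axww` in instead.
sample_ps | snort_duplicates
```

With Snort stopped from the SNORT INTERFACES tab, any line printed by `ps -axww | snort_instances` is a leftover process.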
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.