Snort :: ET Packages - can't disable them
-
Hello,
I'm running pfSense version 2.2. I'm using Snort Package version "2.9.7.0 pkg v3.2.3". I recently enabled all of the Emerging Threat (ET) rules. After determining I did not need those rules, I disabled them under the Categories tab on the interface I have them enabled on. Even after rebooting the Snort interface and reloading the Snort service itself, the rules remained. I've tried:
1. Disabling the rules under the Rules tab, leaving them enabled under the Categories tab… to no avail.
2. Disabling the rules under the Categories tab, while they were enabled in the Rules tab... to no avail.
3. Disabling the rules under the Categories tab, while they were disabled in the Rules tab... to no avail.
4. Disabling the rules under the Rules tab, then removing the rules in the Categories tab, then going to Global Configurations and removing the rules from Snort altogether... to no avail.
Alerts were still popping up, even with the lowered-opacity yellow "X" symbol (denoting that the rules were disabled by the user) - in every one of the above cases. I've just now rebooted the appliance, though this was my last resort early this morning while no one was around in the office.
Is this a bug, or is this intended behaviour? If it is the latter, where do I submit a bug report or request to revise the code?
Thanks!
-
My first guess is you have a duplicate Snort instance running. That can happen in some rare circumstances with rapid package restart commands.
To test this, stop Snort using the icon on the SNORT INTERFACES tab.
Next, open a CLI console session and issue this command:
ps -ax | grep snort
It should show no running Snort processes. If it does, then you have found the problem. You would need to kill the duplicate process. If you do not see two processes, report back.
The correct way to disable entire rule categories is to uncheck them on the CATEGORIES tab, then click SAVE.
Bill
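The process check described in the reply above, as an added example that is not part of the original thread: it lists Snort processes by executable name (so the `grep snort` line itself is not counted) and flags any interface with more than one instance. The function names, PIDs, paths and the sample `ps` output are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `ps -axww -o pid,command` output (not from a real system).
sample_ps() {
cat <<'EOF'
  PID COMMAND
41873 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
52210 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em0/snort.conf -i em0
60015 /usr/local/bin/snort -D -q -c /usr/local/etc/snort/snort_em1/snort.conf -i em1
60990 grep snort
EOF
}

# Print "PID INTERFACE" for every process whose executable is named snort.
# With Snort stopped in the GUI, any line printed here is a leftover process.
snort_procs() {
    awk '{
        n = split($2, parts, "/")
        if (parts[n] != "snort") next      # skips the header and "grep snort"
        iface = "(none)"
        for (i = 3; i < NF; i++)
            if ($i == "-i") { iface = $(i + 1); break }
        print $1, iface
    }'
}

# Print "INTERFACE: PID PID ..." for each interface with more than one Snort.
snort_duplicates() {
    snort_procs | awk '
        { count[$2]++; pids[$2] = pids[$2] " " $1 }
        END { for (i in count) if (count[i] > 1) print i ":" pids[i] }
    ' | sort
}

# Demo on the constructed sample. On the firewall itself, feed live output:
#   ps -axww -o pid,command | snort_duplicates
sample_ps | snort_duplicates
```
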