Force-disable this rule and remove it from the current rule set



  • I keep having TeamViewer blocked on outbound connections.  Keeping up with the various IPs and ports used makes it a chore to keep using TeamViewer to remotely admin computers around our network.  It seems I'm clicking "add this alert to the suppress list" every day.

    What would "force-disable this rule and remove it from the current rule set" do?  Would this force Allow or force Deny everything meant for this rule?  And, if it does allow all, is that a bad idea?



  • Do you mean for Snort or Suricata?  If so, the answer is "yes" to click the FORCE DISABLE RULE icon and disable the rule completely if you don't want it firing.

    Bill



  • Snort.  So to disable the rule means to force allow the traffic?



  • @MilesDeep:

    Snort.  So to disable the rule means to force allow the traffic?

    That's one way of looking at it.  The actual effect is that the rule is removed from the list that traffic is evaluated against.  Since the rule is not evaluated against traffic, it can't "fire" and trigger an alert.  This is a per-interface setting, so if you run Snort (or Suricata) on multiple interfaces you can have a rule enabled on one and disabled on another.

    Bill