Snort 'IPS Policy' rules duplicated?

  • Hi guys,

    I have used Snort in the past but am configuring it again now & going through the process of disabling rules that trigger false positives.

    I have a question….

    I am using one of the 3 built in policy levels, in my case the 'Security' one. When I am editing the active rules, I notice that their is a category for the IPS Security policy itself as well as the 'real rulesets'.

    The IPS Policy category simply contains the same rules from the GPL set, Preprocessors etc....

    Where should I be disabling the rules?

    ![snort rules.png](/public/imported_attachments/1/snort rules.png)
    ![snort rules.png_thumb](/public/imported_attachments/1/snort rules.png_thumb)

  • The IPS Policy selection is shown on the RULES tab so you can see which exact rules have been auto-selected by the chosen policy.  You may already know this, but I will repeat it for the benefit of others who may read this thread.  The Snort VRT tags each of their rules with policy keywords (connectivity, balance or security).  Some rules may have all the keywords associated with them, or just one or two.  The IPS Policy option in the Snort package on pfSense examines all the Snort VRT rules and pulls out only the rules marked with the policy keyword you select.  So it is true that the rules in IPS Policy are actually in all of the other category files.

    Now on to your question.  You can disable the rules in either place (in the actual Category or when viewing the IPS Policy option).  Rules are recorded for user-defined enable/disable states by their GID:SID number, and those are stored in the config.xml of the firewall.  The last thing Snort processes when building the final rules package for an interface is the list of manual user rule state overrides.  So when you click on the rule icons on the RULES tab to force enable or force disable a rule, that rule's GID:SID is recorded in the firewall's Snort configuration along with the state you toggled it to (enabled or disabled).  Snort will then honor your setting for that rule when building the final rules package file (which by the way, is called snort.rules).  The snort.rules file is built by the Snort GUI package code, and will contain only the rules actually being used for the interface.  Rules you have disabled will not be in the snort.rules file.  Conversely, rules you have explicitly enabled will be in the snort.rules file.

    I will also mention that not all rules are enabled in a given category.  This is the way the Snort VRT ships them.  Some rules are commented out (disabled) by default.  Those are displayed in gray on the RULES tab.  You can leave them default disabled, or you can click the toggle icon to force them to the enabled state if you want to use them.  Now here is the tricky part:  when you choose to use the IPS Policy option, any rule tagged with a matching policy keyword (connectivity, balanced or security) is going to be sucked into the final snort.rules file and will get enabled even if it was default disabled in the category file it was pulled from.  So when using IPS Policy, all rules shown will be enabled and used unless you explicitly click the toggle icon to disable one or more of them.


Log in to reply