Snort GPLv2 Community Rules Disabled



  • Hi,

    Snort 2.9.7.6 is running on my APU pfSense 2.2.6.

    I see that most of the rules in the GPLv2 Community Rules are disabled.

    The policy is set on security.

    Why are almost all the rules disabled in the GPLv2 Community? And do I have to turn them on by hand, or is it not necessary?

    Thanks



  • That is the way the GPLv2 rules are shipped by the vendor.  That is not uncommon.  If you look through all the rules in any of the rules packages, you will find quite a number of disabled rules.  They are disabled for many reasons.  The vulnerability is old and most users are patched now, so the maintainers disable the rule to prevent needlessly consuming resources.  Some rules are prone to false positives, so the maintainers disable them by default and let individual admins choose to enable them on a case-by-case basis.

    The IPS Policy setting keys off of specific metadata that the Snort VRT includes in their rules package only.  So Emerging Threats and GPLv2 rules do not have the IPS Policy metadata in them.

    Bill



  • You can use the features on the SID MGMT tab to help automate "turning on" many of the GPLv2 rules. Go to that tab, enable SID MGMT, then read through the comments in the sample enablesid.conf file. Click the edit icon beside the file to open it for viewing. It has comments to show you how to use the feature. Should you decide to use the feature, create your own enablesid.conf file and name it something besides "sample". That's because those sample files are overwritten on each package reinstall, so if you make changes to the sample files they will get lost on the next update.

    Bill
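As an added illustration of what the two answers above describe (this is example code, not part of the thread and not the pfSense Snort package's own code): the script below shows how vendor-disabled rules look in a rules file (the rule line is commented out with a leading `#`), counts enabled versus disabled rules, and re-enables a chosen set by `gid:sid`. The rules and the enable list are constructed samples; the `gid:sid` list syntax with comma separation, ranges and `#` comments follows PulledPork's enablesid.conf convention, and whether pfSense's sample file accepts exactly that syntax is an assumption, so check the comments in that file before relying on it.

```python
import re

# Constructed sample in the shape of a Snort GPLv2 community rules file.
# Rules the vendor ships disabled are commented out with a leading "#".
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP old exploit"; sid:1000001; gid:1; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB probe"; sid:1000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE DNS noisy"; sid:1000003; gid:1; rev:2;)
# A plain comment line: no rule action after the hash, so it is not a rule.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE ICMP"; sid:1000004; rev:1;)
"""

# Constructed enablesid-style list (hypothetical content). Syntax assumed here:
# "gid:sid" entries, comma separated, optional ranges "gid:sid-gid:sid",
# and "#" comments (PulledPork convention; pfSense's own file may differ).
SAMPLE_ENABLESID = """\
# enable the two old rules we still want on this network
1:1000001,1:1000003   # trailing comments are allowed
# 1:1000004            # a commented-out entry is ignored
"""

ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
RULE_RE = re.compile(
    r"^\s*(?P<hash>#\s*)?(?P<action>" + "|".join(ACTIONS) + r")\s+(?P<body>.*)$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Return one dict per rule line: gid, sid, enabled flag and line index."""
    rules = []
    for idx, line in enumerate(text.splitlines()):
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or an ordinary comment, not a rule
        sid_m = SID_RE.search(m.group("body"))
        if not sid_m:
            continue  # malformed rule without a sid; skip it
        gid_m = GID_RE.search(m.group("body"))
        rules.append({
            "gid": int(gid_m.group(1)) if gid_m else 1,  # Snort's default gid is 1
            "sid": int(sid_m.group(1)),
            "enabled": m.group("hash") is None,
            "line": idx,
        })
    return rules


def count_states(text):
    """Return (enabled, disabled) rule counts for a rules file."""
    rules = parse_rules(text)
    enabled = sum(1 for r in rules if r["enabled"])
    return enabled, len(rules) - enabled


def parse_enablesid(text):
    """Expand an enablesid-style list into a set of (gid, sid) tuples."""
    wanted = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments
        if not entry:
            continue
        for item in entry.split(","):
            item = item.strip()
            if not item:
                continue
            if "-" in item:  # range: gid:sid-gid:sid, both ends inclusive
                lo, hi = item.split("-", 1)
                gid, lo_sid = (int(x) for x in lo.split(":"))
                hi_gid, hi_sid = (int(x) for x in hi.split(":"))
                if gid != hi_gid:
                    raise ValueError(f"range crosses gids: {item}")
                wanted.update((gid, s) for s in range(lo_sid, hi_sid + 1))
            else:
                gid, sid = (int(x) for x in item.split(":"))
                wanted.add((gid, sid))
    return wanted


def apply_enablesid(rules_text, enablesid_text):
    """Return the rules text with every listed, currently disabled rule uncommented."""
    wanted = parse_enablesid(enablesid_text)
    lines = rules_text.splitlines()
    for r in parse_rules(rules_text):
        if not r["enabled"] and (r["gid"], r["sid"]) in wanted:
            # Strip the leading "#" (and spaces after it) so Snort loads the rule.
            lines[r["line"]] = RULE_RE.sub(
                lambda m: m.group("action") + " " + m.group("body"), lines[r["line"]]
            )
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("before:", count_states(SAMPLE_RULES))
    print("after: ", count_states(apply_enablesid(SAMPLE_RULES, SAMPLE_ENABLESID)))
```

Running it against a real downloaded rules file (read it into `SAMPLE_RULES`) gives the same enabled/disabled split you see on the RULES tab, and the re-enable step is the manual equivalent of what the SID MGMT feature automates. Keep the enable list in a file of your own, as Bill says, rather than editing the shipped sample.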