Netgate Discussion Forum

    Snort GPLv2 Community Rules Disabled

      Soonie

      Hi,

      Snort 2.9.7.6 is running on my APU pfSense 2.2.6.

      I see that most of the rules in the GPLv2 Community Rules are disabled.

      The policy is set to security.

      Why are almost all the rules disabled in the GPLv2 Community? And do I have to turn them on by hand, or is it not necessary?

      tnx

      pfSense Community edition  APU1D4 AMD G-T40E Processor 2 / 4 GB DDR3-1066 DRAM 16GB m-SATA SSD / IDS Snort

        bmeeks

        That is the way the GPLv2 rules are shipped by the vendor.  That is not uncommon.  If you look through all the rules in any of the rules packages, you will find quite a number of disabled rules.  They are disabled for many reasons.  The vulnerability is old and most users are patched now, so the maintainers disable the rule to prevent needlessly consuming resources.  Some rules are prone to false positives, so the maintainers disable them by default and let individual admins choose to enable them on a case-by-case basis.

        The IPS Policy setting keys off of specific metadata that the Snort VRT includes in their rules package only.  So Emerging Threats and GPLv2 rules do not have the IPS Policy metadata in them.

        Bill
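
Added example, not part of the thread and not code from the pfSense Snort package: a small Python parser that reports, for a rules file, how many rules ship disabled and which disabled rules lack the policy metadata tag an IPS Policy could select on. The rule lines are constructed samples, the function names are hypothetical, and `security-ips` is assumed as the tag for the Security policy.

```python
import re

# Constructed sample rules, not taken from any real rules package. A "#" in
# front of the rule action is how a rule is shipped in the disabled state.
SAMPLE_RULES = r"""
# ordinary comment line, ignored by the parser
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE one"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE two"; metadata:policy security-ips alert; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE three"; sid:1000003; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE four"; gid:1; sid:1000004; rev:1;)
"""

RULE_RE = re.compile(r"^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\(.*\)\s*$")
POLICY_RE = re.compile(r"policy\s+([\w-]+)\s+(\w+)")

def parse_rules(text):
    """Return one dict per rule line: gid, sid, enabled flag, policy tags."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = re.search(r"\bsid\s*:\s*(\d+)", line)
        if not m or not sid:
            continue  # blank line, plain comment, or not a complete rule
        gid = re.search(r"\bgid\s*:\s*(\d+)", line)
        meta = re.search(r"\bmetadata\s*:\s*([^;]*);", line)
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,  # GID defaults to 1
            "sid": int(sid.group(1)),
            "enabled": m.group(1) is None,  # no leading "#" means enabled
            "policies": dict(POLICY_RE.findall(meta.group(1))) if meta else {},
        })
    return rules

def summarize(rules, policy="security-ips"):
    """Count shipped-disabled rules and rules tagged for the given policy."""
    return {
        "total": len(rules),
        "disabled": sum(not r["enabled"] for r in rules),
        "tagged": sum(policy in r["policies"] for r in rules),
    }

def disabled_without_policy(rules, policy="security-ips"):
    """GID:SID of disabled rules that carry no tag for the given policy."""
    return [f'{r["gid"]}:{r["sid"]}' for r in rules
            if not r["enabled"] and policy not in r["policies"]]

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(summarize(parsed))
    print(disabled_without_policy(parsed))
```

Run against a real rules file by passing its text to `parse_rules`; a `tagged` count of zero means the policy setting has nothing to key off in that file.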

          bmeeks

          You can use the features on the SID MGMT tab to help automate "turning on" many of the GPLv2 rules.  Go to that tab, enable SID MGMT, then read through the comments in the sample enablesid.conf file.  Click the edit icon beside the file to open it for viewing.  It has comments to show you how to use the feature.  Should you decide to use the feature, create your own enablesid.conf file and name it something besides "sample".  That's because those sample files are overwritten on each package reinstall, so if you make changes to the sample files they will get lost on the next update.

          Bill

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.