Activeworx.org Forums
New Post 7/17/2007 5:26 PM
  Ray
55 posts
6th Level Poster


BleedingThreats update re-enables disabled rules?

I just performed a policy update for a v2.6 sensor from BleedingThreats. When I uploaded the policy, Snort failed to restart because all of the rules I had disabled, the ones beginning with "bleeding" and having "BLOCK" in their name, got re-enabled and "fwsam" is not being used. I'm using IDSPM v2.1.0.15.

I disabled them all and uploaded the policy again. This time all was well. Any idea why it re-enabled those disabled alerts?

Also, I changed the "redalert" Custom Rule Type configuration, which required me to create a new database output and delete the old one. When I went to upload the policy using "fast" nothing happened. I had to change it to "update". It's like "fast" isn't checking to see if the snort.conf file was changed.

It also would be very nice if I could double-click the Custom Rule Type output statement and modify the existing one instead of having to create a duplicate, slightly modified, and then delete the original.

Thanks,

Ray

New Post 7/17/2007 6:36 PM
  Jeff Dell
233 posts
www.activeworx.com
1st Level Poster


Re: BleedingThreats update re-enables disabled rules?

rpesek wrote:
    I just performed a policy update for a v2.6 sensor from BleedingThreats. When I uploaded the policy, Snort failed to restart because all of the rules I had disabled, the ones beginning with "bleeding" and having "BLOCK" in their name, got re-enabled and "fwsam" is not being used. I'm using IDSPM v2.1.0.15.

    I disabled them all and uploaded the policy again. This time all was well. Any idea why it re-enabled those disabled alerts?

I will look into this. If I could guess... I would think the rule is being updated and when this happens it isn't taking into account if the rule is enabled or disabled.

rpesek wrote:
    Also, I changed the "redalert" Custom Rule Type configuration, which required me to create a new database output and delete the old one. When I went to upload the policy using "fast" nothing happened. I had to change it to "update". It's like "fast" isn't checking to see if the snort.conf file was changed.

Fast update should always update the snort.conf no matter if a rule has been enabled or not. I will look into this.

rpesek wrote:
    It also would be very nice if I could double-click the Custom Rule Type output statement and modify the existing one instead of having to create a duplicate, slightly modified, and then delete the original.

I agree it would be nice to have a simple copy for the custom rule types. I will add this to my to-do list.

Cheers,

Jeff
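An added example, not IDSPM or Activeworx code, of the check a sensor admin would want around the failure discussed in this thread: record which SIDs are commented out before a rule-set update, re-apply that set to the updated rule file, and flag enabled rules carrying an fwsam option when snort.conf loads no alert_fwsam output. The rule lines, SIDs and snort.conf fragment are constructed; the fwsam option and alert_fwsam output syntax assumed here are SnortSam's.

```python
# Added example, not IDSPM/Activeworx code. Models the behaviour Jeff guesses
# at: an update rewrites every rule line and loses the disabled state, so the
# old disabled SIDs are re-applied and rules needing fwsam (SnortSam) flagged.
import re
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^#?\s*(alert|log|pass|drop|reject|sdrop)\b")

def disabled_sids(rules_text):
    """SIDs of rules that are present but commented out ('#alert ...')."""
    sids = set()
    for line in rules_text.splitlines():
        s, m = line.strip(), SID_RE.search(line)
        if s.startswith("#") and m and ACTION_RE.match(s):
            sids.add(int(m.group(1)))
    return sids

def reapply_disabled(updated_text, sids):
    """Comment out each rule in the updated file whose SID was disabled before."""
    out = []
    for line in updated_text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) in sids and not line.lstrip().startswith("#"):
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"

def unsupported_fwsam_rules(rules_text, snort_conf):
    """SIDs of enabled rules with an fwsam option while snort.conf loads no
    alert_fwsam output; unpatched Snort rejects them at startup."""
    if re.search(r"^\s*output\s+alert_fwsam\b", snort_conf, re.M):
        return set()
    bad = set()
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if (m and ACTION_RE.match(line) and not line.startswith("#")
                and re.search(r"\bfwsam\s*:", line)):
            bad.add(int(m.group(1)))
    return bad

# Constructed sample: SIDs 9000001/9000002 and the conf line are made up.
OLD_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE SSH scan"; sid:9000001; rev:1;)
#alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE BLOCK bad host"; fwsam: src, 1 hour; sid:9000002; rev:1;)
"""
UPDATED_RULES = OLD_RULES.replace("#alert", "alert").replace("rev:1", "rev:2")
SNORT_CONF = "output database: alert, mysql, user=snort dbname=snort host=localhost\n"
def merged_rules():
    """Re-apply the pre-update disabled set; returns (merged text, unsupported SIDs)."""
    merged = reapply_disabled(UPDATED_RULES, disabled_sids(OLD_RULES))
    return merged, unsupported_fwsam_rules(merged, SNORT_CONF)
```

Run `unsupported_fwsam_rules` on the merged file before uploading a policy: an empty result means no BLOCK rule will trip an unpatched Snort on restart.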

 
Copyright 2000-2007 by Activeworx, Inc.
All trademarks and copyrights on this page are owned by their respective owners.