Sunday, September 07, 2008
Meaning of Rule Groups little red block?
When you expand out Rule Groups, some of them have a little red block instead of a green check mark. When I look at those, all of the rules in the right-hand pane are disabled.
When I manually disable all of a group's rules in the right-hand pane, a little red block does not appear in the left-hand pane. What is the little red block supposed to indicate? I thought that it was that all rules in that group were disabled.
If I enable all rules in a group that has the little red block, like chat, it does not change the little red block.
Also, Shift-click multi-select does not work when the number of rules exceeds the visible window. It does let you select all rules between two Shift-clicks, but only if they are all visible in the window.
Take care,
Ray
Re: Meaning of Rule Groups little red block?
This red block means the group is disabled in snort.conf. You can enable/disable all the rules you want on the right panel, but Snort will think they are disabled. In the default snort.conf there are lots of groups that are disabled, but all the individual rules are enabled. We wanted to keep this same format.
If you would like to enable or disable all the rules in the right panel, press Ctrl-A, then click the enable/disable button.
Cheers, Jeff
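The two layers Jeff describes (the group's `include` line in snort.conf versus the `#` in front of individual rules) can be checked directly on a sensor. The script below is an added example written for this thread; it is not IDSPM code and not part of Snort. It assumes the stock snort.conf layout of the time, where each rule group is one `include $RULE_PATH/<group>.rules` line and a group is disabled by commenting that line out. The snort.conf fragment and the rule text embedded in it are constructed sample data (local-range sids, placeholder messages), not taken from any real sensor. It reports, per group, how many rules are enabled in the file and how many Snort will actually load, and lists the groups that look armed but are never loaded, which is exactly the green-rules-under-a-red-block situation asked about above.

```python
"""Cross-check Snort rule groups against the include lines in snort.conf.

Added example for this thread, not code from IDSPM or from Snort.
Assumption: the stock snort.conf layout, where each rule group is one
`include $RULE_PATH/<group>.rules` line and a group is disabled by
commenting that line out. All snort.conf and .rules text below is
constructed sample data, not taken from any real sensor.
"""
import re
from typing import Dict, List, Tuple

# A group is enabled when its include line is live; a leading '#' disables it.
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+\$RULE_PATH/(\S+?)\.rules\s*$")

# A rule header starts with an action keyword; a leading '#' disables that one rule.
RULE_RE = re.compile(
    r"^\s*(#\s*)?(alert|log|pass|activate|dynamic|drop|reject|sdrop)\s"
)


def parse_include_state(conf_text: str) -> Dict[str, bool]:
    """Map group name -> True if its include line is uncommented in snort.conf."""
    groups: Dict[str, bool] = {}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            groups[m.group(2)] = m.group(1) is None
    return groups


def count_rules(rules_text: str) -> Tuple[int, int]:
    """Return (enabled, disabled) rule counts for one .rules file.

    Backslash line continuations are joined first so a rule split across
    lines is counted once rather than as a header plus stray text.
    """
    joined = re.sub(r"\\[ \t]*\n", " ", rules_text)
    enabled = disabled = 0
    for line in joined.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group(1) is None:
            enabled += 1
        else:
            disabled += 1
    return enabled, disabled


def effective_state(conf_text: str, rule_files: Dict[str, str]) -> Dict[str, dict]:
    """Per group: is the include live, how many rules are enabled in the file,
    and how many Snort will actually load (zero when the group is disabled)."""
    include_state = parse_include_state(conf_text)
    report: Dict[str, dict] = {}
    for group, text in rule_files.items():
        live = include_state.get(group, False)  # no include line at all == disabled
        enabled, disabled = count_rules(text)
        report[group] = {
            "group_enabled": live,
            "rules_enabled": enabled,
            "rules_disabled": disabled,
            "rules_active": enabled if live else 0,
        }
    return report


def dead_groups(report: Dict[str, dict]) -> List[str]:
    """Groups whose rules are individually enabled but never loaded because
    the group's include line is commented out."""
    return sorted(g for g, r in report.items()
                  if r["rules_enabled"] > 0 and not r["group_enabled"])


# --- constructed sample data (not from a real snort.conf or rule set) ---
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/chat.rules
#include $RULE_PATH/policy.rules
"""

# sids are in the local range (>= 1000000); the rules are placeholders.
SAMPLE_RULES = {
    "backdoor": r'''alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 \
    (msg:"constructed backdoor sample"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"constructed, disabled individually"; sid:1000002; rev:1;)
''',
    "chat": r'''alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"constructed chat sample 1"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"constructed chat sample 2"; sid:1000004; rev:1;)
''',
    "policy": r'''# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed policy sample"; sid:1000005; rev:1;)
''',
}

if __name__ == "__main__":
    rep = effective_state(SAMPLE_CONF, SAMPLE_RULES)
    for group, r in sorted(rep.items()):
        print(f"{group:10} group_enabled={r['group_enabled']!s:5} "
              f"rules_enabled={r['rules_enabled']} rules_active={r['rules_active']}")
    print("enabled rules that will never fire:", dead_groups(rep))
```

On real files, read snort.conf and each `$RULE_PATH/*.rules` into the two arguments instead of the constructed strings. A group that has enabled rules but shows up in `dead_groups` is the case in the thread: the right-hand pane says enabled, the include line says otherwise, and the include line wins.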
Re: Meaning of Rule Groups little red block?
Jeff wrote:
> This red block means the group is disabled in snort.conf. You can enable/disable all the rules you want on the right panel, but Snort will think they are disabled.
> In the default snort.conf there are lots of groups that are disabled, but all the individual rules are enabled. We wanted to keep this same format.

I'm confused. The two statements feel contradictory. Yes, I am fairly new to Snort. :-)
I think you're saying that if the group is disabled in snort.conf down at the bottom, I will see the red block. If so, then it doesn't matter if the rules are enabled in the right-hand pane of IDSPM. They are still "off" for real, despite the right-hand pane showing they are enabled. Is that correct?
If so, it makes more sense to me to see the right-hand pane dimmed out or something when a group is disabled. When using IDSPM, I cannot manually edit the snort.conf file or the rules files because my manual changes on the sensor will get overwritten on the next upload, won't they?
Changing the icon so it shows a big red X instead of a little red box would also be easier on my half-century-old eyes as well. :-)
Thanks for your time and efforts,
Ray
Re: Meaning of Rule Groups little red block?
rpesek wrote:
> I think you're saying that if the group is disabled in snort.conf down at the bottom, I will see the red block. If so, then it doesn't matter if the rules are enabled in the right-hand pane of IDSPM. They are still "off" for real, despite the right-hand pane showing they are enabled. Is that correct?

This is correct.

rpesek wrote:
> If so, it makes more sense to me to see the right-hand pane dimmed out or something when a group is disabled. When using IDSPM, I cannot manually edit the snort.conf file or the rules files because my manual changes on the sensor will get overwritten on the next upload, won't they?

This is correct. When I talk about editing the snort.conf, I mean if you didn't have IDSPM. How Snort reads the snort.conf is really how IDSPM works. We tried to keep as much of the original configuration options as possible. Another way to easily see which group is enabled and which group is disabled is to click on the "Rule Groups" tree node. Instead of a little red box, it will have a big red button and say False in the Enabled column. As for dimming out the right-hand pane, I agree, that sounds like a great idea.

rpesek wrote:
> Changing the icon so it shows a big red X instead of a little red box would also be easier on my half-century-old eyes as well. :-)

You're not giving your eyes enough credit. You saw that red box just fine. :)
Thanks for all the feedback, it really helps make IDSPM better for everyone.
Cheers,
Jeff
Re: Meaning of Rule Groups little red block?
> You're not giving your eyes enough credit. You saw that red box just fine. :)

You don't know how long I had been looking at it before I saw it. :-)

> Another way to easily see which group is enabled and which group is disabled is to click on the "Rule Groups" tree node. Instead of a little red box, it will have a big red button and say False in the Enabled column.

And to think I was just about to ask you how to re-enable a group in snort.conf from IDSPM, and now I know. :-)
Have you noticed that the left-hand pane does not refresh itself when a change occurs? You have to collapse it and re-expand it. I've noticed this when I've added a new policy, and I just noticed it again when I enabled the backdoor group. The little red block still showed in the left pane until I collapsed it and expanded it.
Also, after I enabled that group, my sensor with that policy still shows as "Status: Current" in Snort Sensors. I would have thought it would show as out of date because its policy just had a bunch of rules added via the backdoor group getting enabled. There's only one sensor listed, so I could not try the collapse-and-expand trick.
Ray
Re: Meaning of Rule Groups little red block?
rpesek wrote:
> Have you noticed that the left-hand pane does not refresh itself when a change occurs? You have to collapse it and re-expand it. I've noticed this when I've added a new policy, and I just noticed it again when I enabled the backdoor group. The little red block still showed in the left pane until I collapsed it and expanded it.

I guess it would be nice to have it refresh. I will add this to my to-do list.

rpesek wrote:
> Also, after I enabled that group, my sensor with that policy still shows as "Status: Current" in Snort Sensors. I would have thought it would show as out of date because its policy just had a bunch of rules added via the backdoor group getting enabled. There's only one sensor listed, so I could not try the collapse-and-expand trick.

This is a known bug and will be fixed when the new build comes out on Friday. On a side note, a feature to dim the right-hand pane when the group is disabled has been added, as well as a few other things to make it easier when working with disabled groups.
Cheers,
Jeff
Re: Meaning of Rule Groups little red block?
Hi Jeff,
If it's after Friday, I won't be ignoring it; I'll be on vacation without a computer. :-)
I cannot wait to see how this thing integrates with Activeworx 4.0. We're planning the upgrade now. It will be nice to allow multiple people to work with the sensors instead of just one.
Thanks for all of your work and especially for your responsiveness. I wish activeworx.com had forums like this.
Take care,
Ray