
snort: disabled rules are not applied until next rule download #1165

Open
filippocarletti opened this issue Apr 9, 2025 · 2 comments
Labels
testing Packages are available from testing repositories

Comments

@filippocarletti
Member

After disabling a rule, it continues to alert.

Steps to reproduce

  • Disable a rule
  • Trigger an alert for the disabled rule
  • Or check if the rule is in /var/ns-snort/rules/snort.rules

Expected behavior

No alert

Actual behavior

The rule is still enabled

Components

NethSecurity 8-24.10.0-ns.1.5.0 r28427-6df0e3d02a
snort3 - 3.6.2.0-r1

See also

root@firewall:~# uci show snort | grep disabled
snort.snort.ns_disabled_rules='1,54577,SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt'
root@firewall:~# grep 54577 /var/ns-snort/rules/snort.rules 
block tcp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt"; flow:to_client,established; content:"|FF|",depth 1; byte_test:1,=,0,4,bitmask 0x78; content:"|00 18|",depth 40,offset 22; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:dns; reference:cve,2020-1350; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1350; classtype:attempted-user; sid:54577; rev:4; )
root@firewall:~# ls -l /etc/config/snort 
-rw-------    1 root     root           791 Apr  9 12:17 /etc/config/snort
root@firewall:~# ls -l /var/ns-snort/rules/snort.rules 
-rw-r--r--    1 root     root      10576428 Apr  9 09:48 /var/ns-snort/rules/snort.rules
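
The check from the reproduction steps (is a disabled SID still present in the rules file?) as a reusable script. This is an added example, not part of the original issue or NethSecurity's code; the `stale_sids` and `make_sample` names, the sample files, and the reading of each `ns_disabled_rules` entry as `gid,sid,description` are assumptions inferred from the single value shown above.

```shell
#!/bin/sh
# Added example: list disabled SIDs that are still active in a rules file.
# Assumption: each ns_disabled_rules entry is "gid,sid,description".

# stale_sids ENTRIES RULES
#   ENTRIES: file with one disabled-rule entry per line
#   RULES:   rules file, e.g. /var/ns-snort/rules/snort.rules
# Prints "gid:sid" for every disabled entry that still has an active rule.
stale_sids() {
    entries=$1
    rules=$2
    while IFS=, read -r gid sid _desc; do
        # Skip malformed entries instead of building a pattern from them.
        case $gid in ''|*[!0-9]*) continue ;; esac
        case $sid in ''|*[!0-9]*) continue ;; esac
        # Active rule: not commented out, and carrying exactly "sid:N;".
        if grep -v '^[[:space:]]*#' "$rules" |
            grep -Eq "(^|[ (;])sid:[[:space:]]*$sid;"; then
            printf '%s:%s\n' "$gid" "$sid"
        fi
    done < "$entries"
}

# make_sample DIR: write constructed sample data (not real rule content).
make_sample() {
    cat > "$1/entries" <<'EOF'
1,54577,SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt
1,1000001,constructed entry, commented out in the rules file
1,545,constructed entry whose SID is only a prefix of active SIDs
EOF
    cat > "$1/rules" <<'EOF'
block tcp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"constructed A"; sid:54577; rev:4; )
# alert tcp any any -> any any ( msg:"constructed B"; sid:1000001; rev:1; )
alert tcp any any -> any any ( msg:"constructed C"; sid:5457; rev:1; )
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    stale_sids "$d/entries" "$d/rules"   # prints 1:54577
    rm -rf "$d"
}
demo
```

A non-empty result after a rule has been disabled means the rules file has not been regenerated, which is the state this issue reports.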
@filippocarletti
Member Author

Workaround: /usr/bin/ns-snort-rules --download --restart
Can't we adjust rules without downloading them again?

@Tbaile Tbaile moved this from ToDo 🕐 to In Progress 🛠 in NethSecurity Apr 10, 2025
@Tbaile Tbaile added this to the NethSecurity 8.6 milestone Apr 10, 2025
@Tbaile Tbaile self-assigned this Apr 10, 2025
@Tbaile Tbaile changed the title snort: disabled rules not disabled snort: disabled rules are not applied until next rule download Apr 11, 2025
@Tbaile
Collaborator

Tbaile commented Apr 16, 2025

QA Image: 24.10.0-ns.1.5.1-6-gb3f3e7e7
Check issue does not reproduce
Also, check testing mode following the new README.

@Tbaile Tbaile added the testing Packages are available from testing repositories label Apr 16, 2025
@Tbaile Tbaile assigned filippocarletti and unassigned Tbaile Apr 16, 2025
@Tbaile Tbaile moved this from In Progress 🛠 to Testing in NethSecurity Apr 16, 2025
Projects
Status: Testing

2 participants