To try to understand how to import a set of snort rules of my own (namely the emergingthreats.net basis), I started doing a lot of reading...
After reading many postings here about snort rules and why there are 11k-plus snort rules vs. just under 3000 here... and further comments on why not all the rules are active... are the untangle staff smarter, etc...
At the end of it, I understand two things...
1. this is a layer 7 filter so 75% of the snort rules are not applicable.
2. lots of people want all the logging and maybe enable them, regardless of the 100 pages you need to manually parse to activate them if you wish.
I can't help on my quest yet...give me another day or two... nor improve the 75% you may think have been dropped...
That said, if you want to turn on logging for all the rules, this little bit of code run from the terminal will do that for you... you can verify from the gui easily enough...
su postgres
psql uvm
update n_ips_rule set log = 't';
\q
exit
If you instead want to activate them all (no going back to their prechosen options easily except a reload, or a backup restore, which you're on your own for):
su postgres
psql uvm
update n_ips_rule set live = 't';
\q
exit
Hope that helps....
And with any luck, I hope to get some instructions up on how to bulk import a set of snort rules such as those from www.emergingthreats.net
Dave
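Added example, not code from Dave's post or from Untangle: the same bulk update, run inside a transaction with a snapshot table so the previous live/log settings can be put back without a reload or full backup restore. It assumes only the n_ips_rule table and its live and log boolean columns shown above; the rule_id primary-key column used in the restore step is an assumption, so check the real column name with \d n_ips_rule first.

```sql
-- Run as the postgres user inside: psql uvm

-- 1. Snapshot the current rule flags before touching anything.
--    (assumption: no table of this name already exists)
CREATE TABLE n_ips_rule_flags_backup AS
SELECT * FROM n_ips_rule;

-- 2. Do the bulk change inside a transaction so it can be rolled back
--    if the counts look wrong.
BEGIN;

UPDATE n_ips_rule SET log = 't';    -- log every rule
UPDATE n_ips_rule SET live = 't';   -- activate every rule

-- 3. Sanity check: every row should now be live and logging.
SELECT
    count(*)                               AS total_rules,
    count(*) FILTER (WHERE live)           AS live_rules,
    count(*) FILTER (WHERE log)            AS logging_rules,
    count(*) FILTER (WHERE NOT live OR NOT log) AS unexpected;

-- If "unexpected" is 0, keep the change; otherwise run ROLLBACK; instead.
COMMIT;

-- 4. Later: restore the original per-rule choices from the snapshot.
--    rule_id is a hypothetical primary-key column; substitute the real one.
BEGIN;

UPDATE n_ips_rule AS r
SET    live = b.live,
       log  = b.log
FROM   n_ips_rule_flags_backup AS b
WHERE  r.rule_id = b.rule_id;

-- Rows that still differ from the snapshot should be 0 before committing.
SELECT count(*) AS still_different
FROM   n_ips_rule AS r
JOIN   n_ips_rule_flags_backup AS b ON b.rule_id = r.rule_id
WHERE  r.live IS DISTINCT FROM b.live OR r.log IS DISTINCT FROM b.log;

COMMIT;
```

Enabling every rule on a layer-7 filter also raises load and false positives, so the per-rule counts above are worth comparing against the gui before and after.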