How to disable snort_decoder rules?

How do you disable snort_decoder rules?   Like this:

They don't show up in the Signature lists.


I know how to disable individual signatures, but the decoder rules don't show up. I've even disabled the entire Misc category and it does not disable these.



This thread was automatically locked due to age.
  • Hi David,

    Please provide me some time to check this and update you.

    Thanks

  • Appreciate it, Sachin.

    Check this out.  The "(snort_decoder) WARNING: IPV4 packet to broadcast dest address" is also firing on 1) IPv6 packets  2) Unicast packets. 

  • Hi David,

    Navigate through the options 

    • Objects
    • Policies
    • Intrusion Prevention

    Select the IPS policy applied in the firewall rule for intrusion prevention. And allow the snort signatures. PFA screenshots.

    Hope that helps :)

    Thanks

  • Nope, no good.   Note that none of the snort signatures in that list match the rule that is firing.   But, I went and selected all of them, with allow,  just to give it a try and it did not help.  I get several thousand of these a day. 

    As in my previous post, it is also triggered by IPv6 traffic and IPv4 unicast TCP/UDP traffic. Certainly not a rule match for an "IPv4 broadcast".

    FYI, I am in bridge mode, if that helps.

    Thanks!

  • Hi... same problem here... as a side effect, my virtual machines running on my MacBook (VMware Fusion or VirtualBox) cannot obtain an IP address via DHCP if they have a NIC bridged to AirPort Wi-Fi...

    ((--)) = wifi

    <--> = cable

    guest vm nic in bridge mode with macbook wifi ((--)) ap/switch <--> sophos xg <--> main router with dhcp server (not working, blocked by snort_decoder)

    If I connect my MacBook with Ethernet, all is fine

    guest vm nic in bridge mode with macbook ethernet <--> ap/switch <--> sophos xg <--> main router with dhcp server (working)
