Shortly (2 -10 minutes) after viewing or turning off rules in IPS, the IPS system stops, and the firewall stops passing traffic.
I can still get in on our Management interface, and when I turn off IPS the firewall passes traffic again. The logs had this to say-
2006:02:20-23:20:52 localhost snort[2870]: FATAL ERROR: /etc/snort/rules/astaro.rules(2712) => No argument passed to keyword " threshold" Make sure you didn't forget a ':' or the argument to this keyword!
Now it sounds pretty obvious-- there's a snort rule written incorrectly that causes the IPS to not work correctly. BUT I never edited the rules themselves, and only turned rules off that were on (not vice versa). So I'm confused as to why it would simply cease to work.
The weirdest part is that it doesn't happen as soon as I turn a rule off... in fact it happens just a few minutes later.
I heard a rumor that updating the IPS rules re-writes them and takes care of a problem like this-- but I don't want to wait for the next update to be able to turn IPS back on... and I can't turn it back on or it will stop passing traffic again.
help much appreciated.
This thread was automatically locked due to age.
