LPIC-3 Exam 303 (Security) — Question 3

Which of the following methods can be used to deactivate a rule in Snort? (Choose TWO correct answers.)

Answer options

• A. By placing a # in front of the rule and restarting Snort.
• B. By placing a pass rule in local.rules and restarting Snort.
• C. By deleting the rule and waiting for Snort to reload its rules files automatically.
• D. By adding a pass rule to /etc/snort/rules.deactivated and waiting for Snort to reload its rules files automatically.

Correct answer: B, C

Explanation

The correct answers are B and C because adding a pass rule in local.rules allows the specified traffic to be ignored, effectively deactivating the rule. Simply removing the rule and letting Snort reload its rules files also achieves this. Options A and D are incorrect because placing a # in front of a rule does not deactivate it in a standard way, and rules in /etc/snort/rules.deactivated require specific configurations that may not apply.