1) It will update any rulesets that you've previously downloaded, not just the currently selected one. (It looks at the rulefiles in /etc/snort/rules - community.rules is the community rules, emerging-*.rules is Emerging Threats, anything else is Talos VRT). This means that any rules listed in the Intrusion Detection WUI will be kept up to date.
2) For new rules the updater will choose to enable or disable the rule based on the selected default policy. Rules you've previously checked or unchecked in the Intrusion Detection WUI will be left in the checked or unchecked state you selected unless:
- You've checked 'Apply policy changes' and
- An updated version of the rule has a different policy.
The policies Connectivity -> Balanced -> Security -> Max-Detect have increasing numbers of rules enabled, with 'Connectivity' having the least and 'Max-Detect' the most. Each policy includes all the rules from the lower policies. The updater works out which policy a rule belongs to based on information in the rule. If you just use the WUI to manually download an update it implicitly uses the 'Balanced' policy.
3) Enable live update affects how the updated rules are applied. The default (and the method used by a manual update) is to stop all the instances of Snort and then to re-start them with the new rules. The problem with this is that your network will not be protected by the Intrusion Detection rules during this period, which will probably be a few minutes.
If you select 'Enable live update' the updater will tell Snort to re-read the rules without stopping, which means you will be protected throughout the update. However, to do this the process is similar to starting up another instance of Snort to read the new rules and then swapping it with the existing instance; this means that this method uses quite a bit more memory. If you run out of memory, the system will kill a process (this will change under core update 125).
If you're short on memory and you don't have reason to expect your network to be deliberately targeted, it should be OK not to check this option.
For an estimate of the extra memory, look at how much memory your Snort processes are using under 'Status > Services' in the WUI - you'll use about as much extra memory as one of the Snort processes is using. This is in addition to the memory used by the updater itself - which could be up to 140MB, depending on the selected rulesets.
4) If you have 'Apply policy changes' checked and you change the default policy it will not make any changes to the already existing rules unless, at some point in the future, the rule is changed. In this case the rule will be enabled or disabled according to the selected default policy and the policy of the rule. If you have 'Apply policy changes' unchecked the updater will not make changes to the state of existing rules, but only to new rules.
Unfortunately there's no list of which rules belong in which policy (or at least I can't find one). The Snort FAQ gives the information as to how Talos VRT assign policies, but I doubt you'll find it very helpful. The updater attempts to synthesise the policy from the data included in the rule.
The updater applies the following algorithm to work out the policy:
- If there's metadata in the rule giving the policy, use it.
- Otherwise, use the priority of the rule, with a priority of one corresponding to 'Connectivity' and four to 'Max-Detect'.
- Make sure the resulting policy is either 'Connectivity' or 'Balanced' if the rule is distributed uncommented and 'Security' or 'Max-Detect' if it's commented (this corresponds to the process that the rule source uses to decide whether they're going to distribute the rule commented or uncommented).
The end result is a policy that should be a good approximation to the policy as decided by the supplier.
The most important outcomes of this process are that each policy has more rules included than the next lower policy and that selecting the 'Balanced' policy will select the same rules as just applying the update without any processing.
If you select 'Balanced' as your default policy you will get the same rules enabled or disabled as you would using a manual download of the rules, with only the changes you've made from the WUI.
5) You need to check or uncheck the rule categories that you want in the Intrusion Detection WUI; this controls whether Snort reads the rules from the corresponding rulefile. If a category is not checked, none of the rules in that category will be seen by Snort, no matter whether they're enabled or disabled or whether it's done manually or automatically from the updater. Note that the updater will still update the rules in the disabled categories - it's just that the rules won't be used.
For the individual rules under the top level categories, their state shown reflects the state of the rule. Any changes made by the updater will be shown here and any changes made manually will be taken into account the next time that an update is downloaded. This means that in most cases you can leave the state of individual rules to the updater, but you can still change the state of rules manually if you want.
I hope this answers all your questions adequately. Unfortunately some of the answers are a little complicated.
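The policy derivation in point 4 and the 'Apply policy changes' behaviour in points 2 and 4, written out as an added Python example. This is not the IPFire updater's own code and was not posted by the author above; it is a model of the algorithm as the post describes it. Assumptions: policy metadata is in the Talos form `policy <name>-ips ...` (a rule is assigned to the lowest policy listed, since each higher policy includes the lower ones); a rule with neither policy metadata nor a priority is placed at the edge matching its shipped state (the post does not say what happens here); the 'Apply policy changes' trigger is modelled as the rule's derived policy differing between the old and new versions; the sample rules are constructed for the example, with sids in the local range.

```python
import re

# Policy names in increasing order of coverage: each policy enables every
# rule that the policies before it enable.
POLICIES = ["connectivity", "balanced", "security", "max-detect"]

_ACTION_RE = re.compile(r"(alert|drop|pass|log|reject|sdrop)\b")
_META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
_POLICY_RE = re.compile(r"policy\s+([a-z-]+?)-ips\b")   # e.g. "policy balanced-ips drop"
_PRIORITY_RE = re.compile(r"\bpriority\s*:\s*(\d+)\s*;")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_policy(line):
    """Index into POLICIES for one rule line, or None if the line is not a rule.

    A leading '#' means the supplier shipped the rule disabled (commented).
    """
    text = line.strip()
    commented = text.startswith("#")
    body = text.lstrip("# ")
    if not _ACTION_RE.match(body):
        return None  # blank line or an ordinary comment, not a disabled rule

    idx = None
    # 1) Policy metadata: the rule belongs to the lowest policy that lists it,
    #    because every higher policy includes it as well.
    meta = _META_RE.search(body)
    if meta:
        listed = [p for p in _POLICY_RE.findall(meta.group(1)) if p in POLICIES]
        if listed:
            idx = min(POLICIES.index(p) for p in listed)
    # 2) Otherwise priority 1..4 maps to connectivity..max-detect.
    if idx is None:
        prio = _PRIORITY_RE.search(body)
        if prio:
            idx = min(max(int(prio.group(1)), 1), 4) - 1
    # Assumption (not stated in the post): a rule with neither metadata nor
    # priority is placed at the edge that matches how it was shipped.
    if idx is None:
        idx = 2 if commented else 1
    # 3) Clamp to the half implied by whether the supplier shipped it commented.
    return max(idx, 2) if commented else min(idx, 1)


def enabled_under(line, default_policy):
    """True if the rule is enabled when default_policy is the selected policy."""
    idx = rule_policy(line)
    if idx is None:
        raise ValueError("not a rule: %r" % line)
    return idx <= POLICIES.index(default_policy)


def next_state(old_line, new_line, default_policy, previous_state, apply_policy_changes):
    """State of a rule after an update.

    previous_state is the checked/unchecked state from the WUI, or None when
    the rule is new.  An existing rule keeps its state unless 'Apply policy
    changes' is on and the updated rule belongs to a different policy
    (assumed trigger, see lead-in).
    """
    if previous_state is None:
        return enabled_under(new_line, default_policy)
    if apply_policy_changes and rule_policy(old_line) != rule_policy(new_line):
        return enabled_under(new_line, default_policy)
    return previous_state


def classify(rules_text):
    """Map sid -> policy name for every rule in a rulefile's text."""
    result = {}
    for line in rules_text.splitlines():
        idx = rule_policy(line)
        if idx is None:
            continue
        sid = _SID_RE.search(line)
        if sid:
            result[sid.group(1)] = POLICIES[idx]
    return result


# Constructed sample rulefile (not real Talos/ET rules; sids are in the local range).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"sample balanced rule"; flow:to_server; metadata:policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop; priority:2; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample security rule"; flow:to_server; metadata:policy security-ips drop, policy max-detect-ips drop; priority:3; sid:9000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"priority only, shipped enabled"; priority:3; sid:9000003; rev:1;)
# alert tcp any any -> $HOME_NET 22 (msg:"priority only, shipped disabled"; priority:1; sid:9000004; rev:1;)
# an ordinary comment line, not a disabled rule
"""


def balanced_matches_distribution(rules_text):
    """Check the post's claim: with 'Balanced' as the default policy, every
    rule ends up in the state the supplier shipped it in."""
    for line in rules_text.splitlines():
        if rule_policy(line) is None:
            continue
        if enabled_under(line, "balanced") != (not line.lstrip().startswith("#")):
            return False
    return True


if __name__ == "__main__":
    for sid, policy in classify(SAMPLE_RULES).items():
        print(sid, policy)
    print("balanced == as shipped:", balanced_matches_distribution(SAMPLE_RULES))
```

Note how the clamp in step 3 moves sid 9000003 (priority 3, shipped enabled) down to 'Balanced' and sid 9000004 (priority 1, shipped disabled) up to 'Security', which is what makes the 'Balanced' default reproduce the as-shipped state.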