Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort VRT Rules not firing

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    2
    812
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wiz561
      last edited by

      I've been running Snort now for almost a year and subscribed to the Emerging Threat Open Rules and the Snort VRT Rules.  My Snort subscription just expired so I am now on the community rules for Snort.

      Ever since running Snort on pfsense, I have not seen one snort signature fire or alert.  Every single alert is an "ET" type alert.  In my configs, I have the "Use IPS Policy" checked and the selection is "Security".  All the ET rules are manually checked and none of the snort rules are checked or can even be checked.

      I have a hard time believing that none of the snort rules are being matched over almost a year time period, and we are heavy internet users.  Is there something that I'm not doing that is causing them to not work?

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        You can always create some traffic of your own to trigger some of the Snort VRT rules as a test.

        You can see what rules are actually being enforced if you look in this file /usr/pbi/snort-amd64/etc/snort/snort__{uuid}__{if}/rules/snort.rules where {uuid} is a random number and {if} is the physical interface Snort is running on.

        The choices are grayed out when you choose a policy because the chosen policy dictates the rules selected.  If you want to overrule that, you can do so on the SID MGMT tab using the features there.

        Bill

        1 Reply Last reply Reply Quote 0
        • First post
          Last post