Snort logging
-
I have enabled the 'Snort Community Ruleset' in my pfSense configuration, along with the 'Balanced' IPS Policy. Are alerts related to these rules supposed to get logged? The only Snort alerts currently logged are related to the various 'ET Open Rules' that I have selected (all alerts that are logged are prefixed with 'ET'), and I haven't found a configuration setting specifically related to logging for the Snort Community Ruleset. Thanks…
-
All rules are logged exactly the same way in the same places (ALERTS tab and also the system log if you have that option enabled). If you don't have alerts from your Snort VRT Community rules, then either none of those rules have yet been triggered, or you don't have them actually enabled. The Community set ships with the vast majority of the rules disabled. You must enable the ones you want to use. You do this on the RULES tab by selecting the Community rules in the CATEGORY drop-down and then enabling the rules you want to use.
The IPS Policy rules do not produce false positives very often, so it is normal for them to be quiet.
Bill
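To see the point in the answer above concretely, here is an added example (not code from this thread, from pfSense, or from the Snort project) that reads a Snort `.rules` file and reports, per rule family, how many rules are active and how many are commented out. Snort disables a rule by prefixing it with `#`, so a ruleset can be loaded and still never alert if nothing in it is enabled. The rule lines, the `COMMUNITY` message prefix and the SIDs in `SAMPLE_RULES` are constructed placeholders for illustration; only the `ET` prefix comes from the question.

```python
"""Summarise which rules in a Snort .rules file are actually enabled.

Added example for the thread above; not pfSense or Snort project code.
Snort treats a rule line that begins with '#' as disabled, so a file can
hold thousands of rules while only a handful can ever fire. The sample
rules below are constructed: placeholder SIDs and messages, not real rules.
"""
import re

# Constructed sample ruleset. Lines starting with '# alert' are disabled rules;
# the other '#' lines are ordinary comments and are ignored by the parser.
SAMPLE_RULES = """\
# Constructed community-style rules (placeholder SIDs)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"COMMUNITY FTP placeholder one"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"COMMUNITY WEB placeholder two"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"COMMUNITY SMTP placeholder three"; sid:9000003; rev:1;)
# Constructed ET-style rules (placeholder SIDs)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS placeholder four"; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY placeholder five"; sid:9000005; rev:1;)
"""

# Snort rule actions; a line is a rule only if one of these follows the optional '#'.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>' + "|".join(ACTIONS) + r')\b.*?'
    r'msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+)'
)


def parse_rules(text):
    """Yield (enabled, sid, msg) for each rule line; plain comments are skipped."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield (m.group("disabled") is None, int(m.group("sid")), m.group("msg"))


def family(msg):
    """First word of the msg field, e.g. 'ET'. This prefix is what shows up
    at the start of each alert, so it tells you which ruleset fired."""
    words = msg.split()
    return words[0] if words else ""


def summarize(text):
    """Per-family counts of enabled and disabled rules."""
    summary = {}
    for enabled, _sid, msg in parse_rules(text):
        entry = summary.setdefault(family(msg), {"enabled": 0, "disabled": 0})
        entry["enabled" if enabled else "disabled"] += 1
    return summary


def enabled_sids(text):
    """Sorted SIDs of the rules that can actually generate alerts."""
    return sorted(sid for enabled, sid, _msg in parse_rules(text) if enabled)


if __name__ == "__main__":
    # Point this at the .rules files Snort loads to check what is really active.
    for fam, counts in summarize(SAMPLE_RULES).items():
        print(f"{fam:10s} enabled={counts['enabled']} disabled={counts['disabled']}")
```

Run against the sample, the `COMMUNITY` family shows one enabled rule and two disabled, while both `ET` rules are enabled, which is exactly the situation described in the thread: the ET alerts appear in the log because those rules are active, and the community rules stay silent until they are switched on in the RULES tab. Pointing `summarize` at the rules files Snort actually loads on the firewall gives the same check without guessing from the alert log.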