Netgate Discussion Forum

    Snort VRT Rules not firing

      wiz561

      I've been running Snort now for almost a year and subscribed to the Emerging Threat Open Rules and the Snort VRT Rules.  My Snort subscription just expired so I am now on the community rules for Snort.

      Ever since running Snort on pfSense, I have not seen one Snort signature fire or alert.  Every single alert is an "ET" type alert.  In my configs, I have the "Use IPS Policy" checked and the selection is "Security".  All the ET rules are manually checked and none of the Snort rules are checked or can even be checked.

      I have a hard time believing that none of the Snort rules are being matched over almost a year time period, and we are heavy internet users.  Is there something that I'm not doing that is causing them to not work?

        bmeeks

        You can always create some traffic of your own to trigger some of the Snort VRT rules as a test.

        You can see what rules are actually being enforced if you look in this file /usr/pbi/snort-amd64/etc/snort/snort__{uuid}__{if}/rules/snort.rules where {uuid} is a random number and {if} is the physical interface Snort is running on.

        The choices are grayed out when you choose a policy because the chosen policy dictates the rules selected.  If you want to overrule that, you can do so on the SID MGMT tab using the features there.

        Bill
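
One way to carry out the check described in the reply above, as an added example that is not part of the original thread: count the active rules in a `snort.rules` file by family, so it is clear whether any non-ET rules are enforced at all. The function names and sample rules are constructed for illustration, and the script assumes Emerging Threats rules carry a `msg` beginning with `ET `.

```shell
#!/bin/sh
# Added example: summarise which rule families are active in a Snort rules file.
# Assumption: Emerging Threats rules carry a msg beginning with "ET "; every
# other active rule is counted as "other" (Snort VRT/community and the like).

# Print "et=N other=N disabled=N" for the rules file given as $1.
rule_summary() {
    awk '
        # A commented-out rule line is a disabled rule.
        /^[ \t]*#[ \t]*(alert|drop|reject|log|pass|sdrop)[ \t]/ { disabled++; next }
        # Active rule: classify by the msg prefix.
        /^[ \t]*(alert|drop|reject|log|pass|sdrop)[ \t]/ {
            if ($0 ~ /msg:[ \t]*"ET /) et++; else other++
        }
        END { printf "et=%d other=%d disabled=%d\n", et, other, disabled }
    ' "$1"
}

# Print the SIDs of active non-ET rules, one per line, sorted numerically.
non_et_sids() {
    awk '
        /^[ \t]*(alert|drop|reject|log|pass|sdrop)[ \t]/ && $0 !~ /msg:[ \t]*"ET / {
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", s)
                print s
            }
        }
    ' "$1" | sort -n
}

# Write constructed sample rules (not real signatures) to the path in $1.
make_sample() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET SCAN constructed sample one"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET POLICY constructed sample two"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SERVER-OTHER constructed sample three"; sid:9000003; rev:1;)
# alert udp any any -> any 53 (msg:"PROTOCOL-DNS constructed disabled sample"; sid:9000004; rev:1;)
# plain comment line, ignored
EOF
}

# With a file argument (for example an interface's snort.rules), report on it.
if [ -n "${1:-}" ]; then
    rule_summary "$1"
    non_et_sids "$1"
fi
```

If `other=0` comes back for the enforcing rules file, no non-ET rules are loaded on that interface, which would explain seeing only ET alerts.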

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.