Snort Subscriber Implementation



  • Hey Yall,

    I have set the IPS to "Resolve Flowbits" and IPS Policy "Security" because I do not want to manage the enabling of individual rulesets. "IPS Policy Mode" is set to Policy rather than Alert. I've seen little to no Alerts in the past three days and that's on all Interfaces LAN/OPT1. Is that normal?

    Starting rules update... Time: 2020-10-17 00:12:32
    Downloading Snort Subscriber rules md5 file snortrules-snapshot-29161.tar.gz.md5...
    Checking Snort Subscriber rules md5 file...
    Snort Subscriber rules are up to date.
    Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    Checking Snort OpenAppID detectors md5 file...
    Snort OpenAppID detectors are up to date.
    Downloading Snort AppID Open Text Rules md5 file appid_rules.tar.gz.md5...
    Checking Snort AppID Open Text Rules md5 file...
    There is a new set of Snort AppID Open Text Rules posted.
    Downloading file 'appid_rules.tar.gz'...
    Done downloading rules file.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Extracting and installing Snort AppID Open Text Rules...
    Installation of Snort AppID Open Text Rules completed.
    Extracting and installing Emerging Threats Open rules...
    Installation of Emerging Threats Open rules completed.
    Copying new config and map files...
    Updating rules configuration for: LAN ...
    Updating rules configuration for: JUNKDEVICES ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished. Time: 2020-10-17 00:13:26
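The two settings in the post, "IPS Policy" and "IPS Policy Mode", are driven by the `metadata:policy <name> <action>` tags that Snort Subscriber rules carry. The script below is an added example, not code from the pfSense Snort package or from this thread: it parses constructed sample rule lines, selects the rules that belong to a named policy (connectivity-ips, balanced-ips, security-ips, max-detect-ips), and shows the action each rule ends up with under the "Policy" mode (keep the action from the metadata) versus the "Alert" mode (force every rule to alert). The sample rules, their SIDs and messages are all constructed for illustration; the helper names are this example's own.

```python
"""Added example (not pfSense/Snort package code): resolve which rules an IPS
policy enables and what action they take under the two IPS Policy Modes."""
import re

# Constructed sample rules, written in the metadata style of Snort Subscriber
# rules.  SIDs in the 9000000 range are placeholders, not real rule IDs.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED smb example"; flow:to_server,established; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED web example"; flow:to_server,established; metadata:policy security-ips alert, policy max-detect-ips drop; classtype:web-application-attack; sid:9000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh example, no policy metadata"; classtype:misc-activity; sid:9000004; rev:1;)
"""

# One "policy <name> <action>" pair inside the metadata option.
POLICY_RE = re.compile(r"policy\s+([\w-]+)\s+(alert|drop)")
SID_RE = re.compile(r"\bsid:(\d+);")
META_RE = re.compile(r"metadata:([^;]*);")


def parse_rules(text):
    """Yield (sid, {policy_name: action}) for every rule line in `text`."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        meta = META_RE.search(line)
        policies = dict(POLICY_RE.findall(meta.group(1))) if meta else {}
        yield int(sid.group(1)), policies


def effective_rules(text, policy, mode):
    """Return {sid: action} for the rules that `policy` selects.

    mode == "policy": the action stated in the rule's metadata for that policy
    mode == "alert":  every selected rule is forced to alert
    Rules without a tag for `policy` are not selected at all.
    """
    if mode not in ("policy", "alert"):
        raise ValueError("mode must be 'policy' or 'alert'")
    selected = {}
    for sid, policies in parse_rules(text):
        if policy in policies:
            selected[sid] = policies[policy] if mode == "policy" else "alert"
    return selected


def summarize(text, policy, mode):
    """Count how many selected rules end up as drop vs alert."""
    actions = effective_rules(text, policy, mode).values()
    return {"drop": sum(a == "drop" for a in actions),
            "alert": sum(a == "alert" for a in actions)}


if __name__ == "__main__":
    for mode in ("policy", "alert"):
        print(f"security-ips / mode={mode}:",
              effective_rules(SAMPLE_RULES, "security-ips", mode),
              summarize(SAMPLE_RULES, "security-ips", mode))
```

Running it shows the point of the question: with "security-ips" selected, the SSH rule (no policy tag) is never loaded, and in "Policy" mode the SMB rule is a drop rule while the web rule stays an alert rule; switching the mode to "Alert" turns the drop into an alert without changing which rules are loaded. When reviewing an interface that shows few alerts, the first check is therefore how many of the loaded rules carry the chosen policy tag at all.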



  • I have not seen a snort rule alert since the snort package was updated to take
    long interface names into consideration.
    I have gotten alerts for appid, but that is all.

    I just use the subscriber rules and appid with the same configuration you have.



  • @Impatient thank you for the feedback.

