Snort doesn't produce any alerts



  • Hello,

    I installed pfsense 2 RC3 and the snort package. After downloading the rules (both snort and emerging threats ones) and enabling some of them (e.g. icmp, scan, web from both families) as well as the stream5 and the http_inspect preprocessors, I tried to "trigger" it using various ways (e.g. port scanning, using nikto, etc.). However, no alerts are produced.

    Any ideas?



  • Which pfsense (x86 or amd64)?
    Do you have the pre-processors enabled?  I have all but the performance one enabled.



  • I have installed pfsense x86 in VirtualBox
    I have enabled the "Portscan Detection" (stream5) and the "HTTP Inspect" preprocessors. These should be enough, since I have checked these settings both with the previous version of snort in pfsense, as well as with a clean install (via compilation) of snort in Linux.

    Thanks
    Antonios



  • I seem to be having the same problem.  I'm running:
    2.0-RC3  (amd64)  built on Tue Sep 6 17:46:35 EDT 2011

    Installed snort, configured updates, enabled a WAN interface, enabled all preprocessors, enabled some rules, started it on the interface.  It's been running for about 12 hours now and no alerts.  Not sure how to troubleshoot the issue.  Any suggestions are appreciated.



  • @stvboyle:

    I seem to be having the same problem.  I'm running:
    2.0-RC3  (amd64)  built on Tue Sep 6 17:46:35 EDT 2011

    Installed snort, configured updates, enabled a WAN interface, enabled all preprocessors, enabled some rules, started it on the interface.  It's been running for about 12 hours now and no alerts.  Not sure how to troubleshoot the issue.  Any suggestions are appreciated.

    Have a look at http://forum.pfsense.org/index.php/topic,37557.285/topicseen.html for the cause and the solution of this issue.

