Newbie Question: How do I know I am using the Snort VRT Subscriber rules?



  • Just set up pfSense, then added Snort and am trying to get my head around it.

    I initially used the Snort VRT FREE Registered User rules.

    I've just paid the $29 Subscription, to get the latest rules moving forward.

    How can I tell that the Subscriber Snort rules are being used, as opposed to the Free 30-day-old Registered User rules?

    When I paid the subscription, I regenerated the oinkcode and did a rule update … so hoping I'm getting the latest rules.

    Would be nice to be able to see & confirm what rules are being used.

    Stuart.



  • If you pasted in your Oinkcode and are not getting errors, then you are getting the subscriber rules.  The Snort web site picks the rules based on the Oinkcode supplied as part of the rules download URL.  The Snort package on pfSense generates that URL for you behind the scenes using the Oinkcode you provide on the GLOBAL SETTINGS tab.

    Other than trusting that, you could manually verify by looking at the Snort VRT rule update release notes and verifying that any newly posted or modified rules show up that way on your box.  You can examine the text of individual rules on the RULES tab for an interface (only the rules from the categories you have selected will display, though).

    Bill
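
The manual check described in the reply above can be scripted. This is an added example, not part of the thread or of the pfSense Snort package: it parses rule text for `sid` and `rev` and compares them with SID/revision pairs copied by hand from a rule update's release notes. The sample rules, SIDs and function names are constructed for illustration.

```python
import re

# An active or commented-out (disabled) rule line; group 3 is the option body.
RULE_RE = re.compile(r'^\s*(#\s*)?(alert|drop|log|pass|reject|sdrop)\b[^(]*\((.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Return {sid: (rev, enabled)} for every rule line in the given text."""
    found = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # ordinary comment or blank line
        sid = SID_RE.search(m.group(3))
        rev = REV_RE.search(m.group(3))
        if sid:
            enabled = m.group(1) is None  # a leading '#' means the rule is disabled
            found[int(sid.group(1))] = (int(rev.group(1)) if rev else 0, enabled)
    return found

def compare(expected, rules_text):
    """expected: {sid: rev} taken from the release notes of a rule update."""
    local = parse_rules(rules_text)
    report = {}
    for sid, want_rev in expected.items():
        if sid not in local:
            report[sid] = "missing"   # new rule has not reached this box
        elif local[sid][0] < want_rev:
            report[sid] = "stale"     # rule present, but at an older revision
        else:
            report[sid] = "current"
    return report

# Constructed sample input: these are not real VRT rules or SIDs.
SAMPLE_RULES = '''\
# Constructed sample lines for the example.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule A"; content:"a"; sid:1000001; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule B (disabled)"; sid:1000002; rev:1;)
'''
# Constructed stand-in for SID/rev pairs read off a release-notes page.
EXPECTED = {1000001: 3, 1000002: 2, 1000003: 1}

if __name__ == "__main__":
    for sid, status in compare(EXPECTED, SAMPLE_RULES).items():
        print(sid, status)
```

Feed it the text of the rules as they exist on your box; SIDs reported as "missing" or "stale" right after a rule update are the ones to look at more closely.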

