Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Newbie Question : How do I know I am using the Snort VRT Subscriber rules

    IDS/IPS
    2
    2
    724
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      StuBoy
      last edited by

      Just setup pfSense, then added Snort and trying to get my head around it.

      I initially used the Snort VRT FREE Registered User rules.

      I've just paid the $29 Subscription, to get the latest rules moving forward.

      How can I tell that the Subscriber Snort rules are being used, as opposed to the Free 30 day old Registered User rules ?

      When I paid the subscription, I regenerated the oinkcode and did a rule update  … so hoping I'm getting the latest rules.

      Would be nice to be able to see & confirm what rules are being used.

      Stuart.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        If you pasted in your Oinkcode and are not getting errors, then you are getting the subscriber rules.  The Snort web site picks the rules based on the Oinkcode supplied as part of the rules download URL.  The Snort package on pfSense generates that URL for you behind the scenes using the Oinkcode you provide on the GLOBAL SETTINGS tab.

        Other than trusting that, you could manually verify by looking at the Snort VRT rule update release notes and verifying that any newly posted or modified rules show up that way on your box.  You can examine the text of individual rules on the RULES tab for an interface (only the rules from the categories you have selected will display, though).

        Bill

        1 Reply Last reply Reply Quote 0
        • First post
          Last post