[Snort-users] Snort 2.9.6 doesn't alert using subscribed VRT ruleset but with ETOpen

Joel Esler (jesler) jesler at ...589...
Fri Apr 4 13:14:30 EDT 2014

Have you tried:

Rule 2100498 is a copy of the VRT rule sid:498. It’s disabled by default in the ruleset, so you may have to enable it (notice that we don’t enable everything by default).

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
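The check behind the reply above (is the SID present but commented out, and if so, uncomment it) can be scripted so the ruleset state is verified instead of guessed. The following is an added example, not code from the reply or from the Snort project. The rules file it creates is constructed: the line for sid:498 is an approximation of the real rule and its content option is an assumption; the second rule is made up.

```shell
#!/bin/sh
# Write a constructed two-rule file standing in for one file of a VRT snapshot.
# The sid:498 line is shipped commented out, which is how a disabled-by-default
# rule looks on disk (rule text is an approximation, content option assumed).
make_sample_rules() {
    cat > "$1" <<'EOF'
# alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:8;)
alert tcp any any -> any 80 (msg:"EXAMPLE enabled rule (constructed)"; content:"foo"; sid:1000001; rev:1;)
EOF
}

# Print enabled, disabled or absent for one SID in one rules file.
# The sid option is matched as "sid:<n>;" so 498 does not match 2100498 or 4980.
sid_state() {
    file="$1"; sid="$2"
    actions='(alert|log|pass|drop|reject|sdrop)'
    sidopt="[[:space:](;]sid:[[:space:]]*${sid}[[:space:]]*;"
    if grep -Eq "^[[:space:]]*${actions}[[:space:]].*${sidopt}" "$file"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${actions}[[:space:]].*${sidopt}" "$file"; then
        echo disabled
    else
        echo absent
    fi
}

# Uncomment the rule carrying the given SID, in place, leaving every other line alone.
enable_sid() {
    file="$1"; sid="$2"
    tmp="${file}.tmp.$$"
    sed -E "/[[:space:](;]sid:[[:space:]]*${sid}[[:space:]]*;/ s/^[[:space:]]*#[[:space:]]*//" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo: show the state before and after enabling sid 498 in the constructed file.
demo_file="./vrt-sample.$$.rules"
make_sample_rules "$demo_file"
echo "sid 498 before: $(sid_state "$demo_file" 498)"
enable_sid "$demo_file" 498
echo "sid 498 after:  $(sid_state "$demo_file" 498)"
rm -f "$demo_file"
```

Run it against a real snapshot as `sid_state rules/attack-responses.rules 498` before changing anything; if the answer is "absent" the rule is in a different file or not in the snapshot at all, and uncommenting is not the fix. After editing, `snort -T -c snort.conf` parses the configuration without sniffing so a typo in an uncommented rule shows up before the sensor is restarted.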

On Apr 4, 2014, at 7:42 AM, ped at ...16771... wrote:

I have subscribed to Snort VRT and received the latest rule set (snortrules-snapshot-2956.tar.gz), I installed snort from source using (http://www.snort.org/assets/158/snortinstallguide293.pdf) guide for Ubuntu 12.04 LTS.

I found snort does not alert on sample malicious requests i.e. DT to ../../../etc/passwd, curl www.testmyids.com, portscan using VRT ruleset. So then I added ETOpen ruleset and it started to alert on the above requests (curl www.testmyids.com, sample ping in local.rules, DNS attack):

04/03-11:32:47.780946  [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} X.X.X.X:80 -> Y.Y.Y.Y:44591
04/03-11:47:28.034106  [**] [1:10000001:0] ICMP test [**] [Priority: 0] {ICMP} X.X.X.X -> Y.Y.Y.Y
04/03-12:01:12.771472  [**] [1:2016016:6] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} X.X.X.X:39613 -> Y.Y.Y.Y:53

As it is the first time I am using VRT (I used ET before and it worked quite well),

[*] is this a normal behavior not to alert on the above events?
[*] if not, is there any configuration I need to set for VRT to work? Here is my snort.conf [https://clbin.com/B8Ikl]
