[Snort-users] Snort 2.9.6 doesn't alert using subscribed VRT ruleset but with ETOpen

ped at ...16771...
Sat Apr 5 04:24:20 EDT 2014


Thanks Joel, the issue was with the disabled rule. Once I enabled it, Snort started to alert using the VRT ruleset.

I know the selection of a ruleset is subject to the environment. Is there any best practice for a set of rules that should be enabled when you want to monitor a single Internet-facing web server and SSH server?

Thanks,
Ped


On Sat, Apr 5, 2014 at 1:14 AM, Joel Esler (jesler) <jesler at ...589...> wrote:

Have you tried:

https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md 

Rule 2100498 is a copy of the VRT rule sid:498. It’s disabled by default in the ruleset, so you may have to enable it (notice that we don’t enable everything by default)

--
 *Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
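One way to check whether a given sid is shipped commented out in a .rules file, and to enable it, as an added example that is not part of this thread or of the Snort project. The rule lines below are constructed for the demo (not real VRT or ET rule text), and the regex encodes an assumption about the rule line layout (optional leading "#", action keyword, options in parentheses with a "sid:N;" option).

```python
import re
from typing import Dict, Optional

# Constructed sample of a Snort .rules file (not real VRT or ET rule text):
# the first rule is shipped disabled (leading "# "), the second is active,
# and the first line is an ordinary comment that must not be treated as a rule.
SAMPLE_RULES = """\
# Rules shipped disabled by default are commented out like the next line.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed id check returned root"; content:"uid=0"; classtype:bad-unknown; sid:498; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh probe"; flow:to_server; sid:9000001; rev:1;)
"""

ACTIONS = r"(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)"
# A rule line, optionally commented out; captures the comment marker and the sid.
# The trailing ";" keeps "sid:498;" from matching "sid:4980;".
RULE_RE = re.compile(
    rf"^\s*(?P<comment>#\s*)?(?P<action>{ACTIONS})\s.*\(.*\bsid\s*:\s*(?P<sid>\d+)\s*;"
)


def rule_states(rules_text: str) -> Dict[int, bool]:
    """Map sid -> True if the rule is active, False if it is commented out."""
    states: Dict[int, bool] = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            states[int(m.group("sid"))] = m.group("comment") is None
    return states


def rule_status(rules_text: str, sid: int) -> Optional[bool]:
    """True = enabled, False = disabled, None = sid not present in this file."""
    return rule_states(rules_text).get(sid)


def enable_sid(rules_text: str, sid: int) -> str:
    """Return the file contents with the rule for `sid` uncommented (enabled)."""
    out = []
    for line in rules_text.splitlines(keepends=True):
        m = RULE_RE.match(line)
        if m and int(m.group("sid")) == sid and m.group("comment") is not None:
            # Drop only the "# " marker; keep any indentation and the rule itself.
            line = line[: m.start("comment")] + line[m.end("comment"):]
        out.append(line)
    return "".join(out)
```

Run `rule_status` against the downloaded rules file to confirm the sid you expect to fire is actually active before looking elsewhere for the missing alerts; `enable_sid` edits the file in memory, so the change has to be applied again (or recorded in your rule-management tool) after the next ruleset update.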