<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Depends on what software and plugins you are using, doesn't it?  It's all dependent on your network. <br><br>--<div>Joel Esler</div><div>Sent from my iPhone</div></div><div><br>On Apr 5, 2014, at 4:25, "<a href="mailto:ped@...16771...">ped@...16771...</a>" <<a href="mailto:ped@...16771...">ped@...16771...</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><span style="font-family:Verdana"><span style="font-size:12px">Thanks Joel, the issue was with the disabled rule. Once I enabled it, Snort started to alert using the VRT ruleset.<br><br>I know the selection of ruleset is subjective to the environment, is there any best practice for a set of rules that should be enabled when you want to monitor a single Internet-facing webserver and ssh server?<br><br>Thanks,<br>Ped<br><br><br>On Sat, Apr 5, 2014 at 1:14 AM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>></span> wrote:<br><br>Have you tried:<div> </div><div><a href="https://github.com/vrtadmin/snort-faq/blob/master/FAQ/Im-not-receiving-alerts-in-Snort.md" target="_blank">https://github.com/vrtadmin/<wbr>snort-faq/blob/master/FAQ/Im-<wbr>not-receiving-alerts-in-Snort.<wbr>md</a></div><div> </div><div>Rule 2100498 is a copy of the VRT rule sid:498.  
It’s disabled by default in the ruleset, so you may have to enable it (notice that we don’t enable everything by default)</div><div> </div><div><span style="font-family:'Lucida Grande'">--</span><br><span style="font-family:'Lucida Grande'"><b>Joel Esler</b></span><br><span style="font-family:'Lucida Grande'">Open Source Manager</span><br><span style="font-family:'Lucida Grande'">Threat Intelligence Team Lead</span><br><span style="font-family:'Lucida Grande'">Vulnerability Research Team</span></div><p style="margin:0px; padding:0px;"> </p><br><span id="editor_signature"><span style="font-family:Verdana; font-size:12px"> </span></span></span></span>
</div></blockquote></body></html>