Me too, usually the cause is that the rules have a missing dependency
stopping the snort process from starting. If you are in pfSense looking
through the logs, I imagine they must also be in the snort logs. Start
with less restrictive but obvious rules and then gradually tighten
down. Restart the service often to make sure you have not missed a
dependency.

On 4 September 2013 09:18, Kyle Spencer <[email protected]> wrote:
> Hi Allan,
>
> I encountered this issue when I attempted to configure Snort on a pfSense
> box last year. I ultimately gave up as it wasn't a critical need. What
> annoyed me was that I was able to successfully install Snort on a pfSense
> box two years prior to that without issue.
>
> In my case, all the settings indicated that it should be sniffing the WAN
> port and logging alerts based on the rules I had enabled. However, it did
> nothing; no alerts registered even though I had enabled some pretty
> restrictive rules that should have been triggered often.
>
> I know this is of no help but perhaps it's good to know others faced a
> similar challenge :)
>
> Regards,
> Kyle Spencer
>
> On Sep 4, 2013 11:07 AM, "Kisakye Alex" <[email protected]> wrote:
>>
>> Can you draw a diagram showing where Snort is on your network?
>> Also, are you using port mirroring or bridging? Snort has to see all the
>> data on your network somehow.
>>
>> Alex
>>
>>
>> On Wed, Sep 4, 2013 at 10:35 AM, <[email protected]> wrote:
>>>
>>> Hello Alex,
>>>
>>>  Yes, I did select the interface to use and am using the preconfigured
>>> rules set in Snort itself.
>>>
>>> Allan
>>>
>>>
>>>
>>> From:   Kisakye Alex <[email protected]>
>>> To:     Uganda Linux User Group <[email protected]>
>>> Date:   09/04/2013 10:20 AM
>>> Subject:        Re: [LUG] Snort Rules
>>> Sent by:        [email protected]
>>>
>>>
>>>
>>> Have you selected an interface in Snort to listen for activity?
>>> Also, depending on your config, you need to be able to listen through all
>>> traffic on the network; one way of doing this is by port mirroring.
>>>
>>> Alex
>>>
>>>
>>> On Wed, Sep 4, 2013 at 10:07 AM, <[email protected]> wrote:
>>>
>>>   Dear all,
>>>
>>>
>>>   I hope this mail finds you well. I installed Snort IPS, subscribed to
>>>   the rules and applied them on to my Oracle Linux box. Though this was
>>>   done, I don't seem to see any activity when I go to monitor or check on
>>>   the various rules. I wish to know if anyone who configured the same could
>>>   have had a similar experience? If so, what did he do to rectify the
>>>   problem?
>>>
>>>   Looking forward to all your suggestions.
>>>
>>>
>>>   Allan
>>>
>>>
>>>   _______________________________________________
>>>   The Uganda Linux User Group: http://linux.or.ug
>>>
>>>   Send messages to this mailing list by addressing e-mails to:
>>>   [email protected]
>>>   Mailing list archives: http://www.mail-archive.com/[email protected]/
>>>   Mailing list settings: http://kym.net/mailman/listinfo/lug
>>>   To unsubscribe: http://kym.net/mailman/options/lug
>>>
>>>   The Uganda LUG mailing list is generously hosted by INFOCOM:
>>>   http://www.infocom.co.ug/
>>>
>>>   The above comments and data are owned by whoever posted them (including
>>>   attachments if any). The mailing list host is not responsible for them
>>> in
>>>   any way.



-- 
Simon Vass
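
An added example, not part of the thread and not Snort's own code: a pre-flight check for one kind of missing dependency that stops Snort from starting, namely a rule that references a variable or classtype the configuration never defines. The configuration and rules below are constructed samples in Snort 2.x syntax, and the function name is hypothetical; it assumes the main config and any files it includes have been concatenated into one string.

```python
import re

# Constructed sample configuration (Snort 2.x syntax); not taken from the thread.
SNORT_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
config classification: web-application-attack,Web Application Attack,1
"""

# Constructed sample rules; the second and third each lack something they depend on.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"test 1"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"test 2"; classtype:web-application-attack; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"test 3"; classtype:icmp-probe; sid:1000003; rev:1;)
"""

VAR_DEF = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)", re.M)
CLASS_DEF = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)", re.M)
VAR_REF = re.compile(r"\$\{?(\w+)\}?")
CLASSTYPE = re.compile(r"classtype\s*:\s*([^;\s]+)")
SID = re.compile(r"\bsid\s*:\s*(\d+)")

def missing_dependencies(conf_text, rules_text):
    """Return (sid, kind, name) for every variable or classtype a rule uses
    that the configuration never defines. Assumption: conf_text is the main
    config with its included files concatenated."""
    variables = set(VAR_DEF.findall(conf_text))
    classtypes = set(CLASS_DEF.findall(conf_text))
    problems = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and disabled (commented-out) rules
        header, _, options = line.partition("(")
        m = SID.search(options)
        sid = int(m.group(1)) if m else None
        for name in VAR_REF.findall(header):
            if name not in variables:
                problems.append((sid, "variable", name))
        for name in CLASSTYPE.findall(options):
            if name not in classtypes:
                problems.append((sid, "classtype", name))
    return problems

if __name__ == "__main__":
    for sid, kind, name in missing_dependencies(SNORT_CONF, RULES):
        print(f"sid {sid}: undefined {kind} {name}")
```

Snort's own configuration test mode (the `-T` option together with `-c` and the config path) remains the authoritative check; this only narrows down which rule to look at first.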