DNS rule intrusion events never alert with firepower module

babiojd01
Beginner

I enabled a few DNS blacklist Snort rules along with creating my own. None of them will trigger an alert/intrusion event. I verified that the rules are enabled and everything. I took these same rules and applied them to open source Snort and they do trigger. Is there something missing out of the default Sourcefire FireSIGHT config?

2 Replies

babiojd01
Beginner

Follow-up. Out of all the blacklist rules in the Sourcefire ruleset, 1 single rule triggers an alert out of all of them.

Never mind. I figured it out. It has to do with global thresholding. It also doesn't seem to like a 4-letter domain name to test with.
