
DNS rule intrusion events never alert with firepower module

babiojd01
Level 1

I enabled a few DNS blacklist snort rules along with creating my own. None of them will trigger an alert/intrusion event. I verified that the rules are enabled and everything. I took these same rules and applied them to open source snort and they do trigger. Is there something missing out of the default sourcefire firesight config?

2 Replies

babiojd01
Level 1

Follow up. Out of all the blacklist rules in the sourcefire ruleset 1 single rule triggers an alert out of all of them.

Never mind. I figured it out. It has to do with global thresholding. It also doesn't seem to like a 4-letter domain name to test with.
