03-17-2016 07:23 PM
I enabled a few DNS blacklist Snort rules along with creating my own. None of them will trigger an alert/intrusion event. I verified that the rules are enabled and everything. I took these same rules and applied them to open source Snort and they do trigger. Is there something missing out of the default Sourcefire FireSIGHT config?
03-18-2016 04:17 PM
Follow up. Out of all the blacklist rules in the Sourcefire ruleset, one single rule triggers an alert.
03-19-2016 10:59 AM
Never mind. I figured it out. It has to do with global thresholding. It also doesn't seem to like a 4-letter domain name to test with.
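For readers who hit the same symptom, here is what the two pieces the thread talks about look like in open-source Snort 2 syntax: a DNS blacklist rule and a global event_filter of the kind that can make repeated test queries look like the rule never fires. This is an added example, not configuration from the original poster or from the Sourcefire ruleset; the domain evil-domain.test, the sid 1000001 and the 60-second window are assumptions chosen for illustration.

```snort
# --- local.rules --------------------------------------------------------
# A DNS query carries the name in wire format: each label is prefixed by its
# length byte and the name ends with a zero byte, so "evil-domain.test" is
#   |0b| e v i l - d o m a i n |04| t e s t |00|
# Matching on that byte sequence avoids false hits on "evil-domain.test.example".
alert udp $HOME_NET any -> any 53 (msg:"DNS query for blacklisted domain evil-domain.test"; \
    content:"|0b|evil-domain|04|test|00|"; nocase; \
    classtype:bad-unknown; sid:1000001; rev:1;)

# --- threshold.conf -----------------------------------------------------
# Global event_filter (sig_id 0 = every rule of gen_id 1). "type limit" passes
# only the first event per rule, per source IP, in each 60-second window and
# silently drops the rest. If you fire the same test query from one host over
# and over, you see one alert at most per minute, which is easy to mistake for
# "the rule does not trigger". The window and count here are assumed values.
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60

# To verify that the rule itself matches, either test from a different source
# IP for each query, wait out the window, or temporarily comment the global
# filter out and give the rule its own per-rule filter instead:
# event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 5
```

On a FireSIGHT/Firepower sensor the same global limit lives in the intrusion policy rather than in threshold.conf, so it applies even when the rule text itself contains no threshold keyword; checking it is the first thing to do when a rule that fires on open-source Snort stays silent on the appliance.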