Gents and Ladies,
I have zero length IPS log files for the first time in 5 years. It is configured with every single attack and warning pattern switched on and alerting. That is over 9,500 patterns and NOT one is picking up anything to be worried about either for outgoing traffic or incoming traffic.
My questions are
1. Is your IPS quiet as a grave too?
2. Are all your IPS log files in /var/log/ips/2011/04/ all zero lenth when you gunzip them?
3. How do you tell how many patterns are actually loaded in snort, when the gui says 9500 odd?
I am used to many things with Astaro IPS including patterns shutting down my clients' firewalls, but I am not used to zero length log files and feel rather uncomfortable about this.
So, I tried to get IPS to respond by running half a dozen different scans (including PCI scans) using Nessus, nmap and LanSpy. Found out some DNS vulnerabilities, but IDS still stoney quiet. Restarting snort with /var/mdw/scripts/snort restart shows a pile of stuff including about 50 lines of this: "DynamicPlugin: Rule [3:16418] not enabled in configuration, rule will not be used." but googlepedia suggests this is not a problem.
Where are you at with this?
Thanks in advance for your replies.
Best Regards,
Adrien.
This thread was automatically locked due to age.
