cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 11 of 24

Re: Snort Rule creation

Thanks. I found the rules on another thread.

I tested it and the rules show fine on my master attack policy.

I would suggest you check the ems.log & emsout.log file after you save the snort rules on the custom attack editor. Maybe you can see an error that explains why they aren't showing on your policies.

Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 12 of 24

Re: Snort Rule creation

These SNORT signatures are set to informational and will not be included in a normal IPS policy unless you add them to the rule set that you are using. If you happen to be using a default rule set you will need to copy this to a new rule set and add the SNORT signatures. If you need me to I will give you a break down of how to add these to the rule set.

You might also try clearing the manager policy cache and see if that yields any results. Sometimes the cache can become stale and fail to update.

Highlighted

Re: Snort Rule creation

hi Dear ,

Yes Please I will Appreciate that .

Thanks A lot .

SA
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 14 of 24

Re: Snort Rule creation

Ahmed

You can clear the cache from Manage\troubleshooting\manager policy cache - let us know if that helps

@mjesmar - even though the snort rules are information, they should be visible on the master policy, and Ahmed confirmed they don't show there. Good point on the policy cache, hopefully it is just dad.

Regards

David

Highlighted

Re: Snort Rule creation

Dears ,

is there any effect may happened to the manager during the cash clear ? since i am working on an very critical environment and no interruption accepted without maintenance window >>>>??

SA
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 16 of 24

Re: Snort Rule creation

Hi Ahmed

Nothing should happen to the manager when you clear the cache. It is not touching the policies on the database, just clearing the NSM application cache.

Regards

David

Highlighted

Re: Snort Rule creation

dears ,

i have performed the cache clear with no result .

SA
Highlighted

Re: Snort Rule creation

Dears Finally the Rules appeared on the Default Testing Policy (not used ) but not on the intended inline policy (Jawwal OUtside inline )

SA
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 19 of 24

Re: Snort Rule creation

So basically it was clearing the cache (kudos to mjesmer) that resolved it right?

Not all signatures will show on all policies. Because the snort rules you imported are only informational, they won't show on higher security/blocking policies.

If you set priority:3 on a snort rule, it will have a severity 7/8/9 (high), and will show on all policies.

Checking the master policy will tell you what attacks are available for other policies, so better to check in there first.

Good to know the problem is resolved though

Highlighted

Re: Snort Rule creation

hi ,

i have changed the Severity of the Signature from the Master policy , but nothing changed , so is there any way to create the Snort rule with high severity from the beginning ?

SA
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community