I am running NSP and Sourcefire side by side in production. With the same traffic flows. Snort signatures fired as expected, but NSP does not. Even after importing the Snort signatures, and according to NSP it was successful. I am just running a few snort rules, and without (any any) syntax. What is wrong?
Hey there Edgard,
I'm not sure I'm the best to help you but I'll there are a few things you'll want to check. And I don't mean to be so remedial but I'll start with the simple stuff you've probably already done just to make sure we're on the same page.
1. First thing to check is the response on the signature that was imported. To do this go to the Policy Tab and double click the policy that has been applied to the interface you are testing. Once that opens go to the "Attack Definitions" tab and then filter your results to show only your Snort signatures. Once you have your Snort Signatures displayed double click to open the "Attack Editor" it should look like this
Check to see what the behavior is any time this alert is triggered, you can even adjust the severity level. For testing purposes I'd recommend setting it to "High" and also enable blocking (not smart blocking). This will make it easier to see when you run the test again.
2. Once the policy has been updated, which is just a matter of saving the snort signature in the attack editor, then you still have to "deploy pending changes" or push the new sig set out to your sensor.
Once all the changes have been applied to the sensor open the Real-time threat analyzer and run the test again. You should see an alert pop up with the severity level that you set in the attack editor.
If that still doesn't work you might need to open a ticket and get some help. But before you do this go to your Sourcefire appliance and figure out if there was a specific string or event that caused that signature to "fire". This will help support troubleshoot the signature that was imported onto the NSP.
Hopefully that will get you pointed in the right direction.