
Snort Signatures not firing. I am running Sourcefire and NSP side by side.

I am running NSP and Sourcefire side by side in production, with the same traffic flows. Snort signatures fired as expected, but NSP does not, even after importing the Snort signatures, which according to NSP was successful. I am just running a few Snort rules, and without (any any) syntax. What is wrong?

1 Reply

Re: Snort Signatures not firing. I am running Sourcefire and NSP side by side.

Hey there Edgard,

I'm not sure I'm the best to help you, but there are a few things you'll want to check. And I don't mean to be so remedial, but I'll start with the simple stuff you've probably already done just to make sure we're on the same page.

1. First thing to check is the response on the signature that was imported. To do this, go to the Policy Tab and double click the policy that has been applied to the interface you are testing. Once that opens, go to the "Attack Definitions" tab and then filter your results to show only your Snort signatures. Once you have your Snort signatures displayed, double click to open the "Attack Editor"; it should look like this:

[Image: attack editor.JPG]

Check to see what the behavior is any time this alert is triggered; you can even adjust the severity level. For testing purposes I'd recommend setting it to "High" and also enabling blocking (not smart blocking). This will make it easier to see when you run the test again.

2. Once the policy has been updated, which is just a matter of saving the Snort signature in the attack editor, you still have to "deploy pending changes" or push the new sig set out to your sensor.

Once all the changes have been applied to the sensor, open the Real-time threat analyzer and run the test again. You should see an alert pop up with the severity level that you set in the attack editor.

If that still doesn't work, you might need to open a ticket and get some help. But before you do this, go to your Sourcefire appliance and figure out if there was a specific string or event that caused that signature to "fire". This will help support troubleshoot the signature that was imported onto the NSP.

Hopefully that will get you pointed in the right direction.
