I fired up an NS instance and installed ips.
There are no rules in the snort rules folder. If that's the correct directory for the rules for the NS implementation of ips, then that's why no one is getting any alerts: it looks like the rules are not being populated because pulledpork is pointing to a server that doesn't appear to have any rules when I look with a browser.
Jan 6 13:09:19 server32 esmith::event[2865]: #011Error 404 when fetching https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 463
Jan 6 13:09:19 server32 esmith::event[2865]: #011main::md5file('Community', 'community-rules.tar.gz', '/tmp/', 'https://s3.amazonaws.com/snort-org/www/rules/community/') called at /usr/bin/pulledpork.pl line 1847
Jan 6 13:09:19 server32 esmith::event[2865]: Checking latest MD5 for community-rules.tar.gz...
Jan 6 13:09:19 server32 esmith::event[2865]: #011A 404 error occurred, please verify your filenames and urls for your tarball!
Jan 6 13:09:19 server32 esmith::event[2865]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply FAILED: 255 [3.474154]
I don't see any rules at that url; the snort site has this url for community:
https://www.snort.org/downloads/community/community-rules.tar.gz
I tried changing the pulledpork.conf rule url to the above, but after restarting snort in the gui e-smith overwrote my change. Since I don't know where to find the e-smith file to change, I'm just going to leave this at this point.
If someone wants to point me to the exact file that I can make the appropriate changes to, then I will follow up with this more.
That is my biggest struggle with NS: knowing which e-smith file to make permanent changes to for any given service. But it's probably because I don't have a couple of days to sit down and work it through.
I do have a new network buildout on my desk with a shiny new install of sophos xg and a 3 pack of unifi ap though. 
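As an added diagnostic for the failure in the post (this is example code, not the poster's, NethServer's or PulledPork's own), the script below reproduces the sequence the log shows: PulledPork reads each `rule_url=base|tarball|label` line, fetches `<base><tarball>.md5` first, and only then the tarball, which it verifies against the published MD5. The sample config excerpt, the offline fake fetcher and the stand-in tarball bytes are constructed here; the two base URLs are the S3 one from the log and the snort.org one the poster found. Running it against a real `pulledpork.conf` with `http_fetch` shows which entry 404s before any template editing is attempted.

```python
import hashlib
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed excerpt, not a real pulledpork.conf: two rule_url lines in
# PulledPork's "base_url|tarball|oinkcode-or-label" form.
SAMPLE_CONF = """\
# constructed sample
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=https://www.snort.org/downloads/community/|community-rules.tar.gz|Community
"""

RuleUrl = Tuple[str, str, str]                 # (base_url, tarball, label)
Fetcher = Callable[[str], Tuple[int, bytes]]   # url -> (http_status, body)


def parse_rule_urls(conf_text: str) -> List[RuleUrl]:
    """Extract rule_url entries, skipping comments, blanks and malformed lines."""
    entries: List[RuleUrl] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"rule_url\s*=\s*(.+)$", line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(1).split("|")]
        if len(parts) != 3 or not all(parts):
            continue
        base, tarball, label = parts
        if not base.endswith("/"):
            base += "/"
        entries.append((base, tarball, label))
    return entries


def md5_url(base: str, tarball: str) -> str:
    # PulledPork fetches "<base><tarball>.md5" before the tarball itself
    return base + tarball + ".md5"


def http_fetch(url: str, timeout: int = 15) -> Tuple[int, bytes]:
    """Real fetcher: (status, body); an HTTP error becomes its status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "rule-url-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, b""


def check_rule_url(entry: RuleUrl, fetch: Fetcher = http_fetch) -> Dict[str, object]:
    """Replay the md5-then-tarball sequence and report the first thing that fails."""
    base, tarball, label = entry
    murl = md5_url(base, tarball)
    report: Dict[str, object] = {"label": label, "md5_url": murl, "md5_status": None,
                                 "tarball_status": None, "md5_match": None, "problem": None}
    status, body = fetch(murl)
    report["md5_status"] = status
    if status != 200:
        report["problem"] = f"HTTP {status} fetching the .md5 file"
        return report
    m = re.search(rb"[0-9a-fA-F]{32}", body)        # ".md5" holds "<hash>  <file>"
    if not m:
        report["problem"] = "no 32-hex-digit MD5 found in .md5 file"
        return report
    expected = m.group(0).decode().lower()
    status, tar = fetch(base + tarball)
    report["tarball_status"] = status
    if status != 200:
        report["problem"] = f"HTTP {status} fetching the tarball"
        return report
    report["md5_match"] = hashlib.md5(tar).hexdigest() == expected
    if not report["md5_match"]:
        report["problem"] = "tarball MD5 does not match the published .md5"
    return report


def make_fake_fetcher(responses: Dict[str, Tuple[int, bytes]]) -> Fetcher:
    """Offline stand-in for http_fetch; unknown URLs 404, as the S3 path did."""
    return lambda url: responses.get(url, (404, b""))


# Constructed stand-in bytes; only the snort.org URLs are "served".
FAKE_TARBALL = b"constructed stand-in for community-rules.tar.gz"
FAKE_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "https://www.snort.org/downloads/community/community-rules.tar.gz.md5":
        (200, hashlib.md5(FAKE_TARBALL).hexdigest().encode() + b"  community-rules.tar.gz\n"),
    "https://www.snort.org/downloads/community/community-rules.tar.gz": (200, FAKE_TARBALL),
}


def run_offline_demo() -> List[Dict[str, object]]:
    fetch = make_fake_fetcher(FAKE_RESPONSES)
    return [check_rule_url(e, fetch) for e in parse_rule_urls(SAMPLE_CONF)]


if __name__ == "__main__":
    for r in run_offline_demo():
        print(r["label"], r["md5_url"], "->", r["problem"] or "OK")
```

With the fake fetcher the S3 entry reports the same `HTTP 404` on the `.md5` file that appears in the log, while the snort.org entry passes the MD5 comparison; swapping in `http_fetch` runs the same check against the live URLs.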