Snort mailing list archives

Question regarding creating rules in Snortcenter ...


From: "Michael Chapman" <MChapman () ascentmedia com>
Date: Thu, 12 Feb 2004 09:33:27 -0800

This is on RedHat 9.0, with Snort 2.0.6 and the usual complement of
MySQL and ACID.  The rules I am trying to create using the interface in
Snortcenter don't seem to be active or locatable, for that matter.  Bear
with my ignorance here, but I thought that these rules would normally
get put into the local.rules file, yet no entries appear there when I
create a rule.  I do see them in the Snortcenter interface when I look
at the rules, which leads me to believe that the rules are in the SQL
database.  Is this a correct assumption?  If so, are the Snortcenter
interface and/or direct MySQL intervention the only ways to verify that
a rule is there?  Secondly, if the rule does exist, why am I not seeing
hits for it?

For example, I created a rule which just does nothing but alert on TCP
8987 (a port that only I am using for an app.)  I can clearly see other
traffic to and from the host that has that port active, but I do not see
any alerts.  I have activated the rule per the instructions on the
Snortcenter site, with green lights all around.

Am I being ignorant, or is there something I'm missing?  If I should
just re-RTFM, then please say so!

Thanks in advance!

Michael

