Snort mailing list archives

Appearance of new custom alerts in BASE delayed


From: Black Lion via Snort-users <snort-users () lists snort org>
Date: Wed, 20 Jun 2018 15:07:45 +0200

Hello. I am running Snort 2.9.11.1 on Ubuntu Server 16.04. I am also
running Barnyard2 2.1.14, BASE 1.4.5 and PulledPork 0.7.4. Whenever I add a
custom rule in /etc/snort/rules/local.rules and do a test connection to
trigger the custom alert, this alert does not appear in BASE right away. It
appears after some time has elapsed. Below is what I have done which results
in the delay:

   - Added the below custom rule to /etc/snort/rules/local.rules:

alert tcp any any -> 192.168.1.97 3389 (msg:"RDP to server"; GID:1; sid:1000008; rev:001; classtype:misc-activity;)

   - Ran PulledPork in order to add the custom rule to
   /etc/snort/sid-msg.map (the new entry has been added in sid-msg.map)
   - Restarted the snort and barnyard2 services
   - Connected to the snort database and ran the below line to check if
   barnyard2 has added the custom rule to the database:

SELECT * FROM snort.signature WHERE sig_name = 'RDP to server';

(it took ~15 min before the custom rule was added to the database).

   - To test if the custom rule works, I connected to the server using
   Remote Desktop.
   - The interesting thing is that one of the downloaded Snort rules, "ET
   POLICY RDP connection confirm", appears in BASE as an alert, but my
   custom alert does not appear in BASE. After a long delay, my custom alert
   eventually appears.

What could be the reason that there is a delay with the added custom alert
appearing in BASE? Is there a way to troubleshoot this?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
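The post's first two steps form the chain Barnyard2 depends on to name an event: the sid/gid/rev of the rule in local.rules must match an entry in sid-msg.map, which Barnyard2 reads when it starts (config sid_file). The script below is an added example written for this thread, not code from the poster or from the Snort, Barnyard2 or PulledPork projects. It parses a local.rules file and a sid-msg.map (both the old "sid || msg" layout and the "#v2" layout PulledPork 0.7.x writes) and reports every custom rule whose map entry is missing or stale, which is the first thing to rule out before looking at the database. The two embedded files are constructed samples; the sids, the classification and the reference URL in them are placeholders, not real rule identifiers.

```python
import re
import sys

# Constructed sample of /etc/snort/rules/local.rules (not the poster's real file).
# The second rule is deliberately absent from the map below to show a failure.
LOCAL_RULES = """
alert tcp any any -> 192.168.1.97 3389 (msg:"RDP to server"; GID:1; sid:1000008; rev:001; classtype:misc-activity;)
alert tcp any any -> 192.168.1.97 22 (msg:"SSH to server"; sid:1000009; rev:2; classtype:misc-activity;)
"""

# Constructed sample of /etc/snort/sid-msg.map in the v2 layout:
#   gid || sid || rev || classification || priority || msg || ref || ref ...
# The 2000001 entry and its reference are placeholders, not a real ET rule.
SID_MSG_MAP = """#v2
# Created by pulledpork (constructed sample)
1 || 1000008 || 1 || misc-activity || 3 || RDP to server
1 || 2000001 || 4 || policy-violation || 1 || ET POLICY RDP connection confirm || url,example.invalid/2000001
"""

# Matches the four rule options we care about; quoted msg values may contain ';'.
RULE_OPT = re.compile(
    r'\b(gid|sid|rev|msg)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+)\s*;', re.IGNORECASE)


def parse_rules(text):
    """Return {(gid, sid): {'rev': int, 'msg': str}} for every rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        opts = {k.lower(): v.strip() for k, v in RULE_OPT.findall(line)}
        if 'sid' not in opts:
            continue
        gid = int(opts.get('gid', '1'))          # Snort defaults gid to 1
        rules[(gid, int(opts['sid']))] = {
            'rev': int(opts.get('rev', '1')),    # int('001') == 1, as Snort treats it
            'msg': opts.get('msg', '').strip('"'),
        }
    return rules


def parse_sid_msg_map(text):
    """Return {(gid, sid): {'rev': int or None, 'msg': str}} from a v1 or v2 map."""
    entries = {}
    v2 = text.lstrip().startswith('#v2')
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = [f.strip() for f in line.split('||')]
        if v2:
            if len(fields) < 6:
                continue
            entries[(int(fields[0]), int(fields[1]))] = {
                'rev': int(fields[2]), 'msg': fields[5]}
        else:
            # v1 layout: sid || msg || ref ...  (gid is implicitly 1, no rev)
            if len(fields) < 2:
                continue
            entries[(1, int(fields[0]))] = {'rev': None, 'msg': fields[1]}
    return entries


def find_map_problems(rules, entries):
    """List (gid, sid) pairs whose map entry is missing or disagrees with the rule."""
    problems = []
    for key, rule in sorted(rules.items()):
        entry = entries.get(key)
        if entry is None:
            problems.append((key, 'missing from sid-msg.map'))
        elif entry['rev'] is not None and entry['rev'] != rule['rev']:
            problems.append((key, 'rev mismatch: rule rev %d, map rev %d'
                             % (rule['rev'], entry['rev'])))
        elif entry['msg'] != rule['msg']:
            problems.append((key, 'msg mismatch: rule %r, map %r'
                             % (rule['msg'], entry['msg'])))
    return problems


if __name__ == '__main__':
    # Usage: check_sidmap.py [/etc/snort/rules/local.rules /etc/snort/sid-msg.map]
    if len(sys.argv) == 3:
        rules_text = open(sys.argv[1]).read()
        map_text = open(sys.argv[2]).read()
    else:
        rules_text, map_text = LOCAL_RULES, SID_MSG_MAP
    found = find_map_problems(parse_rules(rules_text), parse_sid_msg_map(map_text))
    for (gid, sid), why in found:
        print('gid %d sid %d: %s' % (gid, sid, why))
    print('%d problem(s)' % len(found))
```

Run it against the real files after PulledPork has regenerated sid-msg.map and before restarting Barnyard2. If the custom sid is reported missing or with a different rev, Barnyard2 has nothing to map the event to and the map needs regenerating; if the map is correct, the delay lies further down the chain (the unified2 spool, the waldo bookmark, or the database inserts) and the SQL query from the post is the next check.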
