See http://forum.ipfire.org/viewtopic.php?f=52&t=18344. When using VRT rules, the IDS log stays empty. Stopping and starting the IDS does not give error messages in the log as far as I can see (besides the flowbit messages I mentioned on the forum). I am on core 109, but have experienced this problem since core 105. (No one was complaining, so I thought it had to be something in my setup, but now it seems I am not alone with this issue.) Regards, Edwin.
Hmmm, I have no idea what to do here. Some long time ago I was using VRT, and it used to work. Maybe Stefan can help.
I'm using the VRT rules without any problem. This could be down to the ET rules including IP blocklists, which means that there are a lot of alerts for traffic that is actually blocked by the default firewall input policy. The VRT rules don't do this - they only alert when they detect a problem, which means much lower alert rates. Unless you're using Windows and have the appropriate rules enabled, in which case the VRT rules will give you lots of warnings about Windows sending USB metadata to Microsoft.
Speaking for the current next tree with Suricata, these rules are working.