I have been trying to get Snort going on our LEM box, and while the process shows up in top, it doesn't appear some of the rules are working. I followed this guide: SolarWinds Knowledge Base :: Snort IDS Best Practices. It would seem there are some discrepancies in the .conf files. I have edited the snort.conf with our subnets as well as the snort.debian.conf. I'm not entirely sure which one needs to be updated. Per the guide, the variables are updated in the snort.debian.conf and I guess are then queried from the snort.conf. Does anyone have a definitive guide for this on LEM? Or am I better off setting up Snort from scratch on a dedicated box?