@Darkk said in GUIDE: Snort's AppID custom rules Quick Guide to blocking. Example shows OpenAI ChatGPT or Itunes.:
@bmeeks
I have a question. Why can't we get Snort 3 on pfsense since version 2 is being deprecated? I know there's Suricata but like to have options.
Snort and Suricata are both volunteer-maintained packages. That means a volunteer contributes the programming effort required to create and maintain the package without compensation and without any involvement from the pfSense developer team other than that team manually merging code changes submitted by the maintainer into the official pfSense repository. For Snort, I assumed the maintainer role for that package many years ago when the original developer grew weary and moved on. I wanted certain features to be available in the package (flowbits primarily), and so I added the necessary code and submitted the Pull Request to GitHub. It was accepted, and so I offered a few more updates such that over the years I became the de facto maintainer for Snort. For Suricata, I created that package from scratch, submitted the Pull Request to the Netgate team, and have been maintaining it since as a volunteer contributor sharing my work with the pfSense community for free.
For both packages, I am getting ready to step aside. There is no compensation for volunteer maintainers, and since I retired from an IT role in a Fortune 500 US company several years ago, I am slowly disentangling myself from commitments to more fully enjoy my retirement. That's one of the reasons you have seen fewer Snort and Suricata updates over the last year.
I tried on two separate occasions in the recent past to create a Snort3 package for pfSense. But I gave up in frustration both times. Partly because my heart was not totally in it for the reasons outlined above (my retirement), but also because it's very hard to do since Snort3 is a radical departure code-wise from Snort 2.9.x on the binary side. It will require rewriting things in C++ and adapting all the old Snort 2.9.x configuration parameters over to Lua scripting. The use of Lua will require substantial changes in the GUI package code.
The only way Snort3 will come to pfSense is if either some other new volunteer steps forward to create the required package, or if Netgate decides to take it over. Everything needed is available on the pfSense GitHub repo here -
Snort Binary Package Code: https://github.com/pfsense/FreeBSD-ports/tree/devel/security/snort
Snort GUI Package Code: https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-snort
If Snort3 is important to you, perhaps you might consider stepping into the volunteer maintainer role like I did many years ago and then sharing your work with the pfSense community ... 😀.