Netgate Discussion Forum
    Snort Questions

    mrmiyagi

      Hello,

      I want to use snort as IDS/IPS but I just want to block if certain rules alert. Is that possible?
      Snort doesn't start if I choose VRT and ET at the same time. Is it possible to use all rules from VRT, Community and ET at the same time?

      Should I prefer Suricata over Snort?

      Thank you & Bye
      miyagi

      bmeeks

        @mrmiyagi:

        Hello,

        I want to use snort as IDS/IPS but I just want to block if certain rules alert. Is that possible?
        Snort doesn't start if I choose VRT and ET at the same time. Is it possible to use all rules from VRT, Community and ET at the same time?

        Should I prefer Suricata over Snort?

        Thank you & Bye
        miyagi

        At the moment Snort is not very selective with blocking.  By that I mean if you enable blocking, then any rule generating an alert will result in a block as well (unless the offending IP is whitelisted on a Pass List).  Suricata now offers an inline IPS mode where you can have some rules that only alert and others that actually drop (block) traffic.  You can find more information about that feature in other posts in this section.

        Bill

        mrmiyagi

          That means the only disadvantage of Suricata is that you can't use compiled binaries to detect intrusions?

          Can I write my own rules or add additional rulesets to Suricata?

          I want to implement an IPS that doesn't need to be managed by a person and still offers a high level of security.
          With these conditions, is it recommended to use Suricata as an IPS?

          Thank you,
          mrmiyagi

          jeffhammett

            You are correct that Suricata can't run the Snort VRT pre-compiled Shared Object rules. There are also a few other VRT rules that Suricata cannot run due to differences between Snort and Suricata.

            On the other hand, Suricata does have some other advantages over Snort:
            - more types of logging (dns, http, etc.), which can be useful if you don't have other systems logging these types of traffic
            - ability to run inline mode, which will allow you to specify which rules to drop traffic on and which rules to only alert on

            You can write your own or add additional rulesets to either Snort or Suricata. I wouldn't recommend running both VRT and ET rulesets with either Snort or Suricata unless you tune them down considerably for your environment, especially if you are running in IPS mode. Both rulesets will have a lot of rules that aren't relevant to your network.

            Both Snort and Suricata are going to have some upfront management/tuning. I think Suricata inline mode would make for a better unmanaged IPS because it will just drop the traffic that matches a rule, without affecting other traffic to the same IP. This will make a big difference in terms of false positives.

            mrmiyagi

              Thank you a lot :)

              I am not yet this familiar with all the rulesets and have a general question about ET rules:

              As the name ET (emerging threats) says, it provides rules for emerging threats.
              So if the IPS is only blocking/dropping a few precisely selected rules, emerging threats like zero day exploits will pass.
              Is there any best practice for that?

              Maybe my question looks dumb because I didn't dive into rulesets.

              mrmiyagi

              jeffhammett

                Emerging Threats is the brand name.

                There are two main ET rulesets:
                Emerging Threats Open is free and provides (in my opinion) a decent amount of coverage
                Emerging Threats Pro is $750 per year per sensor and includes more rules and provides better coverage.

                On pfSense Snort only supports what is now referred to as legacy IPS mode. Suricata supports both legacy and inline IPS mode.

                With either Snort or Suricata in non-blocking mode you will only get alerts for whichever rules you are running.
                With either Snort or Suricata in legacy IPS mode you will block the IP of the offending traffic for whichever rules you are running. Some amount of traffic will pass before the IP is blocked and the states killed.
                With Suricata in inline mode you must specify which rules you want to run in drop mode. Any rules specified for drop mode will drop the traffic before it passes, and the IP address will not be blocked entirely. Any rules that are active that are not specified for drop mode will generate alerts without any dropping/blocking.

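As an added illustration of the per-rule drop selection described above (this is example code written for this page, not code from the pfSense Suricata package or from the thread): a small Python helper that rewrites chosen alert rules to drop by SID, while every other rule, including commented-out ones, stays alert-only. The rules below are constructed samples with made-up SIDs, not real ET or VRT rules.

```python
import re

# Constructed sample rules in Suricata rule syntax (not real ET/VRT content).
# Rule 9000003 is commented out, as a disabled rule would be in a managed ruleset.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; threshold:type both,track by_src,count 5,seconds 60; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE suspicious user-agent"; content:"evil-agent"; http_user_agent; sid:9000002; rev:2;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)
alert dns any any -> any any (msg:"EXAMPLE dns query"; sid:9000004; rev:1;)
"""

# Matches an active rule line: action keyword, then the rest of the rule containing its sid.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject|pass)\s+(?P<rest>.*sid:\s*(?P<sid>\d+)\s*;.*)$'
)


def apply_drop_sids(rules_text, drop_sids):
    """Rewrite 'alert' rules whose SID is in drop_sids to 'drop'.

    Returns (rewritten rules text, set of SIDs that were actually changed).
    Comments, disabled rules and non-alert rules are passed through untouched,
    so a SID requested for drop that is disabled or absent is simply not changed.
    """
    wanted = {int(s) for s in drop_sids}
    out_lines, changed = [], set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group('action') != 'alert':
            out_lines.append(line)
            continue
        sid = int(m.group('sid'))
        if sid in wanted:
            out_lines.append('drop ' + m.group('rest'))
            changed.add(sid)
        else:
            out_lines.append(line)
    return '\n'.join(out_lines) + '\n', changed


def count_actions(rules_text):
    """Count active rules per action, so the alert/drop split can be checked before loading."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            counts[m.group('action')] = counts.get(m.group('action'), 0) + 1
    return counts
```

`set(drop_sids) - changed` after the call lists the SIDs that were requested for drop but not found as active alert rules, which is worth reviewing before assuming a threat is being blocked rather than only alerted on.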
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.