ET Rules or Snort Subscriber rule
-
Hello,
I run Snort IPDS. I pay for the snort subscriber ruleset personal license so I get updates every week.
Does it make sense to select ET rules as well or is this just overlap? To me, once you pay for the rules and modify the IPS policy to whatever level you deem fit there really is no added value to 30 day old rules from ET but perhaps I'm missing the value in it.
-
@michmoor said in ET Rules or Snort Subscriber rule:
Hello,
I run Snort IPDS. I pay for the snort subscriber ruleset personal license so I get updates every week.
Does it make sense to select ET rules as well or is this just overlap? To me, once you pay for the rules and modify the IPS policy to whatever level you deem fit there really is no added value to 30 day old rules from ET but perhaps I'm missing the value in it.
Probably no great benefit. I think in most folks' mind they run them because they are free and there is a very outside chance some ET rule might do better at detecting an off-the-wall threat than Snort VRT. But that's a pretty big stretch.
Also remember that end-to-end encryption hobbles just about everything an IDS/IPS could formerly do. Without being able to inspect the actual packet payload, all it can do is look at source and destination IP addresses and ports and maybe get a glimpse of the SNI (while that is still not encrypted). And if you are running plain-text DNS (meaning no DoT and no DoH), then the IDS/IPS can see DNS packets. But it is pretty much blind to email traffic and web traffic as that is almost 100% encrypted now. And where do most of the threat come from today? Yep, email attachments and booby-trapped websites. Your best defense from those attacks is going to be software on the endpoints of your network.
If you have the RAM and CPU horsepower, then perhaps you run the paid Snort VRT rules and then add some of the ET Open free rules just for insurance. But if you have a smaller box (and many of the less expensive Netgate appliances meet that definition), then you probably want to be a bit stingier with the number of enabled rules.
-
@bmeeks Thanks Bill. You pretty much verified my suspicion here. To be honest, the reason I even have the Snort paid rules is that the personal subscriber fee isn't expensive and I figured getting weekly updates is not bad.
I had the ET rules enabled but I don't think there is much benefit in waiting 30 days for some signatures that I get weekly. If anything, enabling a few of the ET rules resulted in performance degradation by as much as 50%.
My Netgate 4100 running with Snort enabled on 2x LAN interfaces isn't the performance hit I thought it would be. Security Onion is getting the logs for further analysis.
I largely agree with your analysis of the usefulness of it all anyway. I think of it more like a 'belt and suspenders' type of thing. Good to have as part of the overall package. Now I have an IPS policy on "Connectivity" which should provide good overall coverage.
@bmeeks how is the decision made regarding which signature should be part of the Connectivity IPS ruleset?
-
@michmoor said in ET Rules or Snort Subscriber rule:
@bmeeks how is the decision made regarding which signature should be part of the Connectivity IPS ruleset?
That I don't know. My suspicion is it would be a score composed of something like how widespread the threat is, the impact of the threat, and how dicey is the detection. That last parameter would be determined by how often legitimate traffic might trigger the rule (or turned around, how much trust can you put in reliable detection of just the specific threat with no false positives?).
The goal of the "Connectivity" policy is to ensure connectivity by not triggering on false positives (or as few as possible).
While not 100% related to your question, I did find this link from the Snort VRT (now Cisco) that describes a little bit of their philosophy: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117891-config-firewall-00.html.
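Whatever scoring Cisco Talos applies internally, the outcome is visible in the rules themselves: each rule in the Snort Subscriber ruleset carries `policy <name>-ips <action>` entries in its `metadata` option (the policy names being connectivity, balanced, security and max-detect), and that is what an IPS policy selector keys off when it decides which rules to enable and whether to drop or only alert. The following script is an added example, not code from this thread or from the Snort project; the rules in it are constructed samples with placeholder sids, written to show how membership in the Connectivity policy is encoded and how to list the rules a given policy would enable.

```python
import re

# Constructed sample rules (not from any real ruleset; sids are placeholders).
# Rules in the Snort Subscriber ruleset tag their IPS policy membership in the
# metadata option, e.g. "policy connectivity-ips drop". A rule that appears in
# no policy tag is left to the user to enable by hand.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE widespread exploit attempt"; flow:to_server,established; content:"/evil"; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE noisy scanner heuristic"; flow:to_server; content:"probe"; metadata:policy max-detect-ips drop, policy security-ips alert; sid:9000002; rev:2;)
# A commented-out rule is disabled and must be ignored by the parser.
#alert udp any any -> any 53 (msg:"EXAMPLE disabled rule"; metadata:policy connectivity-ips drop; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE no policy tag"; content:"x"; sid:9000004; rev:1;)
"""

# The metadata value never contains a semicolon, so a simple match is enough.
META_RE = re.compile(r'metadata:([^;]+);')
SID_RE = re.compile(r'\bsid:(\d+);')
MSG_RE = re.compile(r'msg:"([^"]*)"')
# "policy balanced-ips drop" -> ("balanced", "drop"); handles "max-detect" too.
POLICY_RE = re.compile(r'policy\s+([a-z\-]+?)-ips\s+(drop|alert)')


def parse_rules(text):
    """Parse rule lines into dicts of sid, msg and {policy: action}."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        msg = MSG_RE.search(line)
        policies = {}
        meta = META_RE.search(line)
        if meta:
            for name, action in POLICY_RE.findall(meta.group(1)):
                policies[name] = action
        rules.append({'sid': int(sid.group(1)),
                      'msg': msg.group(1) if msg else '',
                      'policies': policies})
    return rules


def rules_for_policy(rules, policy):
    """Map sid -> action for every rule that the named policy enables."""
    return {r['sid']: r['policies'][policy]
            for r in rules if policy in r['policies']}


def policy_counts(rules):
    """How many rules each policy would enable; a quick size comparison."""
    counts = {}
    for r in rules:
        for name in r['policies']:
            counts[name] = counts.get(name, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    for policy in ('connectivity', 'balanced', 'security', 'max-detect'):
        print(policy, rules_for_policy(parsed, policy))
    print('rules per policy:', policy_counts(parsed))
```

Run against a real `snort-rules` download the same `policy_counts` shows why Connectivity is the small, low-false-positive set and max-detect the large one: a rule reaches Connectivity only when its author tagged it for that policy, and the heuristic "scanner" sample above is tagged for security and max-detect only.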
-
@bmeeks The link was helpful so thank you for that.
To be honest, the paid Snort rules, I would like to think, are similar in respect to what the big brand vendors use (PA) on their products so I feel like I am getting the feeds at a bargain price. Am I wrong in thinking that?
Also, if IPS/IDS signatures are becoming increasingly irrelevant then why do some sell the feeds at a premium? Even Snort or ET sell at a high cost.
-
@michmoor said in ET Rules or Snort Subscriber rule:
@bmeeks The link was helpful so thank you for that.
To be honest, the paid Snort rules, I would like to think, are similar in respect to what the big brand vendors use (PA) on their products so I feel like I am getting the feeds at a bargain price. Am I wrong in thinking that?
Also, if IPS/IDS signatures are becoming increasingly irrelevant then why do some sell the feeds at a premium? Even Snort or ET sell at a high cost.
The paid Snort Subscriber Rules are offered at a steep discount for home users (and I think educational accounts). A commercial or business license is more expensive, but not as expensive as the Emerging Threats Pro rules are.
Most of the vendors offering "premium" products (read that as expensive) are also selling you the ability to utilize man-in-the-middle (MITM) systems to break the encryption at the firewall so packets can be inspected. They are then encrypted again after inspection. That requires client-trusted certs on your internal endpoints and all of the associated headache that comes with managing that. For large corporations, the cost and headache can be worth it for compliance reasons. But for a small business, and certainly for a home user, the cost/benefit ratio is generally just not there.
One thing that happens under the cover in both the Snort and Suricata binaries is that the packet inspection engine automatically bails out when it sees encrypted data (i.e., when the protocol is SSH, HTTPS, etc.). The engine looks at the header and preamble bits, but skips the encrypted payload. Thus to actually inspect that kind of traffic it must be decrypted before feeding it to the IDS/IPS.
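The two posts above (the one on end-to-end encryption hobbling an IDS, and this one on the engine skipping encrypted payloads) come down to which bytes of a TLS connection are still plaintext on the wire. The script below is an added example, not code from this thread or from Snort or Suricata: it builds a minimal TLS ClientHello record (constructed, with a dummy random and a single cipher suite), pulls the server name out of the SNI extension the way a payload-blind sensor still can, and then shows that an application_data record yields nothing beyond its length. The caveat in the post about SNI "still not encrypted" refers to Encrypted Client Hello, which, where deployed, hides the name from this kind of parsing as well.

```python
import struct

# TLS record content types
HANDSHAKE = 0x16
APPLICATION_DATA = 0x17


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension. Random and session id are zeroed; this is sample input only."""
    name = server_name.encode('ascii')
    entry = b'\x00' + struct.pack('!H', len(name)) + name        # host_name entry
    sni_list = struct.pack('!H', len(entry)) + entry             # ServerNameList
    ext = struct.pack('!HH', 0, len(sni_list)) + sni_list        # extension type 0
    exts = struct.pack('!H', len(ext)) + ext
    body = (b'\x03\x03'                # client_version
            + b'\x00' * 32             # random (dummy)
            + b'\x00'                  # session id length 0
            + b'\x00\x02\x13\x01'      # one cipher suite
            + b'\x01\x00'              # compression: null only
            + exts)
    handshake = b'\x01' + struct.pack('!I', len(body))[1:] + body  # ClientHello, 3-byte len
    return bytes([HANDSHAKE]) + b'\x03\x01' + struct.pack('!H', len(handshake)) + handshake


# Constructed application_data record: after the 5-byte header the payload is
# ciphertext, so the bytes here are arbitrary.
APP_DATA_RECORD = bytes([APPLICATION_DATA]) + b'\x03\x03' + struct.pack('!H', 16) + bytes(range(16))


def extract_sni(record: bytes):
    """Return the host name from a ClientHello's SNI extension, else None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack('!H', record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:          # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], 'big')]
    pos = 2 + 32                              # skip version and random
    pos += 1 + body[pos]                      # session id
    pos += 2 + struct.unpack('!H', body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                      # compression methods
    if pos + 2 > len(body):                   # no extensions present
        return None
    end = pos + 2 + struct.unpack('!H', body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack('!HH', body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0 and len(edata) >= 5:    # server_name extension
            lpos = 2                          # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack('!H', edata[lpos + 1:lpos + 3])[0]
                if ntype == 0:                # host_name
                    return edata[lpos + 3:lpos + 3 + nlen].decode('ascii', errors='replace')
                lpos += 3 + nlen
    return None


def classify_record(record: bytes):
    """What a sensor without the session keys can still say about one record."""
    if len(record) < 5:
        return ('truncated', None)
    if record[0] == HANDSHAKE:
        return ('handshake', extract_sni(record))
    if record[0] == APPLICATION_DATA:
        return ('application_data', len(record) - 5)   # only the ciphertext length is visible
    return ('other', record[0])


if __name__ == '__main__':
    print(classify_record(build_client_hello('example.com')))
    print(classify_record(APP_DATA_RECORD))
```

The handshake record gives up the destination host name, which is exactly the "glimpse of the SNI" the earlier post mentions; the application_data record gives up nothing but a byte count, which is why content-matching rules for HTTP, SMTP and the like never fire on that traffic unless a MITM proxy has decrypted it first.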
-
@michmoor Greetings! Just to clarify - our ET Open rulesets are updated daily. There is no '30 day' delay introduced. Available free of charge, these signatures are put through the same QA testing as our ETPRO signatures.
Any signatures created as a result of Proofpoint research (including malware detonation, global sensor network, integration with other products) go into ETPRO. Any signatures contributed by the community, or signatures that are written by ET/Proofpoint based on community research, go into ET Open. A signature can be migrated from ETPRO to ET Open if a user submits a signature which has original coverage for an ETPRO signature.
Hope this helps! Feel free to reach out here via DM, on twitter (@et_labs) or on our Discourse.
-
@EmergingThreats, switching gears slightly here, is there a way to purchase a smaller license count for the Emerging Threats Intelligence subscription? Looks like this subscription is incredibly expensive (like $25k USD), even at the lowest tier. I don't mind paying a modest fee, but my home lab does not have 4,000 users.
Example: https://store.hypertecsp.com/Products/overview/M016949697
Update: I just found this which I believe can be used in pfBlockerNG: https://store.hypertecsp.com/Products/overview/M013632790
Can you please confirm? Thanks.
-
@DefenderLLC Greetings - unfortunately, there is currently no alternative pricing at that tier. I will let the sales team know of the interest, though.
-
@EmergingThreats said in ET Rules or Snort Subscriber rule:
@DefenderLLC Greetings - unfortunately, there is currently no alternative pricing at that tier. I will let the sales team know of the interest, though.
Thanks for the reply. I would gladly pay a modest fee for both licenses. Perhaps you can offer a home lab license kind of like what Netgate does for pfSense+ licenses for home users.