Netgate Discussion Forum

ET Rules or Snort Subscriber rule

IDS/IPS
10 Posts 4 Posters 2.7k Views

    michmoor LAYER 8 Rebel Alliance
    Aug 28, 2022, 10:47 PM

    Hello,
    I run Snort IDS/IPS. I pay for the Snort Subscriber Ruleset personal license so I get updates every week.
    Does it make sense to select ET rules as well, or is this just overlap? To me, once you pay for the rules and modify the IPS policy to whatever level you deem fit, there really is no added value to 30-day-old rules from ET, but perhaps I'm missing the value in it.

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

    bmeeks @michmoor
    Aug 29, 2022, 2:03 AM (last edited Aug 29, 2022, 2:04 AM)

      @michmoor said in ET Rules or Snort Subscriber rule:

      Hello,
      I run Snort IDS/IPS. I pay for the Snort Subscriber Ruleset personal license so I get updates every week.
      Does it make sense to select ET rules as well, or is this just overlap? To me, once you pay for the rules and modify the IPS policy to whatever level you deem fit, there really is no added value to 30-day-old rules from ET, but perhaps I'm missing the value in it.

      Probably no great benefit. I think in most folks' mind they run them because they are free and there is a very outside chance some ET rule might do better at detecting an off-the-wall threat than Snort VRT. But that's a pretty big stretch.

      Also remember that end-to-end encryption hobbles just about everything an IDS/IPS could formerly do. Without being able to inspect the actual packet payload, all it can do is look at source and destination IP addresses and ports and maybe get a glimpse of the SNI (while that is still not encrypted). And if you are running plain-text DNS (meaning no DoT and no DoH), then the IDS/IPS can see DNS packets. But it is pretty much blind to email traffic and web traffic, as that is almost 100% encrypted now. And where do most of the threats come from today? Yep, email attachments and booby-trapped websites. Your best defense from those attacks is going to be software on the endpoints of your network.

      If you have the RAM and CPU horsepower, then perhaps you run the paid Snort VRT rules and then add some of the ET Open free rules just for insurance. But if you have a smaller box (and many of the less expensive Netgate appliances meet that definition), then you probably want to be a bit stingier with the number of enabled rules.

      michmoor LAYER 8 Rebel Alliance @bmeeks
      Aug 29, 2022, 2:42 AM (last edited Aug 29, 2022, 2:47 AM)

        @bmeeks Thanks Bill. You pretty much verified my suspicion here. To be honest, the reason I even have the Snort paid rules is that the personal subscriber fee isn't expensive and I figured getting weekly updates is not bad.
        I had the ET rules enabled, but I don't think there is much benefit in waiting 30 days for some signatures that I get weekly. If anything, enabling a few of the ET rules resulted in performance degradation by as much as 50%.
        My Netgate 4100 running with Snort enabled on 2x LAN interfaces isn't the performance hit I thought it would be. Security Onion is getting the logs for further analysis.
        I largely agree with your analysis of the usefulness of it all anyway. I think of it more like a 'belt and suspenders' type of thing. Good to have as part of the overall package. Now I have an IPS policy on "Connectivity", which should provide good overall coverage.

        @bmeeks how is the decision made regarding which signature should be part of the Connectivity IPS ruleset?

          bmeeks @michmoor
          Aug 29, 2022, 1:22 PM (last edited Aug 29, 2022, 1:23 PM)

          @michmoor said in ET Rules or Snort Subscriber rule:

          @bmeeks how is the decision made regarding which signature should be part of the Connectivity IPS ruleset?

          That I don't know. My suspicion is it would be a score composed of something like how widespread the threat is, the impact of the threat, and how dicey the detection is. That last parameter would be determined by how often legitimate traffic might trigger the rule (or, turned around, how much trust can you put in reliable detection of just the specific threat with no false positives?).

          The goal of the "Connectivity" policy is to ensure connectivity by not triggering on false positives (or as few as possible).

          While not 100% related to your question, I did find this link from the Snort VRT (now Cisco) that describes a little bit of their philosophy: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117891-config-firewall-00.html.

            michmoor LAYER 8 Rebel Alliance @bmeeks
            Aug 30, 2022, 2:53 PM
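Two of the questions in this thread (how much an ET Open download actually overlaps with the Snort Subscriber rules already loaded, and which rules a policy such as "Connectivity" pulls in) can be answered by parsing the rule files and looking at the fields the engine matches on. The script below is an added example written for this page, not code from Netgate, Cisco Talos or Emerging Threats, and the rules inside it are constructed: their SIDs, messages and content strings are made up. It assumes the Subscriber ruleset's `metadata:policy <name> drop` convention for policy membership, and it treats two rules with the same set of `content:` patterns as overlapping, which is a deliberately coarse first pass (modifiers such as `http_uri` and `nocase` are not compared).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules for illustration only. SIDs, messages and content
# strings are invented; they are not taken from any real Snort or ET ruleset.
SNORT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB example"; flow:to_server,established; content:"|FF|SMB|72|"; depth:5; offset:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-admin; sid:1000001; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC beacon example"; flow:to_server,established; content:"GET"; http_method; content:"/gate.php"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER noisy example"; flow:to_server,established; content:"foo"; metadata:policy security-ips drop; classtype:misc-activity; sid:1000003; rev:1;)
'''

ET_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE beacon example"; flow:established,to_server; content:"/gate.php"; http_uri; content:"GET"; http_method; classtype:trojan-activity; sid:2000001; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"ET DNS example query"; content:"|07|example|03|bad|00|"; nocase; classtype:bad-unknown; sid:2000002; rev:1;)
'''

# action, protocol, header (addresses/ports/direction), then the option block in parentheses
RULE_RE = re.compile(r'^(alert|drop|pass|reject)\s+(\S+)\s+(.*?)\s*\((.*)\)\s*$')
# content:"..." with backslash escapes; group 1 is "!" when the match is negated
CONTENT_RE = re.compile(r'content:\s*(!?)"((?:[^"\\]|\\.)*)"')
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')
META_RE = re.compile(r'metadata:\s*([^;]*)')
# Subscriber-ruleset convention (assumed here): "policy <policy-name> drop|alert"
POLICY_RE = re.compile(r'policy\s+([\w-]+)\s+(drop|alert)')


def parse_rules(text: str) -> List[Dict]:
    """Parse one rule per line into a dict of the fields we compare on."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                      # not a rule line (comment, variable, garbage)
        action, proto, header, opts = m.groups()
        sid = SID_RE.search(opts)
        msg = MSG_RE.search(opts)
        meta = META_RE.search(opts)
        # Positive content patterns, lower-cased and sorted so order of appearance
        # does not matter when two rules are compared.
        contents = tuple(sorted(c.lower() for neg, c in CONTENT_RE.findall(opts) if not neg))
        policies = dict(POLICY_RE.findall(meta.group(1))) if meta else {}
        rules.append({
            "action": action, "proto": proto, "header": header,
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "contents": contents,
            "policies": policies,        # e.g. {"balanced-ips": "drop", ...}
        })
    return rules


def rules_in_policy(rules: List[Dict], policy: str) -> List[int]:
    """SIDs whose metadata places them in the named policy (e.g. "connectivity-ips")."""
    return sorted(r["sid"] for r in rules if policy in r["policies"])


def find_overlaps(rules_a: List[Dict], rules_b: List[Dict]) -> List[Tuple[int, int]]:
    """Pairs (sid_a, sid_b) whose positive content patterns are identical.
    Rules with no content match at all are skipped: they would pair with everything."""
    index: Dict[tuple, List[int]] = {}
    for r in rules_b:
        if r["contents"]:
            index.setdefault(r["contents"], []).append(r["sid"])
    pairs = []
    for r in rules_a:
        for sid_b in index.get(r["contents"], []):
            pairs.append((r["sid"], sid_b))
    return sorted(pairs)


if __name__ == "__main__":
    snort = parse_rules(SNORT_RULES)
    et = parse_rules(ET_RULES)
    for policy in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(f"{policy:17s} {rules_in_policy(snort, policy)}")
    print("overlapping (snort sid, et sid):", find_overlaps(snort, et))
```

On a real box, feed parse_rules() the text of the downloaded rules files instead of the inline strings. Expect the Connectivity list to be a small fraction of the file, which is exactly why that policy stays quiet, and expect the overlap list to be a lower bound: rules that detect the same thing with different byte patterns will not pair up here.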

            @bmeeks The link was helpful so thank you for that.
            To be honest, the paid Snort rules, I would like to think, are similar in respect to what the big brand vendors use (PA) on their products, so I feel like I am getting the feeds at a bargain price. Am I wrong in thinking that?
            Also, if IPS/IDS signatures are becoming increasingly irrelevant, then why do some sell the feeds at a premium? Even Snort or ET sells at a high cost.

              bmeeks @michmoor
              Aug 30, 2022, 3:04 PM (last edited Aug 30, 2022, 3:09 PM)

              @michmoor said in ET Rules or Snort Subscriber rule:

              @bmeeks The link was helpful so thank you for that.
              To be honest, the paid Snort rules, I would like to think, are similar in respect to what the big brand vendors use (PA) on their products, so I feel like I am getting the feeds at a bargain price. Am I wrong in thinking that?
              Also, if IPS/IDS signatures are becoming increasingly irrelevant, then why do some sell the feeds at a premium? Even Snort or ET sells at a high cost.

              The paid Snort Subscriber Rules are offered at a steep discount for home users (and I think educational accounts). A commercial or business license is more expensive, but not as expensive as the Emerging Threats Pro rules are.

              Most of the vendors offering "premium" products (read that as expensive) are also selling you the ability to utilize man-in-the-middle (MITM) systems to break the encryption at the firewall so packets can be inspected. They are then encrypted again after inspection. That requires client-trusted certs on your internal endpoints and all of the associated headache that comes with managing that. For large corporations, the cost and headache can be worth it for compliance reasons. But for a small business, and certainly for a home user, the cost/benefit ratio is generally just not there.

              One thing that happens under the covers in both the Snort and Suricata binaries is that the packet inspection engine automatically bails out when it sees encrypted data (i.e., when the protocol is SSH, HTTPS, etc.). The engine looks at the header and preamble bits, but skips the encrypted payload. Thus to actually inspect that kind of traffic it must be decrypted before feeding it to the IDS/IPS.

                EmergingThreats @michmoor
                Jan 3, 2023, 8:45 PM
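To make the encryption point from the two replies above concrete: the only part of an HTTPS session a signature can still read is the ClientHello, and within it the server_name (SNI) extension; once the session moves to ApplicationData records the payload is ciphertext and the engine has nothing to pattern-match, which is the "bails out" behaviour described. The code below is an added example, not from the original post or from the Snort or Suricata projects. It builds a minimal, constructed TLS 1.2 ClientHello (not a real capture), extracts the SNI the way an IDS protocol parser would, and returns None for an ApplicationData record to show where inspection stops. The function names are the example's own.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16          # record content type for handshake messages
TLS_APPLICATION_DATA = 0x17   # record content type for encrypted application data
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension.
    This is test input for the parser, not a capture of a real client."""
    name = hostname.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type=host_name(0)
    sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry     # ServerNameList
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_data)) + sni_ext_data
    # a second, unrelated extension (signature_algorithms) so the loop has to skip something
    sig_algs = struct.pack("!HH", 0x000D, 4) + struct.pack("!H", 2) + b"\x04\x03"
    extensions = sni_ext + sig_algs
    body = (
        b"\x03\x03"                                   # client_version = TLS 1.2
        + b"\x11" * 32                                # random, fixed for reproducibility
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """Constructed ApplicationData record: after the handshake this is all the wire carries."""
    return bytes([TLS_APPLICATION_DATA]) + b"\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a plaintext ClientHello record, or None when the
    record is anything else (including ApplicationData, whose payload is opaque)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                    # skip client_version and random
    try:
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            # ServerNameList: u16 list length, then entries of u8 name_type, u16 length, name
            lpos = 2
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:
                    return name.decode("ascii")
                lpos += 3 + nlen
    except (IndexError, struct.error):
        return None                                 # truncated or malformed: nothing usable
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("ClientHello SNI:", extract_sni(hello))                       # www.example.com
    data = build_application_data(bytes(range(0x80, 0xA0)))            # stand-in ciphertext
    print("ApplicationData SNI:", extract_sni(data))                    # None
```

Suricata exposes this same field to rules through the tls.sni sticky buffer, so a rule can still match a hostname in the ClientHello even though it can never match the HTTP request that follows; with Encrypted Client Hello, where deployed, even that field is gone, and the SNI is no longer "still not encrypted".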

                @michmoor Greetings! Just to clarify - our ET Open rulesets are updated daily. There is no '30 day' delay introduced. Available free of charge, these signatures are put through the same QA testing as our ETPRO signatures.

                Any signatures created as a result of Proofpoint research (including malware detonation, global sensor network, integration with other products) go into ETPRO. Any signatures contributed by the community, or signatures that are written by ET/Proofpoint based on community research, go into ET Open. A signature can be migrated from ETPRO to ET Open if a user submits a signature which has original coverage for an ETPRO signature.

                Hope this helps! Feel free to reach out here via DM, on twitter (@et_labs) or on our Discourse.

                  DefenderLLC @EmergingThreats
                  Jun 4, 2023, 2:11 AM (last edited Jun 4, 2023, 2:19 AM)

                  @EmergingThreats, switching gears slightly here, is there a way to purchase a smaller license count for the Emerging Threats Intelligence subscription? Looks like this subscription is incredibly expensive (like $25k USD), even at the lowest tier. I don't mind paying a modest fee, but my home lab does not have 4,000 users.

                  Example: https://store.hypertecsp.com/Products/overview/M016949697

                  Update: I just found this which I believe can be used in pfBlockerNG: https://store.hypertecsp.com/Products/overview/M013632790

                  Can you please confirm? Thanks.

                    EmergingThreats @DefenderLLC
                    Jun 20, 2023, 3:30 PM

                    @DefenderLLC Greetings - unfortunately, there is currently no alternative pricing at that tier. I will let the sales team know of the interest, though.

                      DefenderLLC @EmergingThreats
                      Jun 20, 2023, 4:46 PM

                      @EmergingThreats said in ET Rules or Snort Subscriber rule:

                      @DefenderLLC Greetings - unfortunately, there is currently no alternative pricing at that tier. I will let the sales team know of the interest, though.

                      Thanks for the reply. I would gladly pay a modest fee for both licenses. Perhaps you can offer a home lab license, kind of like what Netgate does for pfSense+ licenses for home users.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.