Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    (RESOLVED!!!) WARNING!! Emerging Threats Dshield rule set is now empty inside Snort and on Emerging Threats official website

    Scheduled Pinned Locked Moved IDS/IPS
    41 Posts 5 Posters 4.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JonathanLeeJ
      JonathanLee @michmoor
      last edited by JonathanLee

      @michmoor I am running an ARM processor on a 2100 MAX I have always wondered about it's usage of multithreading within its DNA. If your using SSL intercept the firewall itself runs the certificates, again you can also issue the SSL certs from inside of the Squid software and import them back into the Pfsense software. To my understanding Snort uses only one thread inside of the Pfsense software package; however Snort has multithreading functionality within some versions. Anyway Snort has appID options like Palo Alto does and they function but it eats memory. I can only "speculate" APP ID uses the certificates stored on the firewall.

      Screenshot 2022-12-30 at 2.34.49 PM.png

      Screenshot 2022-12-30 at 2.40.20 PM.png

      it's stateful inspection too.

      Make sure to upvote

      1 Reply Last reply Reply Quote 0
      • JonathanLeeJ
        JonathanLee @michmoor
        last edited by

        @michmoor Snort is not even listed within the sockets when it runs.

        Make sure to upvote

        M 1 Reply Last reply Reply Quote 0
        • M
          michmoor LAYER 8 Rebel Alliance @JonathanLee
          last edited by

          @jonathanlee I would caution that OpenAppID is not really like PaloAlto so don’t assume you’re getting those feature like quality for free.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          JonathanLeeJ 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks
            last edited by bmeeks

            Snort's OpenAppID is NOT seeing decrypted data. It simply analyzes the unencrypted SNI header in certain traffic types to guess at the application. Once encrypted SNI (ESNI) becomes a regular thing, OpenAppID is going to have some issues identifying applications.

            And today neither Snort nor Suricata, by default, will see unencrypted SSL traffic on pfSense even when MITM is present with something like HA-Proxy. The network plumbing on FreeBSD by default puts the IDS/IPS immediately after the NIC driver, so all traffic seen there is still encrypted. You would have to utilize multiple NIC ports and set up custom routing outside of the package GUI for either Snort or Suricata in order to have them see the unencrypted traffic available with MITM.

            JonathanLeeJ 3 Replies Last reply Reply Quote 1
            • JonathanLeeJ
              JonathanLee @michmoor
              last edited by

              @michmoor Noted: My firewall is not a enterprise class system like some PaloAlto's mine is just a home system, my streaming services never skip a beat now with pfSense running :) a smaller system is all I need. We went over so many PaloAlto options during class it can make your head spin they have so many options. I wonder with all the new whitebox software being installed right on the network cards if maybe something like a large Ciena router could also manage security options right on the router itself. Cisco started doing a firewall and router all in some years ago, it was cutting edge at the time to combine them.

              Make sure to upvote

              1 Reply Last reply Reply Quote 0
              • JonathanLeeJ
                JonathanLee @bmeeks
                last edited by JonathanLee

                @bmeeks but what about the sockets inside pfsense software, it lists nothing for snort? Is that separate from the software? I love this stuff it is so impressive what pfsense can do. The packages the firewall software all of it, it's a work of software art.

                Make sure to upvote

                bmeeksB 1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks @JonathanLee
                  last edited by bmeeks

                  @jonathanlee said in (RESOLVED NEXT RELEASE) WARNING!! Emerging Threats Dshield rule set is now empty inside Snort and on Emerging Threats official website:

                  @bmeeks but what about the sockets inside pfsense software, it lists nothing for snort? Is that separate from the software?

                  Totally unrelated and not used by either package. Suricata offers an optional socket connection for control purposes (starting, stopping, reloading rules, etc.), but not for inspection purposes. But that optional control socket is not used on pfSense.

                  Sockets in the context you seem to be talking about are generally used for inter-process communications where applications swap limited amounts of data or control information with each other.

                  1 Reply Last reply Reply Quote 0
                  • JonathanLeeJ
                    JonathanLee @bmeeks
                    last edited by

                    @bmeeks Have no fear Pfsense firewall software teams will always find a way to protect systems, HSM security modules today still need management software just like TPK attestation software. Firewall software teams work diligently to keep systems protected. A couple months ago I thought HTTPS/3 UDP QUIC was invincible and now wireshark can spot it, I even saw someone posted a video where they blocked specific QUIC website traffic. Without direct government protocol approval how can experimental traffic even get around a backbone internet router like a monster Ciena system? I personally think the wildwest days of dotcom are over, because more and more protocols and rules are taking hold, hence government compliance servers now just going to block it out if they want. It truly is mirrored analytics.

                    Make sure to upvote

                    1 Reply Last reply Reply Quote 0
                    • JonathanLeeJ
                      JonathanLee @bmeeks
                      last edited by

                      @bmeeks look at what Russia wants to do with ESNI

                      https://www.privateinternetaccess.com/blog/russia-wants-to-outlaw-tls-1-3-esni-dns-over-https-and-dns-over-tls/

                      They are going to force state issued certificates. WOW!!

                      Make sure to upvote

                      1 Reply Last reply Reply Quote 0
                      • M
                        michmoor LAYER 8 Rebel Alliance @bmeeks
                        last edited by

                        @bmeeks curious are there any development projects to have the IDS sit after the proxy in order to scan packets or would that require a rework within FreeBSD?

                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                        Routing: Juniper, Arista, Cisco
                        Switching: Juniper, Arista, Cisco
                        Wireless: Unifi, Aruba IAP
                        JNCIP,CCNP Enterprise

                        bmeeksB 1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks @michmoor
                          last edited by

                          @michmoor said in (RESOLVED NEXT RELEASE) WARNING!! Emerging Threats Dshield rule set is now empty inside Snort and on Emerging Threats official website:

                          @bmeeks curious are there any development projects to have the IDS sit after the proxy in order to scan packets or would that require a rework within FreeBSD?

                          Nothing in progress that I am aware of.

                          1 Reply Last reply Reply Quote 1
                          • JonathanLeeJ
                            JonathanLee
                            last edited by

                            Screenshot 2022-12-31 at 8.51.36 AM.png

                            Brandon and others from emerging threats support has helped bring resolve to this issue.

                            Update your lists and they should populate again for all the items.

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 0
                            • EmergingThreatsE
                              EmergingThreats
                              last edited by EmergingThreats

                              Jonathan, thanks for reporting! This disruption was due to an internal automation failing - we've fixed that problem and added some further alerting around failure points. We pushed the rules after the fixes were made on Saturday morning.

                              I'm glad we caught this post, and I'd also like to invite everyone to interact with us on twitter @et_labs and to join our Discourse.

                              Thanks again!

                              1 Reply Last reply Reply Quote 1
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.