Netgate Discussion Forum

Snort v3

IDS/IPS
    DefenderLLC, May 31, 2023, 1:03 AM (edited 1:14 AM)

    Hey Netgate,

    I know there’s quite a few old threads on this topic already, but I’m just curious if there are any plans to integrate Snort v3 into pfSense. I definitely prefer it over Suricata at this point, except for the fact that it’s single-threaded on v2. A lot has changed with pfSense with 23.01 and 23.05, so I’m hoping this is on the roadmap!

    Thanks!

      Dobby_, May 31, 2023, 3:31 AM

      I agree with @DefenderLLC; it would be nice to see Snort v3 in
      pfSense one day, either in CE or the "Plus" version.

      #~. @Dobby

      Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
      PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
      PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

        jdeloach @DefenderLLC, May 31, 2023, 6:19 AM (edited 6:20 AM)

        @DefenderLLC

        If you search this forum, you will find several messages from the current maintainer, @bmeeks, that he has no current plans to convert to Snort v3, but that anyone else who wishes to maintain it is welcome to step in and support Snort v3.

          DefenderLLC @jdeloach, May 31, 2023, 11:56 AM

          @jdeloach said in Snort v3:

          @DefenderLLC

          If you search this forum, you will find several messages from the current maintainer, @bmeeks, that he has no current plans to convert to Snort v3, but that anyone else who wishes to maintain it is welcome to step in and support Snort v3.

          I have read a lot of those posts, but they are 2 years old when we were running on FreeBSD 12. After all, Snort v3 has been out for over 3 years now.

            bmeeks @DefenderLLC, May 31, 2023, 1:49 PM

            @DefenderLLC said in Snort v3:

            I have read a lot of those posts, but they are 2 years old when we were running on FreeBSD 12. After all, Snort v3 has been out for over 3 years now.

            Nothing has changed. I still have no plans to create a Snort3 package. Anyone else is free to create one and contribute it, but I have decided to concentrate on Suricata only.

            At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.

              DefenderLLC @bmeeks, May 31, 2023, 2:06 PM

              @bmeeks said in Snort v3:

              @DefenderLLC said in Snort v3:

              I have read a lot of those posts, but they are 2 years old when we were running on FreeBSD 12. After all, Snort v3 has been out for over 3 years now.

              Nothing has changed. I still have no plans to create a Snort3 package. Anyone else is free to create one and contribute it, but I have decided to concentrate on Suricata only.

              At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.

              Looks like I'm going back to Suricata! Who needed those L7 features anyway? :)

                pfsjap @bmeeks, Jun 2, 2023, 9:14 PM

                @bmeeks said in Snort v3:

                At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.

                Will Suricata package accept Snort3 rules at that point?

                  michmoor @pfsjap, Jun 2, 2023, 9:18 PM

                  @pfsjap No.

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                    michmoor @DefenderLLC, Jun 2, 2023, 9:22 PM

                    @DefenderLLC The only way the rules have been in any way useful in 2023 is if you were writing custom rules. The category list that comes as part of the Snort OpenAppID install is extremely out of date. Although the app.id signatures are very relevant, the custom rules that come as part of the installation do not take into account today's apps. For example, TikTok.
                    Considering no one has taken the time out for the last 5 or 6 years to keep up with the new apps and write custom rules so that we all can use them in the categories that are pushed out, I would say no one else is in all probability using Snort for its L7 features.

                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                    Routing: Juniper, Arista, Cisco
                    Switching: Juniper, Arista, Cisco
                    Wireless: Unifi, Aruba IAP
                    JNCIP,CCNP Enterprise

                      pfsjap @michmoor, Jun 3, 2023, 10:53 AM

                      @michmoor Well, that leaves a lot of the rules out then.

                      Is this because of the same reason as with Snort3 package not being in sight?

                        bmeeks @pfsjap, Jun 3, 2023, 11:46 AM (edited 11:47 AM)

                        @pfsjap said in Snort v3:

                        @michmoor Well, that leaves a lot of the rules out then.

                        Is this because of the same reason as with Snort3 package not being in sight?

                        Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different.

                        The OpenAppID technology in Snort 2.9.x consists of two distinct parts, and neither part stands alone. That means without BOTH parts in place, the OpenAppID function is non-functional.

                        The two parts are the rule stubs (provided by the Snort Vulnerability Research Team) and the associated text rules (which must be written or provided by the user). The only thing that ships with Snort from upstream is the rule stubs package. The rule stubs get updated by the Snort VRT on a regular basis.

                        The OpenAppID text rules must be created by the Snort user. The text rules use the rule stubs package to perform application detection. When OpenAppID was first introduced into the pfSense Snort package, a professor at a University in Brazil volunteered to produce a free OpenAppID text rules package for Snort on pfSense. For a while (maybe a year or two) that professor and his students maintained the OpenAppID text rules package and hosted it on the University's network. But due to IP geoblocking which the University network security team implemented, many Snort package users around the world could not access the free text rules package hosted on the University site. At that point Netgate agreed to host the OpenAppID text rules archive on their server infrastructure. But Netgate only hosts the archive on their server, they DO NOT maintain the rules in the archive.

                        Over time the rules have fallen quite out of date because the original maintainers ceased their updates.

                          DefenderLLC @bmeeks, Jun 3, 2023, 1:07 PM

                          @bmeeks I guess since OpenAppID is "open," there probably aren't any L7 ruleset subscriptions available for purchase like the VRT rulesets. Although I'm a little bummed out about it, my UDM-SE, which sits behind my pfSense managing the rest of my UniFi gear and client devices, supports some basic L7 functions using NetFlow and app rules.

                            pfsjap @bmeeks, Jun 3, 2023, 3:34 PM

                            @bmeeks said in Snort v3:

                            Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different

                            I referred to Snort Subscriber Rules, of which there are plenty.

                            I don't care about OpenAppID Detectors, never have used them.

                              bmeeks @pfsjap, Jun 3, 2023, 4:06 PM

                              @pfsjap said in Snort v3:

                              @bmeeks said in Snort v3:

                              Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different

                              I referred to Snort Subscriber Rules, of which there are plenty.

                              I don't care about OpenAppID Detectors, never have used them.

                              In that case the Emerging Threats rules cover the same threats. Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription. The free open-source version of ET rules is more limited.

                                pfsjap @bmeeks, Jun 3, 2023, 4:08 PM

                                @bmeeks said in Snort v3:

                                Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription.

                                Yeah, too much for personal use.

                                  DefenderLLC @bmeeks, Jun 3, 2023, 4:35 PM (edited 4:36 PM)

                                  @bmeeks said in Snort v3:

                                  @pfsjap said in Snort v3:

                                  @bmeeks said in Snort v3:

                                  Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different

                                  I referred to Snort Subscriber Rules, of which there are plenty.

                                  I don't care about OpenAppID Detectors, never have used them.

                                  In that case the Emerging Threats rules cover the same threats. Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription. The free open-source version of ET rules is more limited.

                                  You can purchase the ET Pro subscription from the OPNsense store for about $802.73 at today's exchange rate. It will work with pfSense if you want to spend the big bucks. It was the cheapest I could find when I was considering it originally. I just use the personal paid Snort rules instead.

                                  https://shop.opnsense.com/product/proofpoint-et-pro-ruleset-1yr-subscription/

                                    JonathanLee, Nov 29, 2023, 4:07 AM (edited 4:08 AM)

                                    The pfSense Snort AppID de-cipher sorcerer's code file with case-sensitive messages: --> 1696920726080-textrules2 (1).txt
                                    SID range: 1000000 - 1003371

                                    Total 3,371 AppID rules you can use with the custom option.

                                    Use this with AppID enabled and place it as custom to use all the AppID Snort stubs with custom text rules.

                                    https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes

                                    This also has TikTok in it.

                                    Make sure to upvote

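The two-part dependency bmeeks describes (VRT rule stubs plus user-written text rules) and the custom text-rules file with its local SID range that JonathanLee posted both suggest a sanity check worth running before loading such a file. The script below is an added example, not code from this thread or from the pfSense package: it parses Snort 2.9.x text rules that use the `appid` option and flags rules that would silently never fire (an app name with no detector stub, a rule with no `appid` option at all), SIDs outside the local range, and duplicate SIDs. The STUB_APPS set and the sample rules are constructed stand-ins; a real check would take the app names from the installed stubs package.

```python
import re

# Constructed stand-in for the app names the VRT rule-stubs package provides.
STUB_APPS = {"facebook", "tiktok", "youtube", "itunes", "openai"}
LOCAL_SID_MIN = 1000000  # custom/local rules conventionally use sid >= 1,000,000
RULE_RE = re.compile(r"^(?:alert|drop|reject|pass|log)\s+\S+\s+\S+\s+\S+\s+"
                     r"(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$")

def parse_options(opt_text):
    # {keyword: value}; a ';' inside a quoted msg would need a real tokenizer.
    pairs = (i.strip().partition(":") for i in opt_text.split(";") if i.strip())
    return {k.strip(): v.strip().strip('"') for k, _, v in pairs}

def check_appid_rules(text, stub_apps=STUB_APPS):
    """Return [(line_no, problem)] for a Snort 2.9 OpenAppID text-rules file."""
    findings, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((n, "unparseable rule"))
            continue
        opts = parse_options(m.group("opts"))
        sid = opts.get("sid", "")
        if not sid.isdigit():
            findings.append((n, "missing or non-numeric sid"))
        elif int(sid) < LOCAL_SID_MIN:
            findings.append((n, f"sid {sid} is below the local range"))
        elif sid in seen_sids:
            findings.append((n, f"sid {sid} duplicates line {seen_sids[sid]}"))
        else:
            seen_sids[sid] = n
        if "appid" not in opts:  # without the option the stubs are never consulted
            findings.append((n, "no appid option: rule does not use the stubs"))
            continue
        for app in (a.strip() for a in opts["appid"].split(",")):
            if app not in stub_apps:  # a text rule with no matching stub never fires
                findings.append((n, f"appid '{app}' has no detector stub"))
    return findings

# Constructed sample local.rules exercising each check (not real rules).
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"AppID TikTok"; appid: tiktok; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"AppID Snapchat"; appid: snapchat; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"No appid"; content:"foo"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"Bad sid"; appid: facebook; sid:42; rev:1;)
alert tcp any any -> any any (msg:"Dup sid"; appid: youtube,itunes; sid:1000001; rev:1;)
"""
```

Running `check_appid_rules(SAMPLE_RULES)` reports the Snapchat rule (no stub), the rule without `appid`, the low SID and the duplicate SID, while the TikTok rule passes.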
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.