Snort v3
-
If you search this forum, you will find several messages from the current maintainer, @bmeeks , that he has no current plans to convert to Snort v3 but that anyone else who wishes to maintain it is welcome to step in and support Snort v3.
I have read a lot of those posts, but they are 2 years old when we were running on FreeBSD 12. After all, Snort v3 has been out for over 3 years now.
-
@DefenderLLC said in Snort v3:
I have read a lot of those posts, but they are 2 years old when we were running on FreeBSD 12. After all, Snort v3 has been out for over 3 years now.
Nothing has changed. I still have no plans to create a Snort3 package. Anyone else is free to create one and contribute it, but I have decided to concentrate on Suricata only.
At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.
-
@DefenderLLC said in Snort v3:
I have read a lot of those posts, but they are 2 years old when we were running on FreeBSD 12. After all, Snort v3 has been out for over 3 years now.
Nothing has changed. I still have no plans to create a Snort3 package. Anyone else is free to create one and contribute it, but I have decided to concentrate on Suricata only.
At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.
Looks like I'm going back to Suricata! Who needed those L7 features anyway? :)
-
At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.
Will Suricata package accept Snort3 rules at that point?
-
@pfsjap No.
-
@DefenderLLC The only way the rules have been in any way useful in 2023 is if you were writing custom rules. The category list that comes as part of the Snort OpenAppID install is extremely out of date. Although the app.id signatures are very relevant, the custom rules that come as part of the installation do not take into account today's apps. For example, TikTok.
Considering no one has taken the time out for the last 5 or 6 years to keep up with the new apps and write custom rules so that we all can use them in the categories that are pushed out, I would say no one else is in all probability using Snort for its L7 features.
-
@michmoor Well, that leaves a lot of the rules out then.
Is this because of the same reason as with Snort3 package not being in sight?
-
@michmoor Well, that leaves a lot of the rules out then.
Is this because of the same reason as with Snort3 package not being in sight?
Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different.
The OpenAppID technology in Snort 2.9.x consists of two distinct parts, and neither part stands alone. That means without BOTH parts in place, the OpenAppID function is non-functional.
The two parts are the rule stubs (provided by the Snort Vulnerability Research Team) and the associated text rules (which must be written or provided by the user). The only thing that ships with Snort from upstream is the rule stubs package. The rule stubs get updated by the Snort VRT on a regular basis.
The OpenAppID text rules must be created by the Snort user. The text rules use the rule stubs package to perform application detection. When OpenAppID was first introduced into the pfSense Snort package, a professor at a University in Brazil volunteered to produce a free OpenAppID text rules package for Snort on pfSense. For a while (maybe a year or two) that professor and his students maintained the OpenAppID text rules package and hosted it on the University's network. But due to IP geoblocking which the University network security team implemented, many Snort package users around the world could not access the free text rules package hosted on the University site. At that point Netgate agreed to host the OpenAppID text rules archive on their server infrastructure. But Netgate only hosts the archive on their server, they DO NOT maintain the rules in the archive.
Over time the rules have fallen quite out of date because the original maintainers ceased their updates.
-
@bmeeks I guess since OpenAppID is "open," then there probably aren't any L7 ruleset subscriptions available for purchase like the VRT rulesets. Although I'm a little bummed out about it, my UDM-SE, which sits behind my pfSense managing the rest of my UniFi gear and client devices, supports some basic L7 functions using netflow and app rules.
-
Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different.
I referred to Snort Subscriber Rules, of which there are plenty.
I don't care about OpenAppID Detectors, never have used them.
-
Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different.
I referred to Snort Subscriber Rules, of which there are plenty.
I don't care about OpenAppID Detectors, never have used them.
In that case the Emerging Threats rules cover the same threats. Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription. The free open-source version of ET rules is more limited.
-
Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different.
I referred to Snort Subscriber Rules, of which there are plenty.
I don't care about OpenAppID Detectors, never have used them.
In that case the Emerging Threats rules cover the same threats. Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription. The free open-source version of ET rules is more limited.
You can purchase the ET Pro subscription from the OPNsense store for about $802.73 at today's exchange rate. It will work with pfSense if you want to spend the big bucks. It was the cheapest I could find when I was considering it originally. I just use the personal paid Snort rules instead.
https://shop.opnsense.com/product/proofpoint-et-pro-ruleset-1yr-subscription/
-
The pfSense Snort AppID de-cipher sorcerer's code file with case sensitive messages: --> 1696920726080-textrules2 (1).txt
Sid range: 1000000 - 1003371
Total 3,371 AppID rules you can use with the custom option.
Use this with AppID enabled and place it as custom to use all the AppID Snort stubs with custom text rules.
https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes
This also has TikTok in it.
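As an added illustration of the two-part mechanism @bmeeks describes (VRT rule stubs plus user-written text rules that reference them via the appid option) and of the custom sid range quoted above, here is a small linter for a custom OpenAppID text rules file. It is example code written for this thread, not the attached rules file or any pfSense package code; the sample rules and the 1000000 lower bound for custom sids are constructed from what the thread states.

```python
import re

# Snort 2.9.x OpenAppID text rules are ordinary Snort rules whose "appid:"
# option names one or more detectors shipped in the VRT rule stubs package.
# This linter checks a custom text rules file for the mistakes that silently
# make such rules useless: no appid option, a sid outside the custom range,
# or a duplicated sid.  Lower bound taken from the thread (assumption).
CUSTOM_SID_MIN = 1000000

RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<header>[^(]+)\((?P<opts>.*)\)\s*$')

def parse_rule(line):
    """Split one rule into action, header and an option dict (None if malformed).
    Options are split on ';', so a ';' inside msg text is not supported here."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in m.group('opts').split(';'):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(':')
            opts[key.strip()] = val.strip()
    return {'action': m.group('action'), 'header': m.group('header').strip(), 'opts': opts}

def appids(rule):
    """Detector names a rule references, e.g. 'appid:tiktok,facebook' -> two names."""
    return [a.strip() for a in rule['opts'].get('appid', '').split(',') if a.strip()]

def lint_rules(text):
    """Return (line number, problem) tuples for a custom text rules file."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((lineno, 'unparseable rule'))
            continue
        if not appids(rule):
            findings.append((lineno, 'no appid option: not an OpenAppID rule'))
        sid = rule['opts'].get('sid', '')
        if not sid.isdigit():
            findings.append((lineno, 'missing or non-numeric sid'))
            continue
        sid = int(sid)
        if sid < CUSTOM_SID_MIN:
            findings.append((lineno, f'sid {sid} is below the custom range'))
        if sid in seen:
            findings.append((lineno, f'sid {sid} duplicates line {seen[sid]}'))
        seen.setdefault(sid, lineno)
    return findings

# Constructed sample file (not the thread's attachment); lines 4, 5 and 6 are faulty.
SAMPLE_RULES = """\
# constructed custom OpenAppID text rules
alert tcp any any -> any any (msg:"APPID TikTok"; appid:tiktok; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"APPID Social"; appid:facebook,instagram; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"plain rule"; content:"GET"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"bad sid"; appid:youtube; sid:42; rev:1;)
alert tcp any any -> any any (msg:"dup sid"; appid:netflix; sid:1000001; rev:1;)
"""
```

Running lint_rules(SAMPLE_RULES) flags the rule without an appid option, the sid below the custom range, and the duplicate sid, which are the three ways a custom AppID rule gets rejected or ignored without an obvious error.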