Netgate Discussion Forum
Snort v3

IDS/IPS
    bmeeks @DefenderLLC
    last edited by May 31, 2023, 1:49 PM

    @DefenderLLC said in Snort v3:

    I have read a lot of those posts, but they are 2 years old when we were running on FreeBSD 12. After all, Snort v3 has been out for over 3 years now.

    Nothing has changed. I still have no plans to create a Snort3 package. Anyone else is free to create one and contribute it, but I have decided to concentrate on Suricata only.

    At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.

      DefenderLLC @bmeeks
      last edited by May 31, 2023, 2:06 PM

      @bmeeks said in Snort v3:

      Nothing has changed. I still have no plans to create a Snort3 package. Anyone else is free to create one and contribute it, but I have decided to concentrate on Suricata only.

      At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.

      Looks like I'm going back to Suricata! Who needed those L7 features anyway? :)

        pfsjap @bmeeks
        last edited by Jun 2, 2023, 9:14 PM

        @bmeeks said in Snort v3:

        At some point in the future I expect the upstream Snort team will cease development work on Snort 2.9.x (the version currently in pfSense). At that point, unless someone has stepped up and created a Snort3 package, Snort will die on pfSense.

        Will Suricata package accept Snort3 rules at that point?

          michmoor LAYER 8 Rebel Alliance @pfsjap
          last edited by Jun 2, 2023, 9:18 PM

          @pfsjap No.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

            michmoor LAYER 8 Rebel Alliance @DefenderLLC
            last edited by Jun 2, 2023, 9:22 PM

            @DefenderLLC The only way the rules have been in any way useful in 2023 is if you were writing custom rules. The category list that comes as part of the Snort OpenAppID install is extremely out of date. Although the AppID signatures are very relevant, the custom rules that come as part of the installation do not take into account today's apps. For example, TikTok.
            Considering no one has taken the time out over the last 5 or 6 years to keep up with the new apps and write custom rules so that we all can use them in the categories that are pushed out, I would say no one else is, in all probability, using Snort for its L7 features.

              pfsjap @michmoor
              last edited by Jun 3, 2023, 10:53 AM

              @michmoor Well, that leaves a lot of the rules out then.

              Is this because of the same reason as with Snort3 package not being in sight?

                bmeeks @pfsjap
                last edited by bmeeks Jun 3, 2023, 11:47 AM

                @pfsjap said in Snort v3:

                @michmoor Well, that leaves a lot of the rules out then.

                Is this because of the same reason as with Snort3 package not being in sight?

                Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different.

                The OpenAppID technology in Snort 2.9.x consists of two distinct parts, and neither part stands alone. That means without BOTH parts in place, the OpenAppID function is non-functional.

                The two parts are the rule stubs (provided by the Snort Vulnerability Research Team) and the associated text rules (which must be written or provided by the user). The only thing that ships with Snort from upstream is the rule stubs package. The rule stubs get updated by the Snort VRT on a regular basis.

                The OpenAppID text rules must be created by the Snort user. The text rules use the rule stubs package to perform application detection. When OpenAppID was first introduced into the pfSense Snort package, a professor at a University in Brazil volunteered to produce a free OpenAppID text rules package for Snort on pfSense. For a while (maybe a year or two) that professor and his students maintained the OpenAppID text rules package and hosted it on the University's network. But due to IP geoblocking which the University network security team implemented, many Snort package users around the world could not access the free text rules package hosted on the University site. At that point Netgate agreed to host the OpenAppID text rules archive on their server infrastructure. But Netgate only hosts the archive on their server, they DO NOT maintain the rules in the archive.

                Over time the rules have fallen quite out of date because the original maintainers ceased their updates.

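The post above describes OpenAppID as two halves: the detector/stub package that the Snort VRT ships and updates, and the text rules the user has to write that reference those detectors through the Snort 2.9.x `appid` rule option. As an added example (not code from the pfSense Snort package, and not from anyone in this thread), the script below writes that user-supplied half and then checks a rules file for the mistakes that silently break a custom rule set: duplicate SIDs, SIDs below the local range that Snort reserves for upstream rules, and lines with no `appid` option at all. The application names, the `msg` strings and the SID start value are assumptions; the names in a real file must match the detector names in the stub package installed on the firewall.

```python
"""Generate and sanity-check Snort 2.9.x OpenAppID text rules.

Added example for this thread; not code from the pfSense Snort package.
OpenAppID needs the VRT detector/stub package AND user-written text
rules that use the `appid` rule option. This writes and checks the latter.
"""
import re

# Snort reserves SIDs below 1,000,000 for upstream rule sets; local rules
# conventionally start here (assumption, matches the range quoted in the
# thread's AppID custom-rules post).
LOCAL_SID_START = 1_000_000

# Constructed, illustrative app list. The first field must match a detector
# name from the installed stub package (check appMapping.data on the box).
APPS = [
    ("TikTok", "OpenAppID: TikTok traffic"),
    ("BitTorrent", "OpenAppID: BitTorrent traffic"),
    ("Tor", "OpenAppID: Tor traffic"),
]

# Snort 2.9.x text rule carrying the appid option; one rule per app.
RULE_TEMPLATE = (
    'alert tcp any any -> any any '
    '(msg:"{msg}"; appid:{app}; '
    'classtype:policy-violation; sid:{sid}; rev:1;)'
)


def build_rules(apps, first_sid=LOCAL_SID_START):
    """Return one text rule per app with sequential SIDs in the local range."""
    return [
        RULE_TEMPLATE.format(msg=msg, app=app, sid=first_sid + offset)
        for offset, (app, msg) in enumerate(apps)
    ]


_SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
_APPID_RE = re.compile(r"\bappid:\s*([^;]+);")


def check_rules(text):
    """Parse a rules file body and return (rule_count, problems).

    Flags rules without a sid, duplicate sids, sids that collide with the
    upstream range, and rules that carry no appid option (a plain rule in
    an AppID file is almost always a copy/paste mistake).
    """
    seen = set()
    problems = []
    count = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SID_RE.search(line)
        if not m:
            problems.append(f"line {lineno}: no sid")
            continue
        sid = int(m.group(1))
        count += 1
        if sid in seen:
            problems.append(f"line {lineno}: duplicate sid {sid}")
        seen.add(sid)
        if sid < LOCAL_SID_START:
            problems.append(f"line {lineno}: sid {sid} collides with upstream range")
        if not _APPID_RE.search(line):
            problems.append(f"line {lineno}: no appid option")
    return count, problems


if __name__ == "__main__":
    body = "\n".join(build_rules(APPS))
    print(body)
    print(check_rules(body))
```

The generated lines are what goes into the Snort package's custom rules box; `check_rules` is worth running on any third-party AppID text rules archive before pasting it in, since a single duplicate SID will make Snort refuse the whole rule set.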
                  DefenderLLC @bmeeks
                  last edited by Jun 3, 2023, 1:07 PM

                  @bmeeks I guess since OpenAppID is "open," there probably aren't any L7 ruleset subscriptions available for purchase like the VRT rulesets. Although I'm a little bummed out about it, my UDM-SE, which sits behind my pfSense managing the rest of my UniFi gear and client devices, supports some basic L7 functions using netflow and app rules.

                    pfsjap @bmeeks
                    last edited by Jun 3, 2023, 3:34 PM

                    @bmeeks said in Snort v3:

                    Not exactly. Many users don't fully understand how the OpenAppID rules work. They are completely unlike all the other rules. The mechanics of creating functional OpenAppID rules is quite different

                    I referred to Snort Subscriber Rules, of which there are plenty.

                    I don't care about OpenAppID Detectors, never have used them.

                      bmeeks @pfsjap
                      last edited by Jun 3, 2023, 4:06 PM

                      @pfsjap said in Snort v3:

                      I referred to Snort Subscriber Rules, of which there are plenty.

                      I don't care about OpenAppID Detectors, never have used them.

                      In that case the Emerging Threats rules cover the same threats. Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription. The free open-source version of ET rules is more limited.

                        pfsjap @bmeeks
                        last edited by Jun 3, 2023, 4:08 PM

                        @bmeeks said in Snort v3:

                        Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription.

                        Yeah, too much for personal use.

                          DefenderLLC @bmeeks
                          last edited by DefenderLLC Jun 3, 2023, 4:36 PM

                          @bmeeks said in Snort v3:

                          In that case the Emerging Threats rules cover the same threats. Of course the "paid version" of those rules is more than 10x the cost of a personal Snort Subscriber Rules subscription. The free open-source version of ET rules is more limited.

                          You can purchase the ET Pro subscription from the OPNsense store for about $802.73 at today's exchange rate. It will work with pfSense if you want to spend the big bucks. It was the cheapest I could find when I was considering it originally. I just use the personal paid Snort rules instead.

                          https://shop.opnsense.com/product/proofpoint-et-pro-ruleset-1yr-subscription/

                            JonathanLee
                            last edited by JonathanLee Nov 29, 2023, 4:08 AM

                            The pfSense Snort AppID de-cipher sorcerer's code file with case-sensitive messages: --> 1696920726080-textrules2 (1).txt
                            Sid range: 1000000 - 1003371

                            Total 3,371 AppID rules you can use with the custom option.

                            Use this with AppID enabled and place it as custom to use all the AppID Snort stubs with custom text rules.

                            https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes

                            This also has TikTok in it.

                            Make sure to upvote

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.