[Solved] Snort GPLv2 Community Rules - Unable to download checksum file

bmeeks

This issue has once again been solved by the Snort Rules Team. The GPLv2 Community Rules for Snort 2.9.x are available.

monotypeTattoo

@bmeeks Thank you.

I did send an email enquiry linking to this thread and describing the problem. I received a very brief reply effectively denying the problem.

I suspect the process that creates the community-rules.tar.gz file possibly breaks on occasion?

bmeeks

@monotypetattoo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

@bmeeks Thank you.

I did send an email enquiry linking to this thread and describing the problem. I received a very brief reply effectively denying the problem.

I suspect the process that creates the community-rules.tar.gz file possibly breaks on occasion?

From the little bit I understand via previous email conversations with some of the Snort team members, this is an automated process. It sometimes hiccups, and I guess now that Snort3 is their main focus, they don't always notice if the 2.9.x rules packages fail to build and post correctly.

xperttech

Hi all, I'm new to pfSense.
I just installed it over the weekend and have this very issue from the start. My gateway has never seen the GPLv2 Community Rules for Snort 2.0.x. I find that it has happened a few times in years past. Seems to be back.
Do we need to keep reminding someone to fix this automated process?
Thanks!

bmeeks

@xperttech said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

Hi all, I'm new to pfSense.
I just installed it over the weekend and have this very issue from the start. My gateway has never seen the GPLv2 Community Rules for Snort 2.0.x. I find that it has happened a few times in years past. Seems to be back.
Do we need to keep reminding someone to fix this automated process?
Thanks!

This would be something you should take up with the Snort team. Perhaps by joining their mailing list here: https://seclists.org/snort/.

You should also be aware that if you have a Snort VRT subscription (or are registered for their free 30-day aged rules), then you do not need to download the GPL v2 Community Rules separately as they are included within the subscriber and registered packages.

Edited: found out only paid subscribers have the GPLv2 Community Rules included within that archive. Registered users (non-paying) get an archive that does not include the GPLv2 Rules.

DefenderLLC

@bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

@xperttech said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

Hi all, I'm new to pfSense.
I just installed it over the weekend and have this very issue from the start. My gateway has never seen the GPLv2 Community Rules for Snort 2.0.x. I find that it has happened a few times in years past. Seems to be back.
Do we need to keep reminding someone to fix this automated process?
Thanks!

This would be something you should take up with the Snort team. Perhaps by joining their mailing list here: https://seclists.org/snort/.

You should also be aware that if you have a Snort VRT subscription (or are registered for their free 30-day aged rules), then you do not need to download the GPL v2 Community Rules separately as they are included within the subscriber and registered packages.

I’m having the same exact issue although I’m a paid subscriber, so I just disabled the community rules. Something definitely happened in the last few days.

Update: It looks like Snort removed the community ruleset for v2.9.. #Shocker

https://www.snort.org/downloads#rules

fireodo

@DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

Something definitely happened in the last few days.

I guess asking Talos would bring clarity ... ;-)

slu

@bmeeks
any change to bring SNORT 3.x to pfSense?
I guess this is much work, otherwise you would have done it a long time ago?

bmeeks

@slu said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

@bmeeks
any change to bring SNORT 3.x to pfSense?
I guess this is much work, otherwise you would have done it a long time ago?

No, I am not working on anything for Snort3 and have no future plans to do so. I tried it twice and gave up. The benefit was not worth the effort and hassle compared to just using the existing Suricata package.

At some point Snort 2.9.x is going to go EOL (end-of-life) upstream. At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

DefenderLLC

@bmeeks I'm guessing you probably have that reply saved in your notes somewhere for replies to this never-ending question. :)

fireodo

@bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

Is there a good strategy to go from snort to suricata? (I mean with as less as possible hassle)

DefenderLLC

@fireodo I know you didn't ask me, but most of your rulesets will work. Some Snort rules might throw up an error. The good news is that your suppression lists should also work too since they seem to use the same format. For me, that's the hardest about tuning IDS/IPS on a new network. Just make sure to copy them before removing the Snort package. You also just disable any Snort interfaces while you're configuring Suricata. When you're done, then you can remove Snort and it's underlying data.

fireodo

@DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

@fireodo I know you didn't ask me, but most of your rulesets will work. Some Snort rules might throw up an error. The good news is that your suppression lists should also work too since they seem to use the same format. For me, that's the hardest about tuning IDS/IPS on a new network. Just make sure to copy them before removing the Snort package. You also just disable any Snort interfaces while you're configuring Suricata. When you're done, then you can remove Snort and it's underlying data.

Thanks! Ofcourse I will try to save as much of the settings (and most important the supression list) in a note-file.

bmeeks

@fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

Is there a good strategy to go from snort to suricata? (I mean with as less as possible hassle)

It's pretty much starting over with a green field install with regards to IDS/IPS. First thing to do is review the official Suricata docs from upstream here: https://docs.suricata.io/en/suricata-6.0.13/.

Here is what I would do next --

1. Document your current Snort interface names (assuming you will want to run Suricata on those same interfaces).
2. Take note of the rule families you are using. You can continue to use the majority of the Snort Subscriber Rules with Suricata. Just be aware that not all of them are compatible. Suricata will let you know which ones it does not like in the suricata.log file. Make sure you still have access to your Snort Oinkcode so you can enter it into Suricata if you plan to continue with the Snort Subscriber Rules.
3. Remove the Snort package first! You never want both of them installed and active at the same time. Make sure your Snort interfaces are all set to DISABLED before installing Suricata if you plan on leaving Snort there for a bit to copy over things like Suppress Lists. And if it were me, I would uncheck the option on the GLOBAL SETTINGS tab to save the old Snort configuration when removing Snort. I would not want it cluttering up my config.xml file. But this is not a requirement. It won't hurt anything by remaining other than make the file slightly larger.
4. Install the Suricata package. With no existing configuration, it will install quickly.
5. Go to the GLOBAL SETTINGS tab and enter your rules download configuration just like you did when you set up Snort.
6. Now go to the UPDATES tab and download the rules you selected previously.
7. When the rules download is completed, go to the INTERFACES tab and configure your interfaces. For each interface click on the Edit icon to access its configuration parameters. Note that Suricata relies heavily on its EVE JSON logging system whereas Snort primarily used syslog. Suricata can also use syslog, but with some limitations. There is a multitude of EVE JSON logging options available in Suricata. Details about each can be found in the Suricata docs link provided up above.
8. For each configured interface, remember to visit the CATEGORIES tab and select the rules groups you desire. Or you can use the SID MGMT feature if preferred. This all works exactly like it does in Snort.
9. Start up all your interfaces and monitor things for a while.

Some Observations:

1. The GUI look and feel is almost identical between Snort and Suricata. Suricata's PHP code was in large part a simple copy and paste from existing Snort code in many areas. So, there should be no big surprises in terms of the GUI between Snort and Suricata.
2. Suricata does not have OpenAppID nor any similar feature. Anything you had around OpenAppID in Snort will not be available in Suricata.
3. Suricata does NOT use preprocessors. There are no preprocessor configuration options. That simplifies setup a bit in my opinion.

bmeeks

@DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

The good news is that your suppression lists should also work too since they seem to use the same format.

Correct. The format is exactly the same and you can simply copy and paste the text from your Snort lists into Suricata.

fireodo

@bmeeks

Thank you very much, Bill, I bookmarked your explanation! (for the future when it becomes necessary - because I doubt that someone will do the work for Snort 3.0)

fireodo

@bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

@DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

The good news is that your suppression lists should also work too since they seem to use the same format.

Correct. The format is exactly the same and you can simply copy and paste the text from your Snort lists into Suricata.

Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

bmeeks

@fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

No, those live as encoded strings within the config.xml file of pfSense in the <packages><snort> section. And even the Suppress List resides there, but it does get written out as plaintext each time Snort is started. And it is visible as plaintext on the Suppress List edit tab, so it can easily be copied.

Suricata stores its information the same way. So, if you are handy with recognizing how the XML configuration file of pfSense works, you can do a manual port of those settings.

fireodo

@bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

@fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

No, those live as encoded strings within the config.xml file of pfSense in the <packages><snort> section. And even the Suppress List resides there, but it does get written out as plaintext each time Snort is started. And it is visible as plaintext on the Suppress List edit tab, so it can easily be copied.

Suricata stores its information the same way. So, if you are handy with recognizing how the XML configuration file of pfSense works, you can do a manual port of those settings.

Aha, OK Thanks - I guess others are also interested in these Informations!

I found in the config.xml at the coresponding interface:
<rule_sid_off>{lots of sids}</rule_sid_off>
I guess thats the place.

slu

@bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

The problem with Suricata was the missing OpenAppID function, or I'm not up-to-date and there is a solution?