Netgate Discussion Forum

Snort and Paid Rule Subscriptions

IDS/IPS
16 Posts 3 Posters 1.4k Views
    JonathanLee @bmeeks
    last edited by JonathanLee Nov 16, 2023, 12:02 AM Nov 16, 2023, 12:00 AM

    @bmeeks

    Screenshot 2023-11-15 at 3.53.19 PM.png

    Screenshot 2023-11-15 at 3.53.39 PM.png
    Is this OK?

    I never see any Snort-branded alerts; they are always ET (Emerging Threats) branded.

    Make sure to upvote

      bmeeks
      last edited by Nov 16, 2023, 3:29 AM

      Are the Snort rules actually downloaded? Post a screen capture of the UPDATES tab.

      IPS Policy Connectivity is designed to have the least amount of false positives. That means it is not a "noisy" set of rules. That resulting set of rules is only going to trigger on significant events, so I'm not surprised you don't see a lot of alerts from it.

      It is strange that your Snort Shared Object (SO) rules are empty. There should be categories showing there, but they would be grayed-out like the Snort Text Rules.

        JonathanLee @bmeeks
        last edited by JonathanLee Nov 16, 2023, 4:06 AM Nov 16, 2023, 4:04 AM

        @bmeeks Screenshot_20231115-200351.png

        I just purchased a subscription today.

        What do I do to fix the SO rulesets?

        Make sure to upvote

          bmeeks @JonathanLee
          last edited by Nov 16, 2023, 4:32 AM

          @JonathanLee said in Snort and Paid Rule Subscriptions:

          What do I do to fix the SO rulesets?

          They should show up whether you have a paid subscriber or a free registered subscriber license.

          The Shared Object rule category files all have .so.rules as their filename suffix. They will be stored in the same master rules directory as the regular text rules. That should be /usr/local/etc/snort/rules/.

          Are any *.so.rules files present in the master rules directory? Are you doing anything with a script that might be altering the filenames in the master rules directory?

            JonathanLee @bmeeks
            last edited by JonathanLee Nov 16, 2023, 4:47 AM Nov 16, 2023, 4:46 AM

            @bmeeks

            So I have no SO files? I am not altering any rules. I have never seen the SO rules, ever. I have an SG2100; is that the issue, because I can't run inline mode?

            Screenshot_20231115-204533.png

            Make sure to upvote

              JonathanLee
              last edited by Nov 16, 2023, 6:56 AM

              I opened a Redmine for the missing rules.

              Make sure to upvote

                bmeeks @JonathanLee
                last edited by bmeeks Nov 16, 2023, 2:17 PM Nov 16, 2023, 2:14 PM

                @JonathanLee said in Snort and Paid Rule Subscriptions:

                I opened a Redmine for the missing rules.

                A Redmine is totally inappropriate in this case. The problem is specific to your box and configuration. This is not a global issue.

                It just now dawned on me why you do not have the rules. It's because your hardware is ARM-based. The SO rules come precompiled for AMD64 hardware only. Since your firewall does not have an AMD64 processor, those rules cannot work and the package thus excludes them. It is perfectly normal and expected that the SO rules are not available on non-Intel hardware platforms.

                I did not know what type of hardware you had until I saw your reply to the Snort Signal 11 Redmine. That's why it is very important to include your hardware description when posting with questions or issues.
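A small diagnostic for the two checks raised in this exchange, added here as an example and not from the thread or the pfSense Snort package: it counts `*.so.rules` files in the master rules directory and reports whether the CPU is one that precompiled Shared Object rules exist for (amd64 only). The `RULES_DIR` override, the `uname -m` normalisation table and the file names used in testing are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or the pfSense Snort package).
# Checks whether any *.so.rules files exist in the master rules directory
# and whether the CPU is one Snort VRT ships precompiled SO rules for.
RULES_DIR="${RULES_DIR:-/usr/local/etc/snort/rules}"

# Map the various spellings of `uname -m` to one label (assumed table).
norm_arch() {
    case "$1" in
        amd64|x86_64)   echo amd64 ;;
        arm64|aarch64)  echo arm64 ;;
        armv6*|armv7*)  echo arm ;;
        *)              echo "$1" ;;
    esac
}

# SO rules are precompiled for amd64 only; everything else is excluded.
so_rules_support() {
    case "$(norm_arch "$1")" in
        amd64) echo supported ;;
        *)     echo unsupported ;;
    esac
}

# Count *.so.rules files directly under a rules directory (0 if missing).
count_so_rules() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -name '*.so.rules' | wc -l | tr -d ' '
}

# One-line verdict from an architecture string and a file count.
verdict() {
    if [ "$(so_rules_support "$1")" = unsupported ]; then
        echo "expected: no SO rules on $1 (precompiled for amd64 only)"
    elif [ "$2" -eq 0 ]; then
        echo "unexpected: amd64 host but no *.so.rules present; check the UPDATES tab"
    else
        echo "ok: $2 *.so.rules file(s) found"
    fi
}

main() {
    arch="$(uname -m)"
    n="$(count_so_rules "$RULES_DIR")"
    echo "arch=$arch rules_dir=$RULES_DIR so_rules=$n"
    verdict "$arch" "$n"
}

main
```

On an SG-2100 the report is expected to end with the "expected: no SO rules" line; on an amd64 box with a working subscription it should list a non-zero count.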

                  JonathanLee @bmeeks
                  last edited by Nov 16, 2023, 3:24 PM

                  @bmeeks sorry I did not know that.

                  Make sure to upvote

                    JonathanLee
                    last edited by Nov 16, 2023, 11:11 PM

                    I opened a feature request

                    https://redmine.pfsense.org/issues/14997

                    Feature Request: Snort *.so.rules should also function on ARM architecture processors as Netgate sells appliances with ARM processors.

                    Maybe one day it will work with the RISC.

                    Make sure to upvote

                      bmeeks @JonathanLee
                      last edited by bmeeks Nov 16, 2023, 11:26 PM Nov 16, 2023, 11:14 PM

                      @JonathanLee said in Snort and Paid Rule Subscriptions:

                      I opened a feature request

                      https://redmine.pfsense.org/issues/14997

                      Feature Request: Snort *.so.rules should also function on ARM architecture processors as Netgate sells appliances with ARM processors.

                      Maybe one day it will work with the RISC.

                      Jonathan, this is a pointless request that will never happen. pfSense does not control Snort at all. At best you should post this request on the Snort VRT mailing list. But I can already tell you it will be ignored there, as Snort 2.9.x is on the way to being deprecated in favor of Snort3. This is the equivalent of asking Microsoft to make Windows run natively on Mac hardware, or asking Apple to make MacOS run on vanilla Intel hardware.

                      Here is a thread direct from the Snort mailing list where they state they do not compile the shared object rules for ARM: https://seclists.org/snort/2013/q2/1219. Because Snort VRT does not provide Shared Object pre-compiled rules for ARM hardware, they are automatically "turned off" in ARM hardware environments like the SG-2100. If you want to use these rules, move your installation to an Intel-based CPU platform.

                        JonathanLee @bmeeks
                        last edited by JonathanLee Nov 17, 2023, 3:34 AM Nov 16, 2023, 11:42 PM

                        @bmeeks Dang, I was hoping to get traction on this, and that post looks old. Maybe this is a next-generation software programming thing, you know, where the next generation of programmers start to fix some of the cross-platform issues once they start working? Who knows. I can tell you ARM is amazing; look at the Raspberry Pi 5. ARM is not going away any time soon. The Raspberry Pi 5 is 2x as powerful as the Generation 4B. It's the future; we can't avoid it. Have you seen the Oracle supercomputer built entirely with Raspberry Pis? It's astonishing.

                        Make sure to upvote

                          mcury @JonathanLee
                          last edited by Nov 16, 2023, 11:47 PM

                          @JonathanLee said in Snort and Paid Rule Subscriptions:

                          I can tell you ARM is amazing; look at the Raspberry Pi 5

                          I'm going to get one for me, 8GB variant... It is not selling here yet, waiting...

                          dead on arrival, nowhere to be found.

                            JonathanLee @mcury
                            last edited by Nov 17, 2023, 3:35 AM

                            @mcury I am going to get one to test items with soon. I have the 4B; it even has 64-bit options.

                            Make sure to upvote

                              mcury @JonathanLee
                              last edited by Nov 17, 2023, 11:04 AM

                              @JonathanLee said in Snort and Paid Rule Subscriptions:

                              @mcury I am going to get one to test items with soon. I have the 4B; it even has 64-bit options.

                              I have a Raspberry Pi 3B; it has only 1GB of RAM, so it is constantly running on swap.
                              It is running a samba-ad-dc, freeradius, an apache2 server with php and ssl, and a unifi controller. It is too much for it, hehe.
                              I also have a Raspberry Pi 4 with 4GB that I'm using for a Graylog server, but unfortunately Graylog loves RAM and 4GB is not enough.

                              So my plan is to move the Graylog server to a Raspberry Pi 5 8GB, move everything that is running on the Raspberry Pi 3 to the Raspberry Pi 4, and then install KVM on the Raspberry Pi 3B.
                              I'll use KVM to manage my computer through tailscale; I'll be able to turn it off and choose what OS I'll boot, Linux or Windows, as I desire.

                              dead on arrival, nowhere to be found.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.