Netgate Discussion Forum

Snort rules order

IDS/IPS | 34 Posts | 2 Posters | 3.1k Views
bmeeks @Antibiotic:

      @Antibiotic said in Snort rules order:

@bmeeks Ok, then is it possible to keep these rules off? How to find them?

      If you want to use the Snort rules package, then just ignore the errors. Suricata is not loading the rules. Other than the log message, there is no harm and no foul in terms of operability.

      You can disable rules by GID:SID, but personally I would not go to that amount of trouble. Just ignore the log errors.

Antibiotic @bmeeks:

@bmeeks Ok, thanks)))

pfSense plus 24.11 on Topton mini PC
CPU: Intel N100
NIC: Intel i-226v 4 pcs
RAM: 16 GB DDR5
Disk: 128 GB NVMe
Brgds, Archi

Antibiotic @bmeeks:

@bmeeks I will try to use Snort rules on Snort, and maybe one day Snort will become multithreaded on pfSense)))

Antibiotic @bmeeks:

            @bmeeks Hi,
How often is the Snort snapshot updated, I mean the period of time between releases? Or is it pushed to the public snapshot when ready? The last one is 29200; when should the next release be?

bmeeks @Antibiotic:

              @Antibiotic said in Snort rules order:

              @bmeeks Hi,
How often is the Snort snapshot updated, I mean the period of time between releases? Or is it pushed to the public snapshot when ready? The last one is 29200; when should the next release be?

              The Snort 2.9.x binary is effectively at end-of-life. It has been superseded for the most part by Snort3. But there is no effort at present to create a Snort3 package for pfSense. I tried at least two different times to create a Snort3 package and gave up very frustrated each time.

              Snort3 is the multithreaded variant of Snort. But it was completely rewritten from the ground up in C++, has a new and different plugin API, and uses Lua for conf files instead of plaintext like previous Snort versions. For these and several other reasons, I abandoned creating a Snort3 package for pfSense. So far as I know, no one else is working on such a package either. That means when the upstream Snort team officially pulls support for the legacy 2.9.x Snort branch, Snort will be effectively dead on pfSense.

              Suricata is the way forward on pfSense -- not Snort.

              To answer your question about Snort 2.9.x, the last update was over two years ago and that was the release of the 2.9.20 binary. Nothing has happened in that branch since then. Only the rules themselves are getting updated, but I suspect at some point in the future even that will cease. That means I doubt there will ever be an update past the 29200 rules version.

              You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.

Antibiotic @bmeeks:

@bmeeks So, please confirm: can I use the Snort3 rules snapshot on pfSense Suricata? Or can they not be used at all on pfSense (both Snort and Suricata)?

bmeeks @Antibiotic:

                  @Antibiotic said in Snort rules order:

@bmeeks So, please confirm: can I use the Snort3 rules snapshot on pfSense Suricata? Or can they not be used at all on pfSense (both Snort and Suricata)?

                  Did you not read what I just posted above? I've copied and pasted it again immediately below--

                  @bmeeks said in Snort rules order:

                  You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.

                  I tried to be as clear as possible. You CANNOT use Snort3 rules for anything on pfSense.

Antibiotic @bmeeks:

@bmeeks OK, now it's clear, but if I have the Snort Subscriber rules, not Registered, will IPS Policy Mode in Suricata for Snort rules work in auto drop? Connectivity, Balanced and Security?

bmeeks @Antibiotic:

                      @Antibiotic said in Snort rules order:

@bmeeks OK, now it's clear, but if I have the Snort Subscriber rules, not Registered, will IPS Policy Mode in Suricata for Snort rules work in auto drop? Connectivity, Balanced and Security?

                      Yes, but with the same caveat I mentioned earlier. Not all Snort rules have syntax that is compatible with Suricata. So, don't be surprised if a number of the Snort rules produce load errors and get ignored and not loaded by Suricata.

                      For example, if you choose IPS Policy Balanced, I would expect potentially a hundred or more Snort rules to generate syntax errors and be ignored and not loaded by Suricata. I don't recall the exact number. But I do know that if you select all Snort rules in Suricata, somewhere around 700 or more will not load due to syntax errors. This is expected behavior because like I said before, Suricata was developed for Emerging Threats rules and not Snort rules. Some Snort rules work, but that is more of a coincidence and not a design goal.

bmeeks @Antibiotic:

                        @Antibiotic said in Snort rules order:

if I have the Snort Subscriber rules, not Registered, will IPS Policy Mode in Suricata for Snort rules work in auto drop?

                        Registered versus Subscriber has absolutely nothing to do with IPS Policy metadata. The only difference in those two rules packages is the age of the included rules. No newly developed Snort rule will get put into the Registered User package until at least 30 days have passed since it was added to the Subscriber Rules package. That's what you pay for in the Subscriber Rules package -- newly released rules at the time they are created. In the free Registered User package, you don't get newly released rules until they are at a minimum 30 days old.

Antibiotic @bmeeks:

                          @bmeeks said in Snort rules order:

                          Emerging Threats rules

But what about Emerging Threats rules in Snort? Do they work well, or is there the same problem with syntax as with Snort rules in Suricata?

bmeeks @Antibiotic:

                            @Antibiotic said in Snort rules order:

                            @bmeeks said in Snort rules order:

                            Emerging Threats rules

But what about Emerging Threats rules in Snort? Do they work well, or is there the same problem with syntax as with Snort rules in Suricata?

                            In one of our previous conversations I said Emerging Threats created a special set of rules for Suricata. When you enable those in the Suricata package, it automatically downloads the correct set of ET rules for Suricata.

                            Similarly for Snort, Emerging Threats produces a set of rules tailored for Snort. When you enable ET rules in Snort, the package automatically downloads the matching set.

                            That is not the case for Snort VRT rules. The Snort VRT and Suricata (OISF) are basically competitors like Microsoft versus Apple. They do not go out of their way to "support" each other 🙂. Snort could care less if their rules work on Suricata or not. They see Suricata as a competitor - not as a friendly platform they want to support. And conversely, the Suricata developer team has zero interest in making sure their product supports every Snort rule syntax.

Antibiotic @bmeeks:

@bmeeks But is Snort more integrated in pfSense than Suricata? Any profit, or doesn't it matter, except multithreading?

bmeeks @Antibiotic:

                                @Antibiotic said in Snort rules order:

@bmeeks But is Snort more integrated in pfSense than Suricata? Any profit, or doesn't it matter, except multithreading?

                                I do not understand your question. What do you mean by "more integrated" and "any profit"?

                                The translation to English does not appear to be working well.

Antibiotic @bmeeks:

@bmeeks I mean, is Suricata also as well tested as Snort before being put into the pfSense repo? You are doing Snort; who is making Suricata for pfSense?

bmeeks @Antibiotic:

                                    @Antibiotic said in Snort rules order:

@bmeeks I mean, is Suricata also as well tested as Snort before being put into the pfSense repo?

                                    I created the Suricata package on pfSense, and I have maintained the Snort package for more than 10 years. There is no difference in testing for either package. In fact, the GUI portions of both packages are in many cases identical since they share the same PHP code base.

                                    Both rely on custom plugins used for blocking on pfSense, and both have underlying binary components provided by an upstream source.

                                    I still don't really understand your question.

Antibiotic @bmeeks:

@bmeeks Ah, ok)) clear now

Antibiotic @bmeeks:

@bmeeks Emerging Threats Pro rules are too expensive)))

Antibiotic @bmeeks:

@bmeeks But does Snort have JA3 or JA4 fingerprint detection and dropping functionality?

Antibiotic @bmeeks:

@bmeeks Hello again!
Now I did dropsid for some rules and it's working. But how to make the drop action for a whole category? Let's say the category emerging-ja3-rules: I want the drop action for the whole category.

The SID numbers are not in order, and clicking through the whole category takes too long, or making dropsid with different numbers. Is it possible to make the drop action for a whole category? Suricata

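An added example, not code from this thread or from the pfSense Snort/Suricata packages: a small Python parser that pulls the GID:SID pair out of every rule in a category file (the "disable by GID:SID" bmeeks mentions earlier) and that rewrites every enabled rule's action to drop, which is what a per-category drop amounts to at the rule-file level. The sample category file and its SIDs are constructed placeholders, not real Emerging Threats JA3 rules; a rule without an explicit gid is treated as gid 1, which is the Snort/Suricata default.

```python
import re

# Constructed sample category file (not real ET rules); SIDs are placeholders.
SAMPLE_RULES = """\
# emerging-ja3.rules (constructed sample for illustration)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE JA3 hash A"; ja3.hash; content:"0000000000000000000000000000000a"; sid:9000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE JA3 hash B"; ja3.hash; content:"0000000000000000000000000000000b"; gid:1; sid:9000002; rev:2;)
# alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE disabled"; ja3.hash; content:"0000000000000000000000000000000c"; sid:9000003; rev:1;)
"""

# One rule line: optional leading '#' (rule disabled), action keyword, header, then options in parentheses.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject|log)\s+(?P<header>.*?)\((?P<opts>.*)\)\s*$')
# gid:/sid: options only where they start an option (after ';' or at the start), not inside msg text.
OPT_RE = re.compile(r'(?:^|;)\s*(gid|sid):\s*(\d+)')


def parse_rules(text):
    """Return one dict per rule line: enabled flag, action, gid (default 1) and sid."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments carry no rule
        opts = dict(OPT_RE.findall(m.group('opts')))
        if 'sid' not in opts:
            continue  # a rule without a sid cannot be addressed by GID:SID
        rules.append({
            'enabled': m.group('off') is None,
            'action': m.group('action'),
            'gid': int(opts.get('gid', 1)),
            'sid': int(opts['sid']),
        })
    return rules


def dropsid_entries(text):
    """GID:SID entries, one per enabled rule in the category, in the form a SID drop list uses."""
    return [f"{r['gid']}:{r['sid']}" for r in parse_rules(text) if r['enabled']]


def set_action(text, action='drop'):
    """Rewrite the action keyword of every enabled rule (e.g. alert -> drop); disabled rules stay as-is."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group('off') is None:
            line = line.replace(m.group('action'), action, 1)  # action keyword is the first word
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(dropsid_entries(SAMPLE_RULES))
    print(set_action(SAMPLE_RULES))
```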