Snort rules order
-
@Antibiotic said in Snort rules order:
@bmeeks said in Snort rules order:
Emerging Threats rules
But what about Emerging Threats rules in Snort? Are they working well, or is there the same syntax problem as with Snort rules in Suricata?
In one of our previous conversations I said Emerging Threats created a special set of rules for Suricata. When you enable those in the Suricata package, it automatically downloads the correct set of ET rules for Suricata.
Similarly for Snort, Emerging Threats produces a set of rules tailored for Snort. When you enable ET rules in Snort, the package automatically downloads the matching set.
That is not the case for Snort VRT rules. The Snort VRT and Suricata (OISF) are basically competitors like Microsoft versus Apple. They do not go out of their way to "support" each other. Snort could care less if their rules work on Suricata or not. They see Suricata as a competitor, not as a friendly platform they want to support. And conversely, the Suricata developer team has zero interest in making sure their product supports every Snort rule syntax.
-
@bmeeks But is Snort more integrated in pfSense than Suricata? Any profit, or doesn't it matter, except for multithreading?
-
@Antibiotic said in Snort rules order:
@bmeeks But is Snort more integrated in pfSense than Suricata? Any profit, or doesn't it matter, except for multithreading?
I do not understand your question. What do you mean by "more integrated" and "any profit"?
The translation to English does not appear to be working well.
-
@bmeeks I mean, is Suricata also as well tested as Snort before being put into the pfSense repo? You are doing Snort. Who is making Suricata for pfSense?
-
@Antibiotic said in Snort rules order:
@bmeeks I mean, is Suricata also as well tested as Snort before being put into the pfSense repo?
I created the Suricata package on pfSense, and I have maintained the Snort package for more than 10 years. There is no difference in testing for either package. In fact, the GUI portions of both packages are in many cases identical since they share the same PHP code base.
Both rely on custom plugins used for blocking on pfSense, and both have underlying binary components provided by an upstream source.
I still don't really understand your question.
-
@bmeeks Ah, OK)) Clear now.
-
@bmeeks Emerging Threats Pro rules are too expensive)))
-
@bmeeks But does Snort have JA3 fingerprint detection and dropping functionality, or JA4?
-
@bmeeks Hello again!
Now I did dropsid for some rules and it's working. But how do I make the drop action for a whole category? Let's say category emerging-ja3.rules: I want the drop action for the whole category. The numbers are not in order, and clicking through the whole category takes too long, or making dropsid with different numbers. Is it possible to make the drop action for a whole category? Suricata
-
@Antibiotic said in Snort rules order:
@bmeeks Hello again!
Now I did dropsid for some rules and it's working. But how do I make the drop action for a whole category? Let's say category emerging-ja3.rules: I want the drop action for the whole category. The numbers are not in order, and clicking through the whole category takes too long, or making dropsid with different numbers. Is it possible to make the drop action for a whole category? Suricata
Go read this Sticky Post at the top of this sub-forum: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata.
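To illustrate the category-wide drop the question asks about, here is an added, stand-alone example (not the pfSense package's own code and not from the linked post): it applies a dropsid-style list, which may name individual SIDs or an entire category file, to Suricata rule text and rewrites every selected `alert` rule to `drop`. The rule lines, the category file names and the list contents are constructed for the example.

```python
import re

# Constructed sample rule files, keyed by category file name (not real ET rules).
RULE_FILES = {
    "emerging-ja3.rules": [
        'alert tls any any -> any any (msg:"JA3 sample A"; ja3.hash; content:"aaaa"; sid:2028001; rev:1;)',
        'alert tls any any -> any any (msg:"JA3 sample B"; ja3.hash; content:"bbbb"; sid:2028002; rev:1;)',
    ],
    "emerging-scan.rules": [
        'alert tcp any any -> any any (msg:"SCAN sample A"; flags:S; sid:2000001; rev:1;)',
        'alert tcp any any -> any any (msg:"SCAN sample B"; flags:S; sid:2000002; rev:1;)',
    ],
}

# Constructed dropsid-style list: one whole category plus one individual SID.
DROPSID_CONF = """
# whole category: every rule in this file becomes drop
emerging-ja3.rules
# a single rule by gid:sid (gid is assumed to be 1 here)
1:2000001
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_dropsid(text):
    """Split a dropsid-style list into category file names and a set of SIDs."""
    categories, sids = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith(".rules"):           # category entry: whole file
            categories.add(line)
        else:                                 # "gid:sid" or bare "sid"
            sids.add(int(line.rsplit(":", 1)[-1]))
    return categories, sids

def apply_drop(rule_files, dropsid_text):
    """Return a copy of rule_files with each selected 'alert' rule rewritten to 'drop'."""
    categories, sids = parse_dropsid(dropsid_text)
    out = {}
    for fname, rules in rule_files.items():
        out[fname] = []
        for rule in rules:
            sid = int(SID_RE.search(rule).group(1))
            if rule.startswith("alert ") and (fname in categories or sid in sids):
                rule = "drop " + rule[len("alert "):]
            out[fname].append(rule)
    return out
```

Only rules that are actually enabled and loaded by the engine can be switched this way; a rule selected for drop but disabled elsewhere stays disabled.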