Is there a rule set similar to Snort Open App ID in Suricata?
-
Is there a ruleset similar to Snort Open App ID in Suricata?
There is a set of "app-layer-events.rules", but it doesn't give an app name.
It gives a very general warning that "SURICATA Applayer Detect protocol is only in one direction". This is not explanatory at all. I want to see the application name, for example "Teamviewer". What do experts think about this?
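Suricata does not emit an application name the way OpenAppID does, but its EVE JSON log does record what its own parsers recognised: the `app_proto` field on flow and alert events (values such as `tls`, `http`, `ssh`, or `failed` when detection gave up) and the server name in `tls.sni` for TLS flows. The script below, added here as an illustration and not part of this thread or of Suricata, reads a few constructed eve.json lines and summarises what the sensor could and could not identify; the flow where detection failed is exactly the kind of traffic that trips the app-layer-events rules. The log lines are made up for the example, and the helper names are my own.

```python
"""Summarise what Suricata's app-layer detection recognised, from EVE JSON.

Added example (not from the forum thread, not Suricata's own code).
It assumes the documented EVE fields `event_type`, `flow_id`, `app_proto`
and `tls.sni`; the sample records are constructed, not a real capture.
"""
import json
from collections import Counter

# Constructed sample EVE records, one JSON object per line as Suricata writes them.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","app_proto":"tls"}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":1,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","tls":{"sni":"example.com","version":"TLS 1.3"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":2,"event_type":"flow","src_ip":"10.0.0.6","dest_ip":"198.51.100.7","dest_port":22,"proto":"TCP","app_proto":"ssh"}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":3,"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.8","dest_port":5938,"proto":"TCP","app_proto":"failed"}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":4,"event_type":"alert","src_ip":"10.0.0.8","dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"signature":"SURICATA Applayer Detect protocol only one direction"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def summarize_app_protos(records):
    """Count how often each detected app-layer protocol appears.

    `app_proto` is present on flow and alert events; "failed" means Suricata's
    protocol detection could not classify the flow at all.
    """
    counts = Counter()
    for rec in records:
        proto = rec.get("app_proto")
        if proto:
            counts[proto] += 1
    return dict(counts)


def flows_by_sni(records):
    """Map flow_id -> TLS server name from tls events.

    Without AppID, the SNI is the closest thing to an application name that
    a Suricata sensor sees on encrypted traffic (and ECH would hide even that).
    """
    return {
        rec["flow_id"]: rec["tls"]["sni"]
        for rec in records
        if rec.get("event_type") == "tls" and "sni" in rec.get("tls", {})
    }


def unidentified_flows(records):
    """Return (flow_id, dest_ip, dest_port) for flows the app-layer parsers could not classify.

    These are the flows where only IP/port information remains actionable,
    and where the app-layer-events rules tend to fire.
    """
    return [
        (rec["flow_id"], rec["dest_ip"], rec["dest_port"])
        for rec in records
        if rec.get("event_type") == "flow"
        and rec.get("app_proto") in (None, "failed", "unknown")
    ]


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    print("app_proto counts:", summarize_app_protos(recs))
    print("TLS SNI per flow:", flows_by_sni(recs))
    print("unclassified flows:", unidentified_flows(recs))
```

Run it against a real `/var/log/suricata/eve.json` by replacing `SAMPLE_EVE` with the file contents; the three functions give a quick picture of which protocols the sensor named, which TLS destinations were visible by SNI, and which flows it could not classify at all.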
-
@enesas
unfortunately not:
https://forum.netgate.com/post/895781
-
@slu While I was researching before writing here, I saw this message, but it was from 2020. I thought maybe this feature had been introduced recently.
-
Not having this is a big deficiency for me. In this case, do you think there are any different advantages that would require staying in Suricata?
-
@enesas said in Is there a rule set similar to Snort Open App ID in Suricata?:
Not having this is a big deficiency for me. In this case, do you think there are any different advantages that would require staying in Suricata?
Suricata is multi-threaded while Snort on pfSense is not. The Snort package on pfSense is based on the 2.9.x version of the Snort binary. That will be deprecated at some point in the future by upstream as Talos/Cisco has now developed and is pushing the new Snort3 binary (which is multi-threaded). But the new binary is a quite radical departure from the old version and requires a complete rewrite of all the Snort bits as currently used on pfSense. There are no plans to do that. So, when upstream finally officially deprecates and declares the Snort 2.9.x branch as end-of-life, Snort will cease to exist as a pfSense package.
Suricata is currently seen as the way forward for IDS/IPS on pfSense. But to be perfectly honest, the widespread adoption of end-to-end encryption for network traffic is spelling the slow death of perimeter IDS/IPS technology (meaning IDS/IPS on the firewall or edge device). The only viable solution in the face of such encrypted traffic is a man-in-the-middle proxy configuration, and that brings a whole host of other issues into play (and most of them are not good).
-
@bmeeks It was a very descriptive answer. Let me continue to stay in snort, at least until the scenarios you mentioned come true. I preferred snort because it allowed me to restrict/block at the application layer. If only we could do this easily in suricata :( If pfsense produces a solution at the application layer in the future, then the problem will be eliminated. Really, why doesn't Pfsense switch to UTM? Doesn't the change in security layers you mentioned gradually push pfsense into the background? How far can layer 3 go? (Without pfblockerng and snort/suricata / ntopng, pure pfsense looks like a normal router. Am I wrong?) I think pfsense should make a radical revolution and provide application layer support by default.
-
@enesas said in Is there a rule set similar to Snort Open App ID in Suricata?:
I think pfsense should make a radical revolution and provide application layer support by default.
The problem with UTM is that someone must maintain the list of threats and distribute it. An analog is the maintenance of the pfBlockerNG block lists (the lists of IP addresses to block). Nobody is going to put a lot of effort into doing that work for no profit. The only way UTM works long-term is a paid subscription model. Not saying Netgate cannot do UTM, but I don't see Netgate providing any sort of "free" UTM product. Even now, the Snort AppID rules have not been updated in years. The list that gets downloaded was developed by a University professor and his graduate students in Brazil many years ago. The file is simply hosted on Netgate's server, but it is not updated. The rule stubs are updated by Cisco/Talos, but the text rules that perform the actual analysis and blocking are from that Brazil team - and those have not been updated in years.
Sure there are some "free" IP lists out there today, but they are really unreliable and not always well maintained. Just search through the posts here on the forum and you can quickly find lots of users posting with issues caused by faulty IP block lists -- usually in the form of false positives where some site or service is blocked when it should not be.
With end-to-end encryption and the push to ESNI and/or ECH, the only viable "blocking" option remaining will be simple lists of suspicious IP addresses which a firewall can block access to. There will be nothing actionable in the network traffic outside of protocol (TCP or UDP) and source and destination IP addresses and ports.
So, the TLDR version is simply "concentrate your security at the endpoints of communication (workstations, servers, and the like) and not so much at the perimeter or in transit".
-
@bmeeks said in Is there a rule set similar to Snort Open App ID in Suricata?:
The only way UTM works long-term is a paid subscription model. Not saying Netgate cannot do UTM, but I don't see Netgate providing any sort of "free" UTM product.
-
Can't this be done with pfsense plus at reasonable prices?
-
You said that rules are not updated in Snort, what about Suricata? Is it the same there?
While researching, I read that there are approximately 40 thousand rules in Suricata and 4 thousand in Snort. This is a huge difference. Does this mean that Suricata is more up-to-date or are there too many rules written due to its structure?
(Although the Suricata app ID part is not what I wanted.) There are many software experts in the world who support open source. I wish they would do a study to provide/update pfsense with UTM feature.
Or, UTM feature can be provided with an external plugin such as pfblockerng (I am grateful to its creators). Of course, free minds are needed for this!
-
@enesas said in Is there a rule set similar to Snort Open App ID in Suricata?:
You said that rules are not updated in Snort, what about Suricata? Is it the same there?
You misunderstood what I was saying there. I said the "Snort OpenAppID rules" were not updated. I said nothing about Suricata rules at all. Make sure you fully understand how OpenAppID in Snort works. It requires a combination of AppID rule stubs (Lua scripts, actually) and a set of text rules specifying which particular apps to look for. It's that second set of AppID text rules that is not being updated -- and this only applies to Snort because Suricata does not have OpenAppID.
@enesas said in Is there a rule set similar to Snort Open App ID in Suricata?:
While researching, I read that there are approximately 40 thousand rules in Suricata and 4 thousand in Snort.
I am not sure I agree with that count. I believe there are more than 4,000 rules available for Snort. Emerging Threats (aka Proofpoint) has two packages of very similar rules: one for Snort and the other for Suricata. Each package is customized because Snort and Suricata do not share all of the same keywords. They share many, but not all.
@enesas said in Is there a rule set similar to Snort Open App ID in Suricata?:
Can't this be done with pfsense plus at reasonable prices?
What is your definition of "reasonable prices"?
-
@bmeeks I may have misunderstood. Ok, I think I understand better now. - What I mean by reasonable fee is not a commercial marketing logic like other companies, but a fee that will cover expenses. Of course, this may be relative to everyone. For example, the prices are similar to the pfsense plus package right now.
Thank you also for taking the time to reply.
-
@bmeeks said in Is there a rule set similar to Snort Open App ID in Suricata?:
slow death of perimeter IDS/IPS technology (meaning IDS/IPS on the firewall or edge device)
but IDPS on internal segments is still very much a thing. So in theory, if you have internal firewalls (extranet facing, datacenter facing for example) I can see running an IPS solution.
-
@bmeeks said in Is there a rule set similar to Snort Open App ID in Suricata?:
The problem with UTM is that someone must maintain the list of threats and distribute it.
wait wait... I have to pay for the cool NGFW experience?!