Netgate Discussion Forum
    Some questions from a beginner

    IDS/IPS
    • M2x78

      Hello.

      I have some questions about the Snort Package.

      I bought a business license on the website www.snort.org.

      I am currently using Snort on WAN interface in legacy mode with “IPS Policy Security” setting.

      My question is, how do the policies differ between the Free, Personal and Business license? Are there more policies available to the user with the Business license and if so, how do I recognize this in “IPS Policy Security”?

      • kiokoman @M2x78

        @M2x78
        Rules are available 30 days faster than for registered users.
        idk, but I suppose that your Snort Oinkmaster Code permits you to download a different file from the one available to the free users.

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • bmeeks @M2x78

          @M2x78 said in Some questions from a beginner:

          My question is, how do the policies differ between the Free, Personal and Business license? Are there more policies available to the user with the Business license

          The available IPS policy metadata is the same among all the rules subscriptions. The only difference between a paid personal subscription and a paid business subscription is the price. The Snort VRT wants more money from commercial use of their rules. The actual file downloaded is identical for both subscription packages.

          The "free" registered user rules are at a minimum 30 days older than the paid rules. Stated another way, when a new exploit emerges and the Snort VRT creates a new rule to address that exploit, the new rule will immediately appear in the paid subscription package. But that new rule will not show up in the free package until a minimum of 30 days AFTER it first appeared in the paid package.

          • kiokoman @bmeeks

            @bmeeks
            but I can see different file names available for registered and subscriber users. I may be wrong, but from what I can see these are the files:

            registered: snortrules-snapshot-29161.tar.gz

            subscription: snortrules-snapshot-29181.tar.gz

            • bmeeks @kiokoman

              @kiokoman said in Some questions from a beginner:

              @bmeeks
              but I can see different file names available for registered and subscriber users. I may be wrong, but from what I can see these are the files:

              registered: snortrules-snapshot-29161.tar.gz

              subscription: snortrules-snapshot-29181.tar.gz

              Neither of those file versions will work with the current Snort version in pfSense. Snort is currently the 2.9.20 version and that requires a 2.9.20 rules package. Snort's binary version and the corresponding rules version are locked together, and the Snort binary will refuse to load any rules package that is not the same version as the binary.

              I don't know where you are seeing those rule versions, but they are not currently being used by the pfSense Snort binary.

              What determines which particular file you download during a rules update is the Oinkcode. The user's Oinkcode is sent along as part of the download URL link, and the Snort server uses the Oinkcode to determine whether you are a paid user or a free registered user. It then sends back the corresponding file, but the version will always be the same as the underlying Snort binary -- so, 2.9.20 at this time (the filename will be snortrules-snapshot-29200.tar.gz).

              • kiokoman @bmeeks

                @bmeeks
                What about Suricata, is it the same file? snortrules-snapshot-29200.tar.gz?

                • bmeeks @kiokoman

                  @kiokoman said in Some questions from a beginner:

                  @bmeeks
                  What about Suricata, is it the same file? snortrules-snapshot-29200.tar.gz?

                  Suricata is not tied to any specific rules version. And in fact, Suricata is really not designed to be 100% compatible with Snort rules. Most of them work, but quite a few (several hundred) do not due to the differences in keyword syntax between Suricata and Snort.

                  With the Suricata package, users are free to download and install any Snort rules version they desire so long as it is compatible with the 2.9.x branch of Snort. You cannot use any Snort3 rules with Suricata. That will break the installation of the package quite badly! But you can use the 29161, 29181, or 29200 Snort rules package with Suricata. It is only the Snort binary that is locked to specifically matching rules versions.

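The two constraints bmeeks describes above (the Snort binary refusing any rules package whose version differs from its own, and Suricata accepting any 2.9.x Snort package but not a Snort 3 one) can be checked before a rules update is applied. The script below is an added example written for this thread; it is not code from the pfSense Snort or Suricata packages or from snort.org. It decodes the version code in a `snortrules-snapshot-NNNNN.tar.gz` filename (29200 is 2.9.20.0, 29181 is 2.9.18.1), compares it with the version printed by `snort -V`, and reports whether Snort and Suricata would take the package. Assumptions: the `snort -V` banner line is a constructed sample, the 4-digit code for a Snort 3 package (`3000`) is a hypothetical name used only to show the rejection path, and the download URL follows the `https://www.snort.org/rules/<file>?oinkcode=<code>` form. Because the Oinkcode travels in the URL it is a credential, so the example also redacts it before the URL is logged.

```python
import re
from typing import NamedTuple, Optional


class RulesVersion(NamedTuple):
    """Four-part Snort version, e.g. 2.9.20.0 (major, minor, patch, build)."""
    major: int
    minor: int
    patch: int
    build: int


_SNAPSHOT_RE = re.compile(r"^snortrules-snapshot-(\d+)\.tar\.gz$")
_BINARY_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_snapshot_version(filename: str) -> Optional[RulesVersion]:
    """Decode the version code in a snortrules-snapshot-NNNNN.tar.gz name.

    Snort 2.9.x packages use a 5-digit code M m PP b, so 29200 -> 2.9.20.0
    and 29181 -> 2.9.18.1.  A 4-digit code is treated as a Snort 3 package
    (assumption for this example only, e.g. 3000 -> 3.0.0.0).
    """
    m = _SNAPSHOT_RE.match(filename)
    if not m:
        return None
    code = m.group(1)
    if len(code) == 5:
        return RulesVersion(int(code[0]), int(code[1]), int(code[2:4]), int(code[4]))
    if len(code) == 4:
        return RulesVersion(int(code[0]), int(code[1]), int(code[2]), int(code[3]))
    return None


def parse_binary_version(snort_v_output: str) -> Optional[RulesVersion]:
    """Pull the running version out of `snort -V` output; a missing fourth
    component (e.g. "2.9.20") is treated as build 0."""
    m = _BINARY_RE.search(snort_v_output)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return RulesVersion(int(major), int(minor), int(patch), int(build or 0))


def snort_accepts(binary: RulesVersion, rules: RulesVersion) -> bool:
    """Snort 2 refuses any rules package whose version differs from the binary."""
    return binary == rules


def suricata_accepts(rules: RulesVersion) -> bool:
    """Suricata is not version-locked, but only 2.9.x Snort packages are usable;
    a Snort 3 package breaks the pfSense Suricata package install."""
    return rules.major == 2 and rules.minor == 9


def download_url(filename: str, oinkcode: str) -> str:
    """snort.org download link; the Oinkcode rides along as a query parameter."""
    return f"https://www.snort.org/rules/{filename}?oinkcode={oinkcode}"


def redact_oinkcode(url: str) -> str:
    """The Oinkcode is a credential: strip it before the URL lands in a log."""
    return re.sub(r"(oinkcode=)[^&]+", r"\1<redacted>", url)


def check_package(filename: str, snort_v_output: str) -> dict:
    """Summarise whether a package is usable by the given Snort binary and by Suricata."""
    rules = parse_snapshot_version(filename)
    binary = parse_binary_version(snort_v_output)
    if rules is None or binary is None:
        return {"file": filename, "recognised": False, "snort_ok": False, "suricata_ok": False}
    return {
        "file": filename,
        "recognised": True,
        "rules_version": ".".join(map(str, rules)),
        "binary_version": ".".join(map(str, binary)),
        "snort_ok": snort_accepts(binary, rules),
        "suricata_ok": suricata_accepts(rules),
    }


# Constructed sample of the `snort -V` banner (the build number is made up).
SAMPLE_SNORT_V = "   ,,_     -*> Snort! <*-\n  o\"  )~   Version 2.9.20 GRE (Build 82) FreeBSD\n"

if __name__ == "__main__":
    for name in ("snortrules-snapshot-29161.tar.gz",
                 "snortrules-snapshot-29181.tar.gz",
                 "snortrules-snapshot-29200.tar.gz",
                 "snortrules-snapshot-3000.tar.gz"):   # hypothetical Snort 3 name
        print(check_package(name, SAMPLE_SNORT_V))
    print(redact_oinkcode(download_url("snortrules-snapshot-29200.tar.gz", "EXAMPLE-OINKCODE")))
```

Run against a 2.9.20 binary, the 29161 and 29181 packages from the thread come back `snort_ok: False` but `suricata_ok: True`, 29200 passes both, and the hypothetical Snort 3 package fails both, which is exactly the split bmeeks describes. On a real box, feed `check_package` the output of `snort -V` instead of the constructed banner.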
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.