Using Only Emerging Threat Rules with Snort (No Sourcefire Rules): A Guide
-
I am posting this guide because I searched the forum and did a bit of searching over the last few days and couldn't find an answer to this question anywhere.
I just want to say that YES, it is possible to use ONLY the Emerging Threat rules with Snort on pfSense. I am currently on 1.2.2. I do not use the Sourcefire VRT rules, nor is an Oink Code needed. There are reasons a person may not want to use the VRT rules, so I am offering an alternative.
Installing Emerging Threat Rules on PfSense
Step 1: Download and install WinSCP from the following link. http://winscp.net/eng/index.php
We will need WinSCP later.
Step 2: Go to Emerging Threats web site http://www.emergingthreats.net/ and download the rules (the file you want to download is emerging.rules.tar.gz)
Step 3: If you haven't already done so, Add the Snort Package to Your PfSense.
Step 4: On the Snort settings page on your pfSense, ensure that ONLY the following boxes are checked:
Automatically Block Offenders
Associate Events on the Blocked Tab
Also, the Performance option should be set to ac-bfna.
Save the settings.
Step 5: Extract the emerging.rules.tar.gz file to a folder of your choosing. Once this is done, proceed to the next step.
Note: you can use 7-Zip on Windows to extract the emerging.rules.tar.gz file: http://www.7-zip.org/
Step 6: Enable SSH on your pfSense box. This will be temporary. This is done under System -> Advanced: put a check in Enable Secure Shell and click Save.
Step 7: Use WinSCP to log in to your pfSense box (I prefer using the Norton Commander interface in WinSCP as I find it's easier to use, but this is personal preference).
Step 8: In WinSCP navigate to the following folder on your PfSense Box /usr/local/etc/snort/rules
Step 9: Using WinSCP, copy the individual Emerging Threat rules files into the /usr/local/etc/snort/rules folder. Copying the folder that contains the rules into that directory will not work.
Note: The individual rules files MUST sit directly under /usr/local/etc/snort/rules. A nested layout such as /usr/local/etc/snort/rules/rules will not work; Snort will not pick up rules files from a subfolder.
Step 10: Once the rules are copied, close WinSCP.
Step 11: Go to Diagnostics and then Command on the pfSense web interface.
On the Diagnostics page, in the box that says Execute Shell Command, type sync and click Execute three times. This is for good measure, to ensure the Emerging Threats files written to the disk are picked up.
Step 12: On the Diagnostics page, under PHP Execute, type apc_clear_cache(); and click Execute.
Step 13: Go to System -> Advanced, remove the check from Enable Secure Shell and click Save.
Step 14: Go to the Snort Settings Tabs and Click on the "Categories" Tab.
All the Emerging Threats categories will now be listed, even for those who don't have an Oink Code.
Choose the categories you wish to use. For reference, I am using the following Emerging Threats rules with no problems on pfSense 1.2.2 with the latest pfSense Snort package:
emerging-attack_response.rules
emerging-botcc.rules
emerging-compromised.rules
emerging-dos.rules
emerging-drop.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-inappropriate.rules
emerging-malware.rules
emerging-p2p.rules
emerging-rbn.rules
emerging-scan.rules
emerging-tor.rules
emerging-virus.rules
emerging-voip.rules
emerging-web.rules
emerging-web_sql_injection.rules
emerging.rules
Once you have chosen the categories you want, click Save, then click the Settings tab, choose the WAN interface and click Save.
Now if you want to update the rules, all you have to do is download and extract them, use WinSCP to copy them onto your pfSense box, issue the sync command three times and apc_clear_cache(); on the Diagnostics page, and save your Snort settings, and you're done.
The apc_clear_cache(); and sync commands are issued to prevent you from having to reboot your pfSense box. I have found pfSense won't recognize the updates until you issue the sync command three times and then the apc_clear_cache(); PHP command.
Your mileage may vary there. Following the above guide will allow one to use the Emerging Threats Rules as the base of their Snort rules without having to use the VRT rules or registering with snort.org or getting an OinkCode.
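Steps 5 through 12 above, and the update note that repeats them, come down to one repeatable procedure: unpack the tarball, put every .rules file directly into /usr/local/etc/snort/rules (not into a nested rules/ folder), and sync so the files are on disk before Snort is reloaded. The script below is an added example, not code from the original post or from the pfSense Snort package. It assumes the tarball path and the rules directory are passed as arguments, the function names are assumed, and it locates .rules files with find so it works whether or not the archive carries a rules/ subfolder. It also includes a check that catches the rules/rules/ mistake from Step 9. The apc_clear_cache(); step runs as PHP from the Diagnostics page and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post or the pfSense Snort package):
# stage Emerging Threats rules files into the Snort rules directory as
# Steps 5-12 describe. Assumed interface: TARBALL and RULES_DIR are given
# as arguments. apc_clear_cache() is a PHP step and is not run here.

# install_et_rules TARBALL RULES_DIR
# Extracts TARBALL into a scratch directory, copies every *.rules file
# flat into RULES_DIR (basename only, so nothing lands in rules/rules/),
# runs sync three times, and prints the number of rule files installed.
install_et_rules() {
    tarball="$1"
    rules_dir="$2"
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    mkdir -p "$rules_dir"
    scratch=$(mktemp -d)
    tar -xzf "$tarball" -C "$scratch"
    # find handles both a flat archive and one with a rules/ subfolder.
    count=$(find "$scratch" -type f -name '*.rules' | wc -l | tr -d ' ')
    # cp into a directory keeps only the file name, flattening the layout.
    find "$scratch" -type f -name '*.rules' -exec cp -f {} "$rules_dir/" \;
    rm -rf "$scratch"
    # Step 11 of the post: sync three times so the new files are on disk.
    sync; sync; sync
    echo "$count"
}

# check_rules_flat RULES_DIR
# Returns 0 when no .rules file sits in a subdirectory of RULES_DIR, which
# is the layout pfSense's Snort package expects; returns 1 and lists the
# offending files otherwise (the rules/rules/ mistake from Step 9).
check_rules_flat() {
    rules_dir="$1"
    nested=$(find "$rules_dir" -mindepth 2 -type f -name '*.rules')
    if [ -n "$nested" ]; then
        echo "rule files in a subfolder will not be picked up:" >&2
        echo "$nested" >&2
        return 1
    fi
    return 0
}

# count_rules FILE
# Number of active rule lines (alert/drop/log/pass), ignoring comments and
# blank lines; handy for confirming a category file is not empty.
count_rules() {
    grep -c -E '^[[:space:]]*(alert|drop|log|pass)' "$1"
}

# Stand-alone use: sh install_et_rules.sh emerging.rules.tar.gz /usr/local/etc/snort/rules
if [ "$#" -eq 2 ]; then
    n=$(install_et_rules "$1" "$2") && check_rules_flat "$2" \
        && echo "installed $n rule files into $2"
fi
```

Run it on the pfSense box over the temporary SSH session from Step 6, pointing it at the downloaded tarball and /usr/local/etc/snort/rules; if you would rather copy with WinSCP as the guide does, check_rules_flat on its own is a quick way to confirm nothing ended up one level too deep before you go to the Categories tab.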
I fiddled around with this because the VRT rules are just too big (77MB and growing); it's just too much. I have also begun contributing to the Emerging Threats community, submitting Snort rules I have written, so it feels good to give back, and I wanted to let pfSense users know they can use them without the VRT rules if they want to.
Hope this guide helps someone out there.