Netgate Discussion Forum
    Snort Rules (IDS/IPS)
    siil-it

      I've got a Netgate device with Snort VRT rules applied along with ET and OpenAppID.

      Initially I went with the IPS Policy Selection so I could have a play with both the "Connectivity" and "Balanced" settings, but after a week of monitoring we need somewhere between the two (users complained too much when I totally blocked their social media access)!

      With the IPS Policy unticked, I've started to play with the different rulesets and found an issue. I'm seeing the following rulesets:
      Snort GPLv2 Community
      ET Open Rules
      Snort Text Rules
      Snort SO Rules
      Snort OpenAppI

      I'm unable to select any of the Snort SO Rules! If I do tick them, they don't survive the save. Is there something else I need to be configuring on the system for these rules to work?

      bmeeks @siil-it

        @siil-it
        If you have an SG-3100 or similar ARM processor device, then the SO rules won't work. The SO (shared object) rules in Snort are a set of precompiled rules that are actually based off C language source code. The SO rules in the tarball provided by the Snort VRT are precompiled for only x86/AMD CPU hardware. They are also provided for use in a few different operating systems (FreeBSD being one of those).

        So if you have an ARM-based architecture in your firewall, the SO rules won't work. They should work fine if you have a x86/AMD (Intel) based architecture.

        siil-it
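        The architecture point above can be checked directly against the rules tarball rather than by trial and error in the GUI. The script below is an added example, not code from this thread or from the pfSense Snort package. It assumes the VRT tarball layout `so_rules/precompiled/<OS>/<arch>/<snort-version>/*.so` with `x86-64` and `i386` as the architecture directory names, and it builds a small constructed directory tree to run against so that it works offline; on a real firewall you would point it at an extracted tarball and pass the OS label and Snort version that tarball was built for.

```shell
#!/bin/sh
# Added example (not from the forum thread or the pfSense package): decide
# whether a Snort VRT rules tarball carries precompiled SO rules usable on
# this firewall's OS/CPU combination.
#
# Assumed tarball layout (an assumption, verify against your own download):
#   so_rules/precompiled/<OS>/<arch>/<snort-version>/*.so
# The OS label (e.g. FreeBSD-12) and the Snort version differ per tarball,
# so both are parameters instead of hard-coded values.

# Map `uname -m` output to the architecture directory name the tarball uses.
# The VRT ships binaries only for x86; anything else (armv6, armv7, aarch64)
# fails, which is exactly the SG-3100 case described above.
vrt_arch_for_machine() {
    case "$1" in
        amd64|x86_64) echo "x86-64" ;;
        i386|i686)    echo "i386" ;;
        *)            return 1 ;;
    esac
}

# Print the precompiled SO rule directory for <root> <os-label> <machine>
# <snort-version>, or fail when no usable directory (with at least one
# shared object in it) exists.
so_rules_dir() {
    root="$1"; os="$2"; machine="$3"; snortver="$4"
    arch=$(vrt_arch_for_machine "$machine") || return 1
    dir="$root/so_rules/precompiled/$os/$arch/$snortver"
    [ -d "$dir" ] || return 1
    # Require at least one .so in the directory; an empty one is useless.
    set -- "$dir"/*.so
    [ -e "$1" ] || return 1
    echo "$dir"
}

# Constructed sample layout (not a real rules tarball) so the check runs offline.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/so_rules/precompiled/FreeBSD-12/x86-64/2.9.20"
: > "$demo_root/so_rules/precompiled/FreeBSD-12/x86-64/2.9.20/browser-chrome.so"

# Intel Atom box (SG-8860 style): a directory is found and the rules can load.
so_rules_dir "$demo_root" FreeBSD-12 amd64 2.9.20

# ARM box (SG-3100 style): nothing matches, so there is nothing to enable.
so_rules_dir "$demo_root" FreeBSD-12 armv7 2.9.20 \
    || echo "no precompiled SO rules for armv7"

# Live check against the machine this script runs on (result depends on host).
so_rules_dir "$demo_root" FreeBSD-12 "$(uname -m)" 2.9.20 \
    || echo "no precompiled SO rules for $(uname -m)"
```

On a real unit, running `file` on one of the `.so` files confirms the ELF machine type the object was built for, which is the definitive answer when the directory names leave any doubt.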

          It's an SG-8860 reporting an Intel Atom CPU running FreeBSD, so it looks like I'm going to need to do some deeper digging into this.
          It's good to know about the ARM processors though, as I've got 15 SG-3100s and 1000s on order! Will need a different rules setup for them.

          bmeeks @siil-it

            @siil-it
            So the Snort SO rules are the only ones that don't survive the SAVE operation? Do you have the latest Snort package version? That would be 3.2.9.7_2 if my memory serves me correctly.

            Might be a bug in the GUI code. Several changes have had to be made to the GUI source code in order to accommodate the move to PHP 7.2 in pfSense.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.