Snort how to choose rulesets/categories (level just above newbie)
-
Hello,
Are there any ruleset/categories descriptions available for "ET Open Rules" and "Snort OPENAPPID"?
The goal would be to fine-tune a bit further than the IPS Policy for different cases (VLANs, inter-VLAN access and restriction monitoring, hotspot monitoring, admin VLAN monitoring (APs, pfSense, switches, shared printers, VOIP...)). I have read https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users
and
https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/17
I took good notes to begin with soft IPS policies, no blocking, see how it works, then level up the IPS policy (always on LAN).
Right now I'm testing with a very small appliance (Netgate SG-1000) but I plan to go for something bigger (more CPU, more RAM, more space and fully compatible NICs).
For now the SG-1000 is just enough for LAN rules with soft IPS, but I would like to go further. I'm using the SG-1000 at my home/office network (1 WAN / 3 VLANs) but the goal is to use it at 2 or 3 places (very small business centers), so I would like to raise my Snort experience...
Thanks for your information, advice, links, questions, ideas
-
While the SG-1000 is a fine little home firewall appliance, it does not have enough RAM to get too sophisticated with Snort rules. I would recommend you stick with the IPS-Connectivity policy and then maybe enable the ET-Malware rules category (I forget its exact name, but it has "malware" in it). If you add too many other ET categories you will likely run out of RAM, especially during rules updates when Snort temporarily needs to keep two complete copies of the configured rules in memory while swapping from the old set to the newly updated set.
-
@bmeeks
Hello, thanks for taking my question. My goal is not to stay with the SG-1000; I would like to upgrade the hardware in the near future in order to have enough resources to go further with the Snort config. With more powerful hardware available in the near future, I would like to prepare and already get a better understanding of Snort rulesets and categories. Are there descriptions of the "ET Open Rules" and "Snort OPENAPPID" rulesets/categories available somewhere?
Do you have links to recommend to go a bit further after reading the documents you wrote that I've linked up there?
Thanks again for your help
-
There are some additional documentation links embedded in this Blog Post from the Netgate team: https://www.netgate.com/blog/application-detection-on-pfsense-software.html. One of the links goes to an official pfSense documentation page describing the Snort package and how to set it up including how to configure OpenAppID.
There is really no single source out on the web for rule documentation. In fact, in my many years of supporting the two IDS/IPS packages, I've never found any good description/documentation of the individual rules that you could use say like an encyclopedia of sorts. You kind of have to figure out their purpose by their alert message. Sometimes, when a new rule is issued to combat some particular "threat of the day", the rule vendors will have some information posted on their respective blogs about the new rule.
To run a fully configured Snort package with a good many enabled rules, you probably would want something like a Netgate SG-5100 appliance.
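An added example, not code from this thread or from the Netgate Snort package, showing one way to make sense of a category the way the reply above describes: read each rule's msg and classtype from the category file and tally them. The rule lines below are constructed placeholders (made-up SIDs and messages in Snort 2.x syntax), not real ET or VRT rules.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Snort 2.x rule syntax; SIDs/messages are placeholders.
SAMPLE_RULES = """\
# emerging-malware.rules (constructed sample)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Example beacon POST"; flow:established,to_server; content:"POST"; classtype:trojan-activity; sid:9000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Example DNS lookup"; content:"|07|example"; classtype:trojan-activity; sid:9000002; rev:2;)
# alert tcp any any -> any any (msg:"ET MALWARE disabled sample"; classtype:trojan-activity; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET POLICY SMB from outside"; classtype:policy-violation; sid:9000004; rev:1;)
alert tcp any any -> any 1900 (msg:"ET INFO UPnP discovery"; classtype:not-suspicious; sid:9000005; rev:1;)
"""

# header: action proto src sport direction dst dport ( options )
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject|pass|log)\s+\S+\s+\S+\s+\S+\s+[-<]>\s+\S+\s+\S+\s*'
    r'\((?P<opts>.*)\)\s*$'
)

def parse_rules(text):
    """Yield one dict per active rule: action, msg, classtype, sid and ET category."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # comments and disabled (commented-out) rules are skipped
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group('opts')
        msg = re.search(r'msg:"([^"]*)"', opts)
        ct = re.search(r'classtype:([\w-]+)', opts)
        sid = re.search(r'sid:(\d+)', opts)
        msg_text = msg.group(1) if msg else ''
        # ET messages start with "ET <CATEGORY> ...", e.g. "ET MALWARE ..." -> "MALWARE"
        parts = msg_text.split()
        category = parts[1] if len(parts) > 1 and parts[0] == 'ET' else 'OTHER'
        yield {'action': m.group('action'), 'msg': msg_text,
               'classtype': ct.group(1) if ct else 'unknown',
               'sid': int(sid.group(1)) if sid else None, 'category': category}

def summarize(text):
    """Return {category: Counter(classtype)} to show what each category actually covers."""
    summary = defaultdict(Counter)
    for r in parse_rules(text):
        summary[r['category']][r['classtype']] += 1
    return summary

if __name__ == '__main__':
    for cat, counts in sorted(summarize(SAMPLE_RULES).items()):
        print(f"{cat}: {dict(counts)}")
```

Point it at the .rules files the package downloads to get a per-category view of classtypes and alert messages before enabling a category on a RAM-constrained box.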
-
Thanks for your reply and your explanations. Even if it is not the answer I wished for, it helps me not lose any more time searching in the wrong direction.
Thanks
Have a nice day