Netgate Discussion Forum

    Snort 3

    Category: IDS/IPS
    38 Posts 9 Posters 9.7k Views
      bmeeks @siil-it

      @siil-it said in Snort 3:

      What are we likely to get as a replacement for barnyard2?

      I manage a growing number of various models of Netgate devices, all with Snort installed. To attempt to monitor them all from one screen I'm trying to use an external SIEM setup. This has proved problematical to say the least.

      Probably something like this blog post talks about. Except instead of Logstash something like Filebeats might work better on a FreeBSD platform like pfSense. I have not investigated any of that in much detail, though. Here is a tutorial on converting from Logstash Forwarder to Filebeats (or Beats in FreeBSD): https://www.elastic.co/guide/en/beats/filebeat/current/migrating-from-logstash-forwarder.html.


        l0rdraiden @bmeeks

        @bmeeks

        Do you think it will be possible to create IDS policies and apply them to firewall rules like in the commercial firewalls?

        Basically you can create a policy with a personalized configuration and rules and apply this policy to a fw rule, so the traffic of that firewall rule is the only affected by that IDS policy.
        This can be to a firewall rule or to a port, or host.


          bmeeks @l0rdraiden (last edited by bmeeks)

          @l0rdraiden said in Snort 3:

          @bmeeks

          Do you think it will be possible to create IDS policies and apply them to firewall rules like in the commercial firewalls?

          Basically you can create a policy with a personalized configuration and rules and apply this policy to a fw rule, so the traffic of that firewall rule is the only affected by that IDS policy.
          This can be to a firewall rule or to a port, or host.

          No, that is not something that I predict is on the horizon. The packet filter firewall used by pfSense is totally unaware of the presence of any installed IDS/IPS package and any policies defined in the IDS/IPS. Today the IDS/IPS component sits completely outside of the firewall. Changing that would require substantially reworking the internal network plumbing of the FreeBSD kernel used beneath pfSense.


            Paych3ck

            I was just curious if there was any update to this. I am very interested in using Snort 3 with pfSense. Thanks!


              bmeeks @Paych3ck (last edited by bmeeks)

              @Paych3ck said in Snort 3:

              I was just curious if there was any update to this. I am very interested in using Snort 3 with pfSense. Thanks!

              Snort3 will likely be a long time in coming -- if ever. I started working on a package for it, but the effort got to be very frustrating because so much is different from Snort 2.9.x. Migrating an existing pfSense Snort 2.9.x configuration over to Snort3 proved to be a tough challenge. That's one of the reasons I put the package development back into mothballs. I never did get a working system going with Snort3 on pfSense. The binary part is not really the issue. The difficulties are in the PHP GUI code and all the gymnastics required to create the LUA configuration file for the binary to use.

              Anybody is free to take up the challenge and work on a Snort3 package if they desire, but my enthusiasm for it has evaporated for now.


                Paych3ck @bmeeks

                @bmeeks Thank you for the update.


                  posix

                  @Paych3ck I am not a developer nor have any vested interest in Snort. But like you I was curious and I came across this thread. Kinda bummed out that at this time no further development was going to be done, and to be fair it is a large task at hand. But I wanted to offer some context to others who, like us, are curious about Snort 3.

                  Checking the official Snort blog (https://blog.snort.org/):
                  - https://blog.snort.org/2018/08/snort-3-beta-available-now.html (8/2018: beta released)

                  Other points from the Snort download page:
                  - Up to now it's been receiving updates (still beta stage)
                  - 2.9.16 is still listed as stable, but not 3.0

                  So I dunno maybe another reason is that the dust hasn't settled.


                    Impatient

                    According to Twitter, Snort 3 is on its final beta with release later this year.


                      talaverde (last edited by talaverde)

                      As the OP of this thread, I sorta felt bad because I lost interest. This is because I ended up installing Suricata, even if only just to try it out. Surprisingly, I was able to significantly drop the RAM used by my pfSense (VMs) and even noticed a slight improvement in speeds. I may have just had things mis-configured with Snort, but I'm happy at the moment. While I'll almost definitely try out Snort 3 when it's available, I'm not anxiously waiting, like I was before.

                      I have noticed many more alerts with Suricata, than with Snort. I don't know that that means more protection or more false alarms. It may be a little of both.


                        beachbum2021

                        Any updates on Snort 3.0? Single threading is killing my use of it, but their rule sets are far and away cheaper than Suricata. Single threading kills throughput to the point it's pointless to even use the package on higher-end network speeds.


                          bmeeks @beachbum2021

                          @beachbum2021 said in Snort 3:

                          Any updates on Snort 3.0? Single threading is killing my use of it, but their rule sets are far and away cheaper than Suricata. Single threading kills throughput to the point it's pointless to even use the package on higher-end network speeds.

                          No more progress, and I have no plans at present to resume work on a Snort3 package. If someone else wishes to tackle that project, they are welcome to do so.


                            beachbum2021 @bmeeks

                            @bmeeks thanks for the update
