Snort Rules

  • I've got a netgate device with snort VRT rules applied along with ET and OpenAppID.

    Initially I've gone with the IPS Policy Selection so I could have a play with both the "Connectivity" & "Balanced" settings but after a week of monitoring, we need somewhere between the two (users complained too much when I totally blocked their social media access)!

    With the IPS Policy unticked, I've started to play with the different rulesets and found an issue. I'm seeing the following rulesets:
    Snort GPLv2 Community
    ET Open Rules
    Snort Text Rules
    Snort SO Rules
    Snort OpenAppI

    I'm unable to select any of the Snort SO Rules! If I do tick them, they don't survive the save. Is there something else I need to be configuring on the system for these rules to work?

  • @siil-it
    If you have an SG-3100 or similar ARM processor device, then the SO rules won't work. The SO (shared object) rules in Snort are a set of precompiled rules that are actually based off C language source code. The SO rules in the tarball provided by the Snort VRT are precompiled for only x86/AMD CPU hardware. They are also provided for use in a few different operating systems (FreeBSD being one of those).

    So if you have an ARM-based architecture in your firewall, the SO rules won't work. They should work fine if you have an x86/AMD (Intel) based architecture.

  • It's an SG-8860 reporting an Intel Atom CPU running FreeBSD so it looks like I'm going to need to do some deeper digging into this.
    It's good to know about the ARM processors though as I've got 15 SG-3100 & 1000's on order! Will need a different rules setup for them.

  • @siil-it
    So the Snort SO rules are the only ones that don't survive the SAVE operation? Do you have the latest Snort package version? That would be if my memory serves me correctly.

    Might be a bug in the GUI code. Several changes have had to be made to the GUI source code in order to accommodate the move to PHP 7.2 in pfSense.
