Netgate Discussion Forum

    Suricata with ET IPS like Snort Rules Inline

    IDS/IPS
    7 Posts 2 Posters 700 Views
    • N0_Klu3

      So I'm now running Suricata with Snort rules for the IPS Categories option, as I'm running Inline mode.

      Is there a future where we can have these IPS categories mimicked for ET?
      Like Balanced, Security and so on? It would make setup and life so much easier.
      And then users that want super fine-grained control can use a dropsid.conf file.

      Also, out of curiosity, if I am using ETOpen and wanted to use a dropsid.conf file, do I name my files
      emerging-ciarmy, emerging-worm and so on?
      The sample isn't too clear.

      That, though, would turn on EVERY alert under each of those categories, right? So if emerging-worm had some rules set by default to only alert, they would now all be set to drop.

      It's because of the last line that I use Snort rules, as it seems to have IPS categories set pretty much OK. A few tweaks here and there, but otherwise all good. But I would really like to use ET with Suricata.

      • bmeeks @N0_Klu3

        You would need to make this request to the Emerging Threats (now Proofpoint) team that authors those rules. The pfSense package can't create policies. It can only use what the rule providers include in their packages.

        The name of the rules category used on the SID MGMT tab should include the "emerging" prefix. Use the same name that you see on the CATEGORIES tab if in doubt.

        When you use the SID MGMT feature, it will change the action for all matching rules. So if you set an entire category to DROP, then all rules in that list would be DROP. However, there are many "default disabled" rules in the various categories. Those would get changed to DROP as well, but they would not be automatically enabled UNLESS they also matched criteria in an enablesid.conf file.

        • N0_Klu3

          @bmeeks thank you so much for all your work and continued support! Your efforts are truly appreciated.

          The drop for entire categories where the default could be disabled or just alert, that's gonna suck.
          Guess that makes my decision for me.

          As the author of both, is Snort multi-threaded now?
          What do you use/prefer personally?
          I'm thinking more now towards Snort and using Snort rules just for those IPS categories, but it won't have inline, as you say, till pfSense 2.5.

          • bmeeks @N0_Klu3

            I think you misunderstood me. Changing a category to all DROP will change the rule action, but it will NOT enable a rule that is default-disabled by the rule author. You would use the enablesid and/or disablesid features to change the state of particular rules from disabled to enabled or vice-versa.

            However, it is correct that the Emerging Threats rules don't have IPS policy metadata encoded in them.

            Snort is single-threaded on pfSense as it is still using the 2.9.x version of Snort. Snort 3.0 is multithreaded, but it is still in BETA and has been for quite some time (more than two years, in fact). On a practical level, though, multithreaded versus single-threaded means very little where the rubber meets the road processing packets. Until you get past 1 Gigabit/second of sustained traffic it really matters very little. And even multithreaded Suricata still has bottlenecks at some points in the packet processing chain that are, in effect, single-threaded.

            I personally use Snort, but that's just because I started with that package many years ago. Neither is more "secure" than the other, and actually, neither is necessarily "faster" than the other in practical terms.

            • N0_Klu3
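            The distinction bmeeks draws in the two replies above (a dropsid list rewrites a rule's action, while only an enablesid/disablesid list changes whether a default-disabled rule is turned on) is easy to model. The script below is an added example, not code from the pfSense package or from either poster: it parses a few constructed ET-style rules, applies a category-wide drop list plus a one-SID enable list, and shows which rules end up as `drop` but still commented out. The rule lines, SIDs and category names are made up, only the `gid:sid` and bare-category-name token forms are modelled (the real SID MGMT files accept more syntax), and the disable-then-enable-then-drop ordering is an assumption about how the package evaluates its lists.

```python
"""Added example: a SID-management pass changes a rule's ACTION (alert -> drop)
separately from its STATE (enabled/disabled). Not the pfSense package's code."""
import re
from dataclasses import dataclass

# Constructed sample rules in ET/Suricata syntax, keyed by the category file
# stem (emerging-<category>). A leading '#' is how a rule author ships a rule
# default-disabled. Every SID below is invented for this demo.
SAMPLE_RULES = {
    "emerging-worm": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"WORM sample A"; sid:9000001; rev:1;)',
        '#alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"WORM sample B"; sid:9000002; rev:1;)',
        '#alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"WORM sample C"; sid:9000003; rev:1;)',
    ],
    "emerging-ciarmy": [
        'alert ip [203.0.113.0/24] any -> $HOME_NET any (msg:"CIArmy sample"; sid:9000010; rev:1;)',
    ],
}

RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<body>.*\bsid\s*:\s*\d+\s*;.*)$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    category: str
    gid: int
    sid: int
    action: str
    enabled: bool
    body: str  # everything after the action keyword

    def render(self) -> str:
        """Re-emit the rule; a disabled rule gets its '#' back."""
        return ("" if self.enabled else "#") + f"{self.action} {self.body}"


def parse_rule(category: str, line: str):
    """Parse one rule line; returns None for lines that are not rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    gid_m = GID_RE.search(body)
    return Rule(
        category=category,
        gid=int(gid_m.group(1)) if gid_m else 1,  # Suricata's default gid is 1
        sid=int(SID_RE.search(body).group(1)),
        action=m["action"],
        enabled=m["disabled"] is None,
        body=body,
    )


def load_rules(rules_by_category):
    rules = []
    for category, lines in rules_by_category.items():
        for line in lines:
            r = parse_rule(category, line)
            if r:
                rules.append(r)
    return rules


def parse_conf(text: str):
    """Tokens from a dropsid/enablesid/disablesid-style list: text after '#'
    is a comment, entries are separated by commas or whitespace. Only two
    token kinds are modelled (assumption; the real files accept more):
    'gid:sid' and a bare category name such as 'emerging-worm'."""
    tokens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        tokens.extend(t for t in re.split(r"[,\s]+", line) if t)
    return tokens


def matches(rule: Rule, token: str) -> bool:
    return token == f"{rule.gid}:{rule.sid}" or token == rule.category


def apply_sid_mgmt(rules, disablesid="", enablesid="", dropsid=""):
    """Assumed order: disable list, then enable list (an explicit enable wins),
    then drop list. The drop list only rewrites the action; it never flips
    a rule's enabled state, which is the point bmeeks makes above."""
    disable, enable, drop = (parse_conf(t) for t in (disablesid, enablesid, dropsid))
    for r in rules:
        if any(matches(r, t) for t in disable):
            r.enabled = False
        if any(matches(r, t) for t in enable):
            r.enabled = True
        if any(matches(r, t) for t in drop):
            r.action = "drop"
    return rules


def demo_rules():
    """Whole emerging-worm category -> drop, but only sid 9000002 gets enabled."""
    return apply_sid_mgmt(
        load_rules(SAMPLE_RULES),
        dropsid="emerging-worm   # every rule in the category gets action drop\n",
        enablesid="1:9000002      # wake up one default-disabled worm rule\n",
    )


def demo():
    return {r.sid: (r.action, r.enabled) for r in demo_rules()}


if __name__ == "__main__":
    for r in demo_rules():
        print(r.render())
```

            Running it prints sample A and B as active `drop` rules, sample C as `#drop ...` (action rewritten but still commented out because nothing enabled it), and the CIArmy rule untouched as `alert`. If you want every rule in a category to actually fire as drop, the category name has to appear in the enable list as well as the drop list.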

              Thanks man, very insightful.

              I will have 1Gb/1Gb by the end of the year running on an Atom C3758.
              Hopefully Snort will still be awesome. What about doing a _Devl edition with Snort 3? Then again, I don't know if I'd actually like to run that :D

              • bmeeks @N0_Klu3

                I started working on a Snort3 package, but I have shelved it for now. The changes are enormous and the required configuration file is radically different. It would be pretty much a "from the ground up rewrite" of the package, and to be honest I can't seem to get myself all thrilled about that yet ... ☺.

                • N0_Klu3

                  LOL, I feel ya.
                  Thing is, though, if you do it/get it started now, when Snort3 is actually released you'll be in good standing.

                  Or alternatively it could be radically different from the beta and need another rewrite 😦, although I think that is not very likely.

                  Like I say, I very much appreciate your work. Maybe you can put out feelers for some other devs to help with the rewrite?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.