How do I enable ALL Snort IPS rules in ALL rule categories?


  • Good evening from Singapore,

    How do I enable ALL Snort IPS rules in ALL rule categories?

    Are there Snort rules which are supposed to remain disabled by default? If you enable them all, will it cause Snort engine to fail to start?

    If I enable ALL the Snort IPS rules in ALL rule categories, how much memory/RAM will I need? I only have 4 GB of RAM in my pfsense firewall appliance at the moment.

    I am looking forward to your advice.

    Thank you.

    Mr. Turritopsis Dohrnii Teo En Ming
    Singapore


  • There is a button on the CATEGORIES tab for Enable All. That will enable all the rules categories for all the rule vendors you have enabled (Snort Subscriber, Emerging Threats and/or Snort Community GPLv2). Then on the RULES tab is another Enable All button that will turn on all rules in the selected category. You would have to select each category in the drop-down and click the Enable All button.

    Now for the caveats.

    1. I mean this in a nice way, but the fact you want to enable all rules shows you must be very new to administering an IDS/IPS. It is NEVER a good idea to enable all rules unless you basically want to cripple your network. You may as well just disconnect it from the Internet entirely and run an air-gapped network.

    2. In each category the rules vendors ship certain rules disabled by default (actually they are commented out). This is because in most situations those rules will false positive -- sometimes quite aggressively.

    3. The proper way to administer an IDS/IPS is to run it in alert-only mode for several weeks, observe the alerts you receive, research each of them to determine if it is a false positive, and then disable and suppress those false positive rules.

    4. Enabling all rules in all categories with only 4 GB of RAM will likely overload your box. Even if it doesn't kill the box, doing such a thing is pointless. The fact you might consider that a good idea goes back to my caveat #1 above.

    Learn how to properly manage an IDS/IPS and tune the rules to monitor for only the traffic types that are going to be on your network. For example, if you have no internal mail server, why would you need SMTP rules enabled. If you do not run an internal authoritative DNS server available to the public, why do you need DNS server rules enabled? If you don't have a public-facing internal web server, why do you need the web server rules enabled? See what I mean about examining your network and determining what you need to protect and then enabling only the rules that protect against exposures you actually have? It's pointless to run a bunch of rules to protect against attacks aimed at infrastructure that does not even exist on your network.


  • @bmeeks said in How do I enable ALL Snort IPS rules in ALL rule categories?:

    There is a button on the CATEGORIES tab for Enable All. That will enable all the rules categories for all the rule vendors you have enabled (Snort Subscriber, Emerging Threats and/or Snort Community GPLv2). Then on the RULES tab is another Enable All button that will turn on all rules in the selected category. You would have to select each category in the drop-down and click the Enable All button.

    Now for the caveats.

    1. I mean this in a nice way, but the fact you want to enable all rules shows you must be very new to administering an IDS/IPS. It is NEVER a good idea to enable all rules unless you basically want to cripple your network. You may as well just disconnect it from the Internet entirely and run an air-gapped network.

    2. In each category the rules vendors ship certain rules disabled by default (actually they are commented out). This is because in most situations those rules will false positive -- sometimes quite aggressively.

    3. The proper way to administer an IDS/IPS is to run it in alert-only mode for several weeks, observe the alerts you receive, research each of them to determine if it is a false positive, and then disable and suppress those false positive rules.

    4. Enabling all rules in all categories with only 4 GB of RAM will likely overload your box. Even if it doesn't kill the box, doing such a thing is pointless. The fact you might consider that a good idea goes back to my caveat #1 above.

    Learn how to properly manage an IDS/IPS and tune the rules to monitor for only the traffic types that are going to be on your network. For example, if you have no internal mail server, why would you need SMTP rules enabled. If you do not run an internal authoritative DNS server available to the public, why do you need DNS server rules enabled? If you don't have a public-facing internal web server, why do you need the web server rules enabled? See what I mean about examining your network and determining what you need to protect and then enabling only the rules that protect against exposures you actually have? It's pointless to run a bunch of rules to protect against attacks aimed at infrastructure that does not even exist on your network.

    Noted with thanks!


  • My suggestion is to first subscribe to the Snort Subcriber Rules. They are free for registered users. For free you get new rules only when they are 30 days old or more. For $29.99 USD per year you get access to new rules the instant they are published.

    Once the rules are enabled for download, go to the CATEGORIES tab and check the box to use an IPS Policy and choose "Connectivity" in the drop-down. That is an excellent starter set of rules that are not likely to false positive in most networks.

    Do not enable blocking yet. Run in alert-only mode (just IDS mode) for several weeks and note the alerts you see on the interface. For 99% of users, you should configure Snort on your LAN interface only.

    It is likely you will get a lot of false positive alerts from several of the HTTP_INSPECT preprocessor rules. Search a thread on the forums here with "Snort Master Suppress" in the title and you will find lots of suggestions from other users on which rules are prone to false positives and should usually be disabled or suppressed.

    Edit: here is that thread: https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.