Snort 3 Release Candidate Available
-
Looking at the Snort blog today I see that Snort 3 is finally out of beta with a RC available now and GA to follow in about a month:
https://blog.snort.org/2020/09/official-snort-3-release-candidate.html
I think this is very exciting news - Snort 3 includes a number of enhancements over Snort 2 and it would be great to use the new version with pfSense as well:
https://blog.snort.org/2020/08/snort-3-2-differences.html
@bmeeks - I did see some your concerns moving to Snort 3 in this thread, including challenges you were facing with the migration from Snort 2 to 3:
https://forum.netgate.com/topic/139683/snort-3
Any chance you would reconsider working on a pfSense package for Snort 3 even if it meant that we would have migrate settings manually? I think the improvements from Snort 2 to Snort 3 are significant enough that many of use would probably see a bump in performance, perhaps especially while running in inline (IPS) mode. Thanks in advance for your consideration, I really appreciate it.
-
@tman222 said in Snort 3 Release Candidate Available:
Looking at the Snort blog today I see that Snort 3 is finally out of beta with a RC available now and GA to follow in about a month:
https://blog.snort.org/2020/09/official-snort-3-release-candidate.html
I think this is very exciting news - Snort 3 includes a number of enhancements over Snort 2 and it would be great to use the new version with pfSense as well:
https://blog.snort.org/2020/08/snort-3-2-differences.html
@bmeeks - I did see some your concerns moving to Snort 3 in this thread, including challenges you were facing with the migration from Snort 2 to 3:
https://forum.netgate.com/topic/139683/snort-3
Any chance you would reconsider working on a pfSense package for Snort 3 even if it meant that we would have migrate settings manually? I think the improvements from Snort 2 to Snort 3 are significant enough that many of use would probably see a bump in performance, perhaps especially while running in inline (IPS) mode. Thanks in advance for your consideration, I really appreciate it.
Snort3 left a very bad taste in my mouth from trying to massage it into a GUI-configured design. I might look again, but creating the necessary Lua configuration file from PHP with all the options and variations available in Snort3 is a pain. Or at least it turned into one very quickly the last time I worked on the package.
And that's just the basic GUI IDS side. The internal binary structure is totally different than Snort 2.9.x and thus the custom blocking module used on pfSense has to be totally rewritten. Also not sure the new netmap device code will work either without a pretty significant rewrite. So lots of work involved with this package.
Nothing will prevent users from installing the basic Snort3 binary package and then configuring and running it strictly from the command-line, though. So just pretend you are running it on a basic FreeBSD client with no GUI. The binary package was, at one time, enabled in the pfSense package repository. It might have been disabled some back due to not building currently, but I'm not sure.
-
Thanks @bmeeks - I appreciate you getting back to me on this. Do you think going forward that the Snort team will abandon Snort 2 development in favor of Snort 3 when it goes GA? Or are there enough Snort 2 users out there that this is unlikely to happen for some time? I think for me personally I'm curious to see how Snort 2 will perform in pfSense 2.5. If inline mode throughput is still an issue I may try to Suricata for a bit to see if features such as multi-threading actually make a difference. Since Snort 3 pfSense package development is still TBD at this time, do you have advice for those of us who might want to get a bit of a head start and toy with the Snort 3 binary on our own in a lab setup? Is it as simple as running the binary and setting up the configuration files appropriately? Would Netmap work properly as well for inline mode or will that likely require modifications? Thanks again for all your help.
-
Questions about Snort 2.9.x support would need to be directed at the Snort team over at Talos/Cisco. My guess is no new features will get into Snort 2.x, but critical bug fixes might be addressed going forward after Snort3 goes full release. Of course it's been many years since any really new feature was added to Snort 2.x. I think the last big one was OpenAppID.
You would run Snort3 on pfSense just like you would run it on any other Unix-type system. Install the binary, hand-edit the necessary configuration file or files, install the rules manually using something like PulledPork or other tools, and then either create your own or use any provided shell script to start Snort3. There would be absolutely no GUI interfacing at all. No logs to see in the GUI, no configuration in GUI, and no control from the GUI.
As for netmap support, that actually depends on the shared DAQ library produced by the Snort team. There is a new version of DAQ used in Snort3. I do not know for sure, but I don't believe they have imported support into the Snort3 DAQ for software host rings. I think it is still limited to supporting only hardware rings. That means you can't set up Snort3 to sit between the NIC and the host stack like you can with Snort 2.x and the older DAQ-2.2.2 that I modified. So netmap will work, but to do anything meaningful with it in pfSense will require you to use two physical interfaces on the box in order to implement a true inline-IPS mode. Not very interface efficient for sure.
And finally, unless you use two physical interfaces as mentioned above, there would be no blocking with Snort3 on pfSense. It would be IDS only. No IPS as there is no custom legacy blocking output plugin for Snort3.