Netgate Discussion Forum
    Overlap Running Multiple Rule Sets?

    IDS/IPS
    14 Posts 2 Posters 1.0k Views
    tman222

      Thanks @bmeeks - that makes a lot of sense!

      My apologies for taking this into a slightly different direction, but I was reviewing the "Detection Performance Settings" and a couple things caught my eye:

      1. For "Search Method" I currently have AC-BNFA-NQ selected, which I think is one of the recommended settings. I have read that AC or AC-NQ has the best performance but also uses a lot of memory and thus has not been recommended in the past. If the firewall has a significant amount of memory (e.g. 16GB), would this mode be ok to try or would it still cause issues?

      2. Is there any benefit to enabling "Search Optimize"?

      Thanks again for all your help.

      bmeeks @tman222


        Never change the Pattern Matcher setting. Don't really know why the Snort developers even offer the other settings. None of them work better than the default, and some of them basically don't work at all, as your box will immediately consume all of its RAM and crash with several of the alternative settings selected. Search the threads here long enough and you will find folks who ignored this advice and ran their box out of RAM by fiddling with the Pattern Matcher.

        The defaults are defaults for a good reason ... they work well in just about every single setup 😀.

        tman222 @bmeeks

          @bmeeks - thanks again for the advice, I think I'm all set (for now). 😎

          I'm looking forward to pfSense 2.5 including the Netmap-related host stack networking changes - will plan to give Snort inline mode another try then (or before, if I can find some time to get a machine put together to run the 2.5 development snapshots) to see if throughput will increase.

          tman222 @bmeeks

            Hi @bmeeks - I have an idea / request for a feature that came to mind last night:

            Do you think it might be possible to add download capability under the interface Rules section for the "Selected Category's Rules" table (e.g. as a CSV file, or similar)? I don't know how easy or difficult it would be to implement this, but I think it would be very helpful to be able to take this data and load it into another tool for further analysis of a given rule set (especially if it's a larger one) and to aid in the process of selectively disabling / enabling some rules over others (i.e. using SID Management).

            Thanks in advance for your consideration, I really appreciate it.

            bmeeks @tman222


              You can view the content of any of the category files by simply clicking on the name on the CATEGORIES tab. You can view individual rules by clicking on the corresponding line on the RULES tab while displaying a category. From the dialog that opens you can easily copy and paste to anyplace of your choice.

              So I don't see the advantage of adding extra complicating code to download a CSV. You can also use WinSCP, for example, and directly manipulate the files on the firewall. The raw rules files reside in /usr/local/etc/snort/rules.

              tman222 @bmeeks


                Thanks @bmeeks - I see what you mean now. You're right, if you work with the Categories tab it would be just as easy to take a closer look at the different categories and disable/enable as needed using SID Management. I've got one quick follow-up question: What is the difference between the "Ruleset: Snort Text Rules" and "Ruleset: Snort SO Rules" columns? I assume the latter refers to "Subscriber Only"? Thanks again.

                bmeeks @tman222


                  SO refers to Shared Object. Those are proprietary rules for various exploits that are created from C source code and compiled as shared libraries for a series of operating systems. FreeBSD is one such supported system. So some of these are rules where the authors, for various reasons, wanted to keep the detection mechanism secret, so the text rules are not always published. Plus, since these are compiled source code, they can do more complex things in terms of detection.

                  tman222

                    Thanks @bmeeks. So using a combination of SID Management and IPS Policies I could, for instance, run the IPS Balanced policy but auto-disable some of the categories that are represented if the attack surface is not relevant (e.g. let's say rules pertaining to IIS servers), and then just run the remainder (of the policy rules). Are you aware of a good source that explains the different rule categories? Thanks again.

                    bmeeks @tman222


                      You would have to disable by GID:SID values instead of categories if you use an IPS policy. Rules in a policy are auto-selected based on policy metadata embedded within each rule. Unless I was really short on RAM, I would not bother with such granularity if using a policy-based approach.

                      Documentation of everyone's rules, both Snort and Emerging Threats, is basically non-existent. You have to learn to read the rule syntax for yourself and then learn about the various exploits. In short, you have to become a blackhat hacker of a sort so that you fully understand the exploits and how they work, then you learn to use the Snort rule syntax and that combination makes you an IDS security admin. It is a very technical field with few truly qualified folks; and the good ones can command very high compensation.

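As an added example (not code from this thread or from the pfSense Snort package), the following Python parses Snort text rules, pulls the policy names out of each rule's metadata and yields the GID:SID list a policy would auto-select, optionally for one msg category. It speaks to both tman222's wish above to load rule data into another tool and bmeeks's point that policy rules are chosen by embedded metadata and must be disabled by GID:SID. The rules file and its SIDs are constructed samples; the option splitting follows the Snort text-rule syntax (';' separates options, quoted or backslash-escaped ';' does not).

```python
import re

# Constructed sample in Snort text-rule syntax (placeholder SIDs in the local range; not real Talos rules).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS sample request"; flow:to_server,established; content:"GET /x.asp\;"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS sample SMB probe"; flow:to_server,established; content:"|FF|SMB"; metadata:policy security-ips drop, service netbios-ssn; classtype:attempted-admin; sid:1000002; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC sample beacon"; flow:to_server,established; content:"beacon"; metadata:policy balanced-ips drop, policy connectivity-ips drop; classtype:trojan-activity; sid:1000003; rev:2;)
'''

RULE_RE = re.compile(r'^(?P<off>#\s*)?(alert|drop|pass|log|reject)\s[^(]*\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split the option body on ';', ignoring ';' inside quotes and backslash-escaped ';'."""
    parts, buf, in_q, esc = [], '', False, False
    for ch in opts:
        if esc or ch == '\\':
            esc = not esc          # enter escape on '\', leave it on the next char
        elif ch == '"':
            in_q = not in_q
        elif ch == ';' and not in_q:
            parts.append(buf.strip()); buf = ''
            continue
        buf += ch
    return [p for p in parts + [buf.strip()] if p]

def parse_rules(text):
    """One dict per rule line: gid, sid, msg, category (msg prefix), policies, enabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue               # blank line or plain comment, not a rule
        kv, policies = {}, set()
        for opt in split_options(m.group('opts')):
            key, _, val = opt.partition(':')
            if key.strip() == 'metadata':
                # e.g. "policy balanced-ips drop, policy security-ips drop, service http"
                policies |= {w[1] for w in (i.split() for i in val.split(',')) if len(w) > 1 and w[0] == 'policy'}
            else:
                kv[key.strip()] = val.strip().strip('"')
        rules.append({'gid': int(kv.get('gid', 1)), 'sid': int(kv['sid']), 'msg': kv.get('msg', ''),
                      'category': kv.get('msg', '').split(' ')[0], 'policies': policies,
                      'enabled': m.group('off') is None})   # a leading '#' means disabled in the file
    return rules

def policy_sids(rules, policy, category=None):
    """GID:SID list of rules a policy would auto-select, optionally one msg category only."""
    return [f"{r['gid']}:{r['sid']}" for r in rules
            if policy in r['policies'] and category in (None, r['category'])]
```

Run against a real file from /usr/local/etc/snort/rules, `policy_sids(rules, 'balanced-ips', 'SERVER-IIS')` gives the GID:SID values in the form bmeeks says a policy-based setup must use for disabling.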
                      tman222 @bmeeks


                        Thanks @bmeeks - even if using a policy approach, wouldn't disabling a couple thousand rules (if they aren't relevant) help performance since there is less work for the CPU to do? Or am I overestimating the relative impact if the rule set is already quite large (e.g. let's say 10000+ rules)?

                        I think this is a fascinating area and have enjoyed digging into the different categories and rules to try to learn more and optimize my setup. Thanks again for all your help along the way.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.