Overlap Running Multiple Rule Sets?
-
Thanks @bmeeks - that makes a lot of sense!
My apologies for taking this into a slightly different direction, but I was reviewing the "Detection Performance Settings" and a couple things caught my eye:
-
For "Search Method" I currently have AC-BNFA-NQ selected, which I think is one of the recommended settings. I have read that AC or AC-NQ has the best performance but also uses a lot of memory and thus has not been recommended in the past. If the firewall has a significant amount of memory (e.g. 16GB), would this mode be OK to try, or would it still cause issues?
-
Is there any benefit to enabling "Search Optimize"?
Thanks again for all your help.
-
-
@tman222 said in Overlap Running Multiple Rule Sets?:
Never change the Pattern Matcher setting. Don't really know why the Snort developers even offer the other settings. None of them work better than the default, and some of them basically don't work at all, as your box will immediately consume all of its RAM and crash with several of the alternative settings selected. Search the threads here long enough and you will find folks who ignored this advice and ran their box out of RAM by fiddling with the Pattern Matcher.
The defaults are defaults for a good reason ... they work well in just about every single setup.
-
-
@bmeeks - thanks again for the advice, I think I'm all set (for now).
I'm looking forward to pfSense 2.5, including the netmap-related host stack networking changes - will plan to give Snort inline mode another try then (or before, if I can find some time to get a machine put together to run the 2.5 development snapshots) to see if throughput will increase.
-
Hi @bmeeks - I have an idea / request for a feature that came to mind last night:
Do you think it might be possible to add download capability under the interface Rules section for the "Selected Category's Rules" table (e.g. as a CSV file, or similar)? I don't know how easy or difficult it would be to implement this, but I think it would be very helpful to be able to take this data and load it into another tool for further analysis of a given rule set (especially if it's a larger one) and to aid in the process of selectively disabling / enabling some rules over others (i.e. using SID Management).
Thanks in advance for your consideration, I really appreciate it.
-
@tman222 said in Overlap Running Multiple Rule Sets?:
You can view the content of any of the category files by simply clicking on the name on the CATEGORIES tab. You can view individual rules by clicking on the corresponding line on the RULES tab while displaying a category. From the dialog that opens you can easily copy and paste to anyplace of your choice.
So I don't see the advantage of adding extra complicating code to download a CSV. You can also use WinSCP, for example, and directly manipulate the files on the firewall. The raw rules files reside in /usr/local/etc/snort/rules.
-
@bmeeks said in Overlap Running Multiple Rule Sets?:
Thanks @bmeeks - I see what you mean now. You're right, if you work with the Categories tab it would be just as easy to take a closer look at the different categories and disable/enable as needed using SID Management. I've got one quick follow-up question: What is the difference between the "Ruleset: Snort Text Rules" and "Ruleset: Snort SO Rules" columns? I assume the latter refers to "Subscriber Only"? Thanks again.
-
@tman222 said in Overlap Running Multiple Rule Sets?:
SO refers to Shared Object. Those are proprietary rules for various exploits that are created from C source code and compiled as shared libraries for a series of operating systems. FreeBSD is one such supported system. So some of these are rules where the authors, for various reasons, wanted to keep the detection mechanism secret, so the text rules are not always published. Plus, since these are compiled source code, they can do more complex things in terms of detection.
-
Thanks @bmeeks. So using a combination of SID Management and IPS Policies I could, for instance, run the IPS Balanced policy but auto-disable some of the categories that are represented if the attack surface is not relevant (e.g. let's say rules pertaining to IIS servers), and then just run the remainder (of the policy rules). Are you aware of a good source that explains the different rule categories? Thanks again.
-
@tman222 said in Overlap Running Multiple Rule Sets?:
You would have to disable by GID:SID values instead of categories if you use an IPS policy. Rules in a policy are auto-selected based on policy metadata embedded within each rule. Unless I was really short on RAM, I would not bother with such granularity if using a policy-based approach.
Documentation of everyone's rules, both Snort and Emerging Threats, is basically non-existent. You have to learn to read the rule syntax for yourself and then learn about the various exploits. In short, you have to become a blackhat hacker of a sort so that you fully understand the exploits and how they work, then you learn to use the Snort rule syntax and that combination makes you an IDS security admin. It is a very technical field with few truly qualified folks; and the good ones can command very high compensation.
-
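An added example, my own code and not part of this thread, the pfSense Snort package, or its maintainer's work, that covers two points from the exchange above: the CSV export tman222 asked for, produced straight from the raw category files in the rules directory bmeeks points to, and the policy-based selection plus GID:SID disable list bmeeks describes. The category files, SIDs and rule bodies are constructed for illustration; the policy names are read from the standard Snort `metadata:policy <name> <action>` tag; and the disable-list format is a simplified hypothetical stand-in for pfSense's SID Management lists, not its real syntax.

```python
"""Added example (not from the pfSense Snort package or its maintainer).

Parses Snort 2.9 text rules from constructed category files, selects the rules
an IPS policy would auto-enable from their "metadata: policy ..." tags, applies
a hypothetical GID:SID disable list, and dumps the survivors as CSV.
"""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample category files. SIDs in the 9000000 range and the rule
# bodies are invented for illustration; they are not real Talos/ET rules.
SAMPLE_FILES = {
    "server-iis.rules": r'''
# server-iis.rules (constructed)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS example traversal attempt"; flow:to_server,established; content:"/.."; metadata:policy balanced-ips drop, policy security-ips drop; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS example legacy probe"; flow:to_server,established; content:"/scripts/"; metadata:policy security-ips drop; classtype:web-application-attack; sid:9000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS example commented out"; sid:9000009; rev:1;)
''',
    "os-windows.rules": r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS example SMB probe"; flow:to_server,established; content:"|FF|SMB"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:attempted-recon; sid:9000003; rev:3;)
''',
    "malware-cnc.rules": r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC example beacon"; flow:to_server,established; content:"beacon"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; gid:1; sid:9000004; rev:1;)
alert ip any any <> any any (msg:"INDICATOR example with no policy tag"; classtype:misc-activity; sid:9000005; rev:1;)
''',
}

# Hypothetical disable list: one or more GID:SID tokens per line, comma or
# whitespace separated, '#' comments. A simplified stand-in, not pfSense syntax.
DISABLE_LIST = """
# constructed example: no IIS on this network, drop the SERVER-IIS pair
1:9000001, 1:9000002
"""

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?:alert|drop|reject|sdrop|pass|log)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$'
)


@dataclass
class Rule:
    gid: int
    sid: int
    rev: int
    category: str
    msg: str
    classtype: str
    policies: dict = field(default_factory=dict)  # policy name -> action


def _opt(options, name):
    """First value of rule option `name`, or None. Assumes values contain no ';'."""
    m = re.search(r'(?:^|;)\s*' + re.escape(name) + r':\s*([^;]*);', options)
    return m.group(1).strip() if m else None


def _policies(metadata):
    """Turn 'policy balanced-ips drop, policy security-ips drop' into a dict."""
    out = {}
    for item in (metadata or "").split(","):
        parts = item.split()
        if len(parts) == 3 and parts[0] == "policy":
            out[parts[1]] = parts[2]
    return out


def parse_rules(files):
    """Parse {filename: text}; category is the file name minus '.rules'."""
    rules = []
    for filename, text in files.items():
        category = filename[:-len(".rules")] if filename.endswith(".rules") else filename
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):  # blank or disabled-in-file rule
                continue
            m = RULE_RE.match(line)
            if not m:
                continue
            opts = m.group(1)
            rules.append(Rule(
                gid=int(_opt(opts, "gid") or 1),  # text rules default to GID 1
                sid=int(_opt(opts, "sid")),
                rev=int(_opt(opts, "rev") or 0),
                category=category,
                msg=(_opt(opts, "msg") or "").strip('"'),
                classtype=_opt(opts, "classtype") or "",
                policies=_policies(_opt(opts, "metadata")),
            ))
    return rules


def select_policy(rules, policy):
    """Rules an IPS policy auto-enables: those tagged with that policy name."""
    return [r for r in rules if policy in r.policies]


def parse_disable_list(text):
    """Set of (gid, sid) pairs from the hypothetical disable-list format."""
    disabled = set()
    for line in text.splitlines():
        for token in re.split(r"[,\s]+", line.split("#", 1)[0].strip()):
            if token:
                gid, sid = token.split(":")
                disabled.add((int(gid), int(sid)))
    return disabled


def apply_disable_list(rules, disabled):
    return [r for r in rules if (r.gid, r.sid) not in disabled]


def to_csv(rules):
    """CSV summary suitable for loading into another analysis tool."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["gid", "sid", "rev", "category", "classtype", "policies", "msg"])
    for r in rules:
        tags = "|".join(f"{k}={v}" for k, v in sorted(r.policies.items()))
        w.writerow([r.gid, r.sid, r.rev, r.category, r.classtype, tags, r.msg])
    return buf.getvalue()


if __name__ == "__main__":
    all_rules = parse_rules(SAMPLE_FILES)
    balanced = select_policy(all_rules, "balanced-ips")
    kept = apply_disable_list(balanced, parse_disable_list(DISABLE_LIST))
    print(f"{len(all_rules)} parsed, {len(balanced)} in balanced-ips, {len(kept)} after disable list")
    print(to_csv(kept), end="")
```

Running it against a real rules directory only needs `SAMPLE_FILES` replaced by a dict built from the `.rules` files under /usr/local/etc/snort/rules; the policy selection shows why bmeeks says category-level disabling does not apply under a policy: the policy picks individual rules by their metadata tag, so what remains to trim is a list of GID:SID pairs.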
@bmeeks said in Overlap Running Multiple Rule Sets?:
Thanks @bmeeks - even if using a policy approach, wouldn't disabling a couple thousand rules (if they aren't relevant) help performance since there is less work for the CPU to do? Or am I overestimating the relative impact if the rule set is already quite large (e.g. let's say 10000+ rules).
I think this is a fascinating area and have enjoyed digging into the different categories and rules to try to learn more and optimize my setup. Thanks again for all your help along the way.