Netgate Discussion Forum

[Solved] Snort GPLv2 Community Rules - Unable to download checksum file

  • B
    bmeeks @slu
    last edited by Aug 1, 2023, 1:04 PM

    @slu said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

    @bmeeks
    any change to bring SNORT 3.x to pfSense?
    I guess this is much work, otherwise you would have done it a long time ago?

    No, I am not working on anything for Snort3 and have no future plans to do so. I tried it twice and gave up. The benefit was not worth the effort and hassle compared to just using the existing Suricata package.

    At some point Snort 2.9.x is going to go EOL (end-of-life) upstream. At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

    D F S 3 Replies Last reply Aug 1, 2023, 1:05 PM Reply Quote 0
    • D
      DefenderLLC @bmeeks
      last edited by Aug 1, 2023, 1:05 PM

      @bmeeks I'm guessing you probably have that reply saved in your notes somewhere for replies to this never-ending question. :)

      1 Reply Last reply Reply Quote 0
      • F
        fireodo @bmeeks
        last edited by Aug 1, 2023, 1:12 PM

        @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

        At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

        Is there a good strategy to go from Snort to Suricata? (I mean with as little hassle as possible)

        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
        pfsense 2.7.2 CE
        Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

        D B 2 Replies Last reply Aug 1, 2023, 1:19 PM Reply Quote 0
        • D
          DefenderLLC @fireodo
          last edited by DefenderLLC Aug 1, 2023, 1:21 PM Aug 1, 2023, 1:19 PM

          @fireodo I know you didn't ask me, but most of your rulesets will work. Some Snort rules might throw up an error. The good news is that your suppression lists should also work, since they seem to use the same format. For me, that's the hardest part about tuning IDS/IPS on a new network. Just make sure to copy them before removing the Snort package. You can also just disable any Snort interfaces while you're configuring Suricata. When you're done, then you can remove Snort and its underlying data.

          F B 2 Replies Last reply Aug 1, 2023, 1:24 PM Reply Quote 1
          • F
            fireodo @DefenderLLC
            last edited by Aug 1, 2023, 1:24 PM

            @DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

            @fireodo I know you didn't ask me, but most of your rulesets will work. Some Snort rules might throw up an error. The good news is that your suppression lists should also work, since they seem to use the same format. For me, that's the hardest part about tuning IDS/IPS on a new network. Just make sure to copy them before removing the Snort package. You can also just disable any Snort interfaces while you're configuring Suricata. When you're done, then you can remove Snort and its underlying data.

            Thanks! Of course I will try to save as much of the settings (and most important the suppression list) in a note-file.

            Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
            SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
            pfsense 2.7.2 CE
            Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

            1 Reply Last reply Reply Quote 1
            • B
              bmeeks @fireodo
              last edited by bmeeks Aug 1, 2023, 1:38 PM Aug 1, 2023, 1:34 PM

              @fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

              Is there a good strategy to go from Snort to Suricata? (I mean with as little hassle as possible)

              It's pretty much starting over with a green field install with regards to IDS/IPS. First thing to do is review the official Suricata docs from upstream here: https://docs.suricata.io/en/suricata-6.0.13/.

              Here is what I would do next --

              1. Document your current Snort interface names (assuming you will want to run Suricata on those same interfaces).
              2. Take note of the rule families you are using. You can continue to use the majority of the Snort Subscriber Rules with Suricata. Just be aware that not all of them are compatible. Suricata will let you know which ones it does not like in the suricata.log file. Make sure you still have access to your Snort Oinkcode so you can enter it into Suricata if you plan to continue with the Snort Subscriber Rules.
              3. Remove the Snort package first! You never want both of them installed and active at the same time. Make sure your Snort interfaces are all set to DISABLED before installing Suricata if you plan on leaving Snort there for a bit to copy over things like Suppress Lists. And if it were me, I would uncheck the option on the GLOBAL SETTINGS tab to save the old Snort configuration when removing Snort. I would not want it cluttering up my config.xml file. But this is not a requirement. It won't hurt anything by remaining other than make the file slightly larger.
              4. Install the Suricata package. With no existing configuration, it will install quickly.
              5. Go to the GLOBAL SETTINGS tab and enter your rules download configuration just like you did when you set up Snort.
              6. Now go to the UPDATES tab and download the rules you selected previously.
              7. When the rules download is completed, go to the INTERFACES tab and configure your interfaces. For each interface click on the Edit icon to access its configuration parameters. Note that Suricata relies heavily on its EVE JSON logging system whereas Snort primarily used syslog. Suricata can also use syslog, but with some limitations. There is a multitude of EVE JSON logging options available in Suricata. Details about each can be found in the Suricata docs link provided up above.
              8. For each configured interface, remember to visit the CATEGORIES tab and select the rules groups you desire. Or you can use the SID MGMT feature if preferred. This all works exactly like it does in Snort.
              9. Start up all your interfaces and monitor things for a while.

              Some Observations:

              1. The GUI look and feel is almost identical between Snort and Suricata. Suricata's PHP code was in large part a simple copy and paste from existing Snort code in many areas. So, there should be no big surprises in terms of the GUI between Snort and Suricata.
              2. Suricata does not have OpenAppID nor any similar feature. Anything you had around OpenAppID in Snort will not be available in Suricata.
              3. Suricata does NOT use preprocessors. There are no preprocessor configuration options. That simplifies setup a bit in my opinion.
              F 1 Reply Last reply Aug 1, 2023, 1:49 PM Reply Quote 1
              • B
                bmeeks @DefenderLLC
                last edited by Aug 1, 2023, 1:36 PM

                @DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                The good news is that your suppression lists should also work too since they seem to use the same format.

                Correct. The format is exactly the same and you can simply copy and paste the text from your Snort lists into Suricata.

                F 1 Reply Last reply Aug 1, 2023, 2:26 PM Reply Quote 2
                • F
                  fireodo @bmeeks
                  last edited by fireodo Aug 1, 2023, 1:58 PM Aug 1, 2023, 1:49 PM

                  @bmeeks

                  Thank you very much, Bill, I bookmarked your explanation! (for the future when it becomes necessary - because I doubt that someone will do the work for Snort 3.0)

                  Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                  SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                  pfsense 2.7.2 CE
                  Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                  1 Reply Last reply Reply Quote 0
                  • F
                    fireodo @bmeeks
                    last edited by fireodo Aug 1, 2023, 2:27 PM Aug 1, 2023, 2:26 PM

                    @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                    @DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                    The good news is that your suppression lists should also work too since they seem to use the same format.

                    Correct. The format is exactly the same and you can simply copy and paste the text from your Snort lists into Suricata.

                    Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

                    Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                    SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                    pfsense 2.7.2 CE
                    Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                    B 1 Reply Last reply Aug 1, 2023, 2:31 PM Reply Quote 0
                    • B
                      bmeeks @fireodo
                      last edited by Aug 1, 2023, 2:31 PM

                      @fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                      Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

                      No, those live as encoded strings within the config.xml file of pfSense in the <packages><snort> section. And even the Suppress List resides there, but it does get written out as plaintext each time Snort is started. And it is visible as plaintext on the Suppress List edit tab, so it can easily be copied.

                      Suricata stores its information the same way. So, if you are handy with recognizing how the XML configuration file of pfSense works, you can do a manual port of those settings.

                      F 1 Reply Last reply Aug 1, 2023, 2:34 PM Reply Quote 0
                      • F
                        fireodo @bmeeks
                        last edited by fireodo Aug 1, 2023, 2:44 PM Aug 1, 2023, 2:34 PM

                        @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                        @fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                        Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

                        No, those live as encoded strings within the config.xml file of pfSense in the <packages><snort> section. And even the Suppress List resides there, but it does get written out as plaintext each time Snort is started. And it is visible as plaintext on the Suppress List edit tab, so it can easily be copied.

                        Suricata stores its information the same way. So, if you are handy with recognizing how the XML configuration file of pfSense works, you can do a manual port of those settings.

                        Aha, OK, thanks - I guess others are also interested in this information!

                        I found in the config.xml at the corresponding interface:
                        <rule_sid_off>{lots of sids}</rule_sid_off>
                        I guess that's the place.

                        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                        pfsense 2.7.2 CE
                        Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                        1 Reply Last reply Reply Quote 0
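The manual port discussed in the two posts above could start from a script like this one, which lists the force-disabled rules per interface from a copy of config.xml. It is an added example, not code from the thread or from the pfSense packages; only the `rule_sid_off` element name comes from the thread, while the sample XML, the sibling `<interface>` element and the `||`-joined `gid:sid` value format are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real pfSense config. Assumed layout: each
# per-interface block holds an <interface> name next to <rule_sid_off>,
# and the value is a list of "gid:sid" pairs joined by "||".
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <snortglobal>
      <rule>
        <interface>wan</interface>
        <rule_sid_off>1:2100498||1:2013028||3:19187||1:2100498</rule_sid_off>
      </rule>
      <rule>
        <interface>lan</interface>
        <rule_sid_off></rule_sid_off>
      </rule>
    </snortglobal>
  </installedpackages>
</pfsense>
"""

def parse_sid_list(raw, delimiter="||"):
    """Split an encoded SID string into sorted, de-duplicated (gid, sid) pairs."""
    pairs = set()
    for token in (raw or "").split(delimiter):
        gid, _, sid = token.strip().rpartition(":")
        if not sid.isdigit() or (gid and not gid.isdigit()):
            continue  # skip empty or malformed tokens instead of failing
        # A bare SID with no "gid:" prefix is treated as GID 1 (assumption).
        pairs.add((int(gid) if gid else 1, int(sid)))
    return sorted(pairs)

def disabled_sids_by_interface(xml_text):
    """Map interface name -> list of (gid, sid) found in any rule_sid_off element."""
    root = ET.fromstring(xml_text)
    result = {}
    for parent in root.iter():
        node = parent.find("rule_sid_off")
        if node is None:
            continue
        name = parent.findtext("interface", default="unknown")
        result[name] = parse_sid_list(node.text)
    return result

if __name__ == "__main__":
    for iface, pairs in disabled_sids_by_interface(SAMPLE_CONFIG).items():
        print(iface, " ".join(f"{g}:{s}" for g, s in pairs) or "(none)")
```

Run it against a local copy of the backup rather than the live file, and treat that copy as sensitive: config.xml also carries password hashes and private keys.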
                        • S
                          slu @bmeeks
                          last edited by Aug 1, 2023, 2:41 PM

                          @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                          At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

                          The problem with Suricata was the missing OpenAppID function, or I'm not up-to-date and there is a solution?

                          pfSense Gold subscription

                          D B 2 Replies Last reply Aug 1, 2023, 2:47 PM Reply Quote 0
                          • D
                            DefenderLLC @slu
                            last edited by DefenderLLC Aug 1, 2023, 2:51 PM Aug 1, 2023, 2:47 PM

                            @slu said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                            @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                            At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

                            The problem with Suricata was the missing OpenAppID function, or I'm not up-to-date and there is a solution?

                            Suricata does not have layer 7 capabilities. You will lose OpenAppID functionality if you move away from Snort. This is the only reason I use Snort. I have Snort IPS configured with the "Security" role on the WAN and IDS on the LAN just to see the app flow. The OpenAppID rules don't really get updated all that often, so it's not going to be aware of newer app patterns. I'll keep using Snort until they stop developing subscriber rules for v2.9.

                            1 Reply Last reply Reply Quote 0
                            • B
                              bmeeks @slu
                              last edited by bmeeks Aug 1, 2023, 5:26 PM Aug 1, 2023, 5:24 PM

                              @slu said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                              The problem with Suricata was the missing OpenAppID function, or I'm not up-to-date and there is a solution?

                              Suricata does not have an exact analog of OpenAppID. However, there are several rule options in Suricata that could potentially help you duplicate some of the OpenAppID functionality. These rule options (keywords and modifiers) are not present in Snort.

                              The headache with Snort3 is that everything in it has changed from the ground up. It is written in a different programming language, and the internal APIs are all different. That would mean totally rewriting from the ground up the custom blocking module used for Legacy Mode operation on pfSense. The configuration parameters are also quite a bit different now as everything moved to LUA and there is no seamless "transition path" to easily migrate pfSense legacy Snort package settings over to the new Snort3 binary. Not saying it's impossible, but doing so is a ton of work. Most likely a Snort3 package for pfSense would require you to do a green field install without migrating any existing Snort 2.9.x settings.

                              After wrestling with all of the above, I realized that the ONLY thing Snort3 had that Suricata did not was OpenAppID. But in Suricata's favor it offers detailed TLS signature detection, extensive logging, visibility into DNS transactions, and much more. At the end of the day it made more sense to me to continue support for Suricata and not move forward with Snort3.

                              S 1 Reply Last reply Aug 1, 2023, 5:35 PM Reply Quote 1
                              • S
                                slu @bmeeks
                                last edited by Aug 1, 2023, 5:35 PM

                                @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                                However, there are several rule options in Suricata that could potentially help you duplicate some of the OpenAppID functionality. These rule options (keywords and modifiers) are not present in Snort.

                                Is it possible to post one example?

                                @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                                At the end of the day it made more sense to me to continue support for Suricata and not move forward with Snort3.

                                In this case it makes sense to me to move forward to Suricata.

                                pfSense Gold subscription

                                B 1 Reply Last reply Aug 1, 2023, 5:39 PM Reply Quote 0
                                • B
                                  bmeeks @slu
                                  last edited by bmeeks Aug 1, 2023, 5:41 PM Aug 1, 2023, 5:39 PM

                                  @slu:
                                  Here are some links I found on Google that describe using the SSL/TLS keywords:

                                  https://forum.suricata.io/t/understanding-tls-sni-rules/1323

                                  https://docs.suricata.io/en/suricata-6.0.13/rules/tls-keywords.html

                                  You can basically create your own rules (or perhaps find someone offering a downloadable archive) that examine the SNI header for insight into the site the traffic is originating from or destined for. This is fundamentally what the OpenAppID feature in Snort does.

                                  1 Reply Last reply Reply Quote 1
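The SNI-based approach from the post above, applied to Suricata's EVE JSON log instead of a rule, gives a rough per-host application view. This is an added example, not from the thread or the Suricata project; the suffix-to-application table, the `.example` hostnames and the log lines are constructed, and it assumes EVE TLS logging is enabled so that events with `event_type` `tls` and a `tls.sni` field are written.

```python
import json
from collections import Counter

# Hypothetical mapping of SNI suffixes to application labels.
APP_SUFFIXES = {
    "video.example": "Video",
    "meet.example": "Meetings",
}

# Constructed EVE JSON lines (one event per line), including a non-TLS
# event, a TLS event without SNI and a truncated line.
SAMPLE_EVE = """\
{"event_type":"tls","src_ip":"192.168.1.20","dest_port":443,"tls":{"sni":"cdn.video.example","version":"TLS 1.3"}}
{"event_type":"tls","src_ip":"192.168.1.20","dest_port":443,"tls":{"sni":"VIDEO.EXAMPLE.","version":"TLS 1.2"}}
{"event_type":"tls","src_ip":"192.168.1.31","dest_port":443,"tls":{"sni":"notvideo.example","version":"TLS 1.3"}}
{"event_type":"tls","src_ip":"192.168.1.31","dest_port":8443,"tls":{"version":"TLS 1.2"}}
{"event_type":"dns","src_ip":"192.168.1.31","dns":{"type":"query","rrname":"meet.example"}}
{"event_type":"tls","src_ip":"192.168.1.31","dest_port":443,"tls":{"sni":"meet.example","version":"TLS 1.3"}}
{"event_type":"tls","src_ip":"192.168.1.31","tls":{"sni":"cdn.vid
"""

def classify_sni(sni, suffixes=APP_SUFFIXES):
    """Return the application label for an SNI value, matching on label boundaries."""
    if not sni:
        return "no-sni"
    host = sni.lower().rstrip(".")
    for suffix, app in suffixes.items():
        # Exact host or a subdomain of it; "notvideo.example" must not match.
        if host == suffix or host.endswith("." + suffix):
            return app
    return "unclassified"

def app_flows(eve_lines):
    """Count TLS handshakes per (source IP, application label)."""
    counts = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written or rotated line
        if event.get("event_type") != "tls":
            continue
        app = classify_sni(event.get("tls", {}).get("sni"))
        counts[(event.get("src_ip", "?"), app)] += 1
    return counts

if __name__ == "__main__":
    for (src, app), n in sorted(app_flows(SAMPLE_EVE.splitlines()).items()):
        print(f"{src:15} {app:13} {n}")
```

The SNI value is supplied by the client and can be absent or set to anything, so the "no-sni" and "unclassified" buckets are worth reviewing rather than discarding.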
                                  • D
                                    DefenderLLC
                                    last edited by DefenderLLC Aug 1, 2023, 9:08 PM Aug 1, 2023, 9:04 PM

                                    The community rules are back: https://www.snort.org/downloads#rules


                                    1 Reply Last reply Reply Quote 0