Netgate Discussion Forum

[Solved] Snort GPLv2 Community Rules - Unable to download checksum file

IDS/IPS
41 Posts 9 Posters 7.5k Views
    bmeeks @DefenderLLC
    last edited by Aug 1, 2023, 1:36 PM

    @DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

    The good news is that your suppression lists should also work too since they seem to use the same format.

    Correct. The format is exactly the same and you can simply copy and paste the text from your Snort lists into Suricata.

      fireodo @bmeeks
      last edited by fireodo Aug 1, 2023, 1:58 PM Aug 1, 2023, 1:49 PM

      @bmeeks

      Thank you very much, Bill, I bookmarked your explanation! (for the future when it becomes necessary - because I doubt that someone will do the work for Snort 3.0)

      Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
      SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
      pfsense 2.8.0 CE
      Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

        fireodo @bmeeks
        last edited by fireodo Aug 1, 2023, 2:27 PM Aug 1, 2023, 2:26 PM

        @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

        @DefenderLLC said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

        The good news is that your suppression lists should also work too since they seem to use the same format.

        Correct. The format is exactly the same and you can simply copy and paste the text from your Snort lists into Suricata.

        Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

          bmeeks @fireodo
          last edited by Aug 1, 2023, 2:31 PM

          @fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

          Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

          No, those live as encoded strings within the config.xml file of pfSense in the <packages><snort> section. And even the Suppress List resides there, but it does get written out as plaintext each time Snort is started. And it is visible as plaintext on the Suppress List edit tab, so it can easily be copied.

          Suricata stores its information the same way. So, if you are handy with recognizing how the XML configuration file of pfSense works, you can do a manual port of those settings.

            fireodo @bmeeks
            last edited by fireodo Aug 1, 2023, 2:44 PM Aug 1, 2023, 2:34 PM

            @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

            @fireodo said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

            Is there somewhere a file (maybe) where all the "User Forced Disabled Rules" reside? (Not the suppression list)

            No, those live as encoded strings within the config.xml file of pfSense in the <packages><snort> section. And even the Suppress List resides there, but it does get written out as plaintext each time Snort is started. And it is visible as plaintext on the Suppress List edit tab, so it can easily be copied.

            Suricata stores its information the same way. So, if you are handy with recognizing how the XML configuration file of pfSense works, you can do a manual port of those settings.

            Aha, OK, thanks. I guess others are also interested in this information!

            I found in the config.xml at the corresponding interface:
            <rule_sid_off>{lots of sids}</rule_sid_off>
            I guess that's the place.

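As an added example (not code from this thread, from the pfSense Snort package, or from the Suricata package), the following Python script pulls the force-disabled SIDs and the suppress list out of a saved config.xml so they can be reviewed and carried over to Suricata by hand, as bmeeks describes. Beyond the `<rule_sid_off>` element fireodo found, everything about the storage layout is an assumption: the `rule_sid_on`, `suppresslistname` and `suppress/item/suppresspassthru` element names, the `||`-separated `gid:sid` token format, and the base64 encoding of the suppress list body. Confirm each against your own config.xml before trusting the output. The config fragment and suppress list below are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed suppress list; the syntax is the one both Snort and Suricata accept.
SUPPRESS_TEXT = (
    "# suppress noisy signatures on the WAN (constructed sample)\n"
    "suppress gen_id 1, sig_id 2100498\n"
    "suppress gen_id 1, sig_id 2019401, track by_src, ip 192.0.2.10\n"
    "suppress gen_id 120, sig_id 3\n"
)

# Constructed config.xml fragment. ASSUMPTIONS: forced rules are "gid:sid" tokens
# joined by "||" in <rule_sid_off>/<rule_sid_on>, and the suppress list body is
# stored base64-encoded in <suppresspassthru>. Verify against a real config.xml.
SAMPLE_CONFIG = f"""<?xml version="1.0"?>
<pfsense>
  <packages>
    <snort>
      <rule>
        <interface>wan</interface>
        <descr>WAN</descr>
        <rule_sid_off>1:2100498||1:2019401||1:2019402</rule_sid_off>
        <rule_sid_on>1:2019403</rule_sid_on>
        <suppresslistname>wansuppress</suppresslistname>
      </rule>
      <rule>
        <interface>lan</interface>
        <descr>LAN</descr>
        <rule_sid_off></rule_sid_off>
        <suppresslistname>default</suppresslistname>
      </rule>
      <suppress>
        <item>
          <name>wansuppress</name>
          <suppresspassthru>{base64.b64encode(SUPPRESS_TEXT.encode()).decode()}</suppresspassthru>
        </item>
      </suppress>
    </snort>
  </packages>
</pfsense>
"""

SID_TOKEN_RE = re.compile(r"^\d+:\d+$")
SUPPRESS_LINE_RE = re.compile(
    r"^suppress\s+gen_id\s+\d+\s*,\s*sig_id\s+\d+"
    r"(\s*,\s*track\s+by_(?:src|dst)\s*,\s*ip\s+\S+)?$"
)


def parse_sid_list(text):
    """Turn '1:2100498||1:2019401' into [(1, 2100498), (1, 2019401)].
    A malformed token raises instead of being dropped silently."""
    pairs = []
    for tok in (text or "").split("||"):
        tok = tok.strip()
        if not tok:
            continue
        if not SID_TOKEN_RE.match(tok):
            raise ValueError(f"unexpected sid token {tok!r}")
        gid, sid = tok.split(":")
        pairs.append((int(gid), int(sid)))
    return pairs


def validate_suppress_lines(text):
    """Return lines that are neither blank, comments, nor well-formed
    'suppress gen_id G, sig_id S[, track by_src|by_dst, ip X]' statements,
    so a bad line is caught before it is pasted into Suricata."""
    return [
        line for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
        and not SUPPRESS_LINE_RE.match(line.strip())
    ]


def export_snort_settings(config_xml):
    """Map each Snort interface to its forced SIDs and decoded suppress list."""
    snort = ET.fromstring(config_xml).find("./packages/snort")
    if snort is None:
        raise ValueError("no <packages><snort> section in this config")
    suppress_lists = {
        item.findtext("name"):
            base64.b64decode(item.findtext("suppresspassthru") or "").decode("utf-8")
        for item in snort.findall("./suppress/item")
    }
    result = {}
    for iface in snort.findall("./rule"):
        listname = iface.findtext("suppresslistname")
        result[iface.findtext("interface")] = {
            "descr": iface.findtext("descr"),
            "sid_off": parse_sid_list(iface.findtext("rule_sid_off")),
            "sid_on": parse_sid_list(iface.findtext("rule_sid_on")),
            "suppress_list": listname,
            "suppress_text": suppress_lists.get(listname),
        }
    return result


if __name__ == "__main__":
    for name, s in export_snort_settings(SAMPLE_CONFIG).items():
        print(f"{name} ({s['descr']}): {len(s['sid_off'])} forced off, "
              f"{len(s['sid_on'])} forced on, suppress list {s['suppress_list']!r}")
        if s["suppress_text"]:
            bad = validate_suppress_lines(s["suppress_text"])
            print("  suppress list OK" if not bad else f"  malformed lines: {bad}")
```

Run it against a copy of config.xml (replace SAMPLE_CONFIG with the file contents) rather than editing the live file; anything the script flags as malformed or as an unexpected token is a sign the assumed layout differs from what the package actually wrote.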
              slu @bmeeks
              last edited by Aug 1, 2023, 2:41 PM

              @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

              At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

              The problem with Suricata was the missing OpenAppID function, or am I not up to date and there is a solution?

              pfSense Gold subscription

                DefenderLLC @slu
                last edited by DefenderLLC Aug 1, 2023, 2:51 PM Aug 1, 2023, 2:47 PM

                @slu said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                At that point Suricata will be the IDS/IPS package on pfSense unless someone else steps up to provide a Snort3 package.

                The problem with Suricata was the missing OpenAppID function, or am I not up to date and there is a solution?

                Suricata does not have layer 7 capabilities. You will lose OpenAppID functionality if you move away from Snort. This is the only reason I use Snort. I have Snort IPS configured with the "Security" role on the WAN and IDS on the LAN just to see the app flow. The OpenAppID rules don't really get updated all that often, so it's not going to be aware of newer app patterns. I'll keep using Snort until they stop developing subscriber rules for v2.9.

                  bmeeks @slu
                  last edited by bmeeks Aug 1, 2023, 5:26 PM Aug 1, 2023, 5:24 PM

                  @slu said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                  The problem with Suricata was the missing OpenAppID function, or am I not up to date and there is a solution?

                  Suricata does not have an exact analog of OpenAppID. However, there are several rule options in Suricata that could potentially help you duplicate some of the OpenAppID functionality. These rule options (keywords and modifiers) are not present in Snort.

                  The headache with Snort3 is that everything in it has changed from the ground up. It is written in a different programming language, and the internal APIs are all different. That would mean totally rewriting from the ground up the custom blocking module used for Legacy Mode operation on pfSense. The configuration parameters are also quite a bit different now as everything moved to Lua and there is no seamless "transition path" to easily migrate pfSense legacy Snort package settings over to the new Snort3 binary. Not saying it's impossible, but doing so is a ton of work. Most likely a Snort3 package for pfSense would require you to do a green field install without migrating any existing Snort 2.9.x settings.

                  After wrestling with all of the above, I realized that the ONLY thing Snort3 had that Suricata did not was OpenAppID. But in Suricata's favor it offers detailed TLS signature detection, extensive logging, visibility into DNS transactions, and much more. At the end of the day it made more sense to me to continue support for Suricata and not move forward with Snort3.

                    slu @bmeeks
                    last edited by Aug 1, 2023, 5:35 PM

                    @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                    However, there are several rule options in Suricata that could potentially help you duplicate some of the OpenAppID functionality. These rule options (keywords and modifiers) are not present in Snort.

                    Is it possible to post one example?

                    @bmeeks said in [Solved] Snort GPLv2 Community Rules - Unable to download checksum file:

                    At the end of the day it made more sense to me to continue support for Suricata and not move forward with Snort3.

                    In this case it makes sense to me to move forward to Suricata.

                      bmeeks @slu
                      last edited by bmeeks Aug 1, 2023, 5:41 PM Aug 1, 2023, 5:39 PM

                      @slu:
                      Here are some links I found on Google that describe using the SSL/TLS keywords:

                      https://forum.suricata.io/t/understanding-tls-sni-rules/1323

                      https://docs.suricata.io/en/suricata-6.0.13/rules/tls-keywords.html

                      You can basically create your own rules (or perhaps find someone offering a downloadable archive) that examine the SNI header for insight into the site the traffic is originating from or destined for. This is fundamentally what the OpenAppID feature in Snort does.

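Since slu asked for an example: the block below is an added illustration (not code from the thread, from bmeeks, or from the Suricata project) of the SNI-based approach bmeeks points to. It generates Suricata rules that tag TLS sessions by application from a small, constructed map of application name to DNS suffix, using the `tls.sni` sticky buffer with the `dotprefix` transform and `endswith`, as documented in the Suricata rules reference linked above. That combination matches the exact domain and its subdomains but not look-alike names such as notzoom.us. The suffix list, the `APPID` message prefix, the SID range starting at 9000000 and the `policy-violation` classtype are assumptions for the example; `sni_matches` mirrors the rule's match semantics so the list can be sanity-checked offline before it is loaded.

```python
import re

# Constructed application-to-SNI-suffix map; illustrative, not a real OpenAppID detector list.
APP_SNI_SUFFIXES = {
    "dropbox": ["dropbox.com", "dropboxapi.com"],
    "facebook": ["facebook.com", "fbcdn.net"],
    "zoom": ["zoom.us"],
}

# Assumed local SID range; pick one that does not collide with your downloaded rulesets.
SID_BASE = 9000000


def build_sni_rule(app, suffix, sid, action="alert"):
    """One Suricata rule tagging client-to-server TLS whose SNI is `suffix` or a subdomain of it.
    dotprefix prepends '.' to the SNI buffer, so content:".zoom.us" with endswith
    matches "zoom.us" and "us04web.zoom.us" but not "notzoom.us"."""
    return (
        f"{action} tls $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"APPID {app} via TLS SNI ({suffix})"; flow:established,to_server; '
        f'tls.sni; dotprefix; content:".{suffix}"; endswith; nocase; '
        f"classtype:policy-violation; sid:{sid}; rev:1;)"
    )


def generate_rules(mapping, sid_base=SID_BASE, action="alert"):
    """Deterministic rule set (sorted by app) with consecutive SIDs from sid_base."""
    rules, sid = [], sid_base
    for app in sorted(mapping):
        for suffix in mapping[app]:
            rules.append(build_sni_rule(app, suffix, sid, action))
            sid += 1
    return rules


def duplicate_sids(rules):
    """SIDs that appear more than once; loading such a file makes Suricata reject rules."""
    sids = [int(m) for m in re.findall(r"\bsid:(\d+);", "\n".join(rules))]
    return sorted({s for s in sids if sids.count(s) > 1})


def sni_matches(sni, suffix):
    """Offline mirror of tls.sni; dotprefix; content:".suffix"; endswith; nocase."""
    return ("." + sni.lower()).endswith("." + suffix.lower())


def classify_sni(sni, mapping):
    """Application names whose suffixes match this SNI (empty list if none)."""
    return sorted(app for app, sfxs in mapping.items()
                  if any(sni_matches(sni, s) for s in sfxs))


if __name__ == "__main__":
    rules = generate_rules(APP_SNI_SUFFIXES)
    assert not duplicate_sids(rules)
    print("\n".join(rules))  # paste into a custom rules file / the package's custom rules tab
    for sni in ("us04web.zoom.us", "notzoom.us", "WWW.FACEBOOK.COM"):
        print(sni, "->", classify_sni(sni, APP_SNI_SUFFIXES))
```

Switching `action` to `drop` only makes sense in inline IPS mode; in the pfSense packages' Legacy Mode the alert is what the blocking module acts on, and the posts above note that SNI is only as trustworthy as the client that sent it, so treat the tag as telemetry, not proof of the application.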
                        DefenderLLC
                        last edited by DefenderLLC Aug 1, 2023, 9:08 PM Aug 1, 2023, 9:04 PM

                        The community rules are back: https://www.snort.org/downloads#rules

                        [screenshots attached to the post]

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.