Snort: Will it block after activating emergingthreats rules?



  • Just want to double check with everyone, I am now using Snort 2.8.4.1 pkg v. 1.3

    After activating the "emergingthreats rules" in the Categories, there are no more blocked IPs or alert messages showing in the "Blocked" & "Alerts" section. Has this happened to you?

    I have tried to uncheck all "emergingthreats rules" in the Categories, and all the blocked IPs show again.

    So, does this mean activating these "emergingthreats rules" will automatically drop all the "bad traffic" (just wondering)?

    Thanks, David



  • Ok, I have been testing it all night on these new "emergingthreats rules" categories.

    Once I enabled the following categories, Snort will not block the incoming traffic:
    emerging-attack_response.rules
    emerging-exploit.rules
    emerging-malware.rules
    emerging-web.rules

    The rest of the "emergingthreats rules" are so far working great.

    By the way, the emerging-virus.rules, emerging-rbn.rules and emerging-tor.rules are great. I highly recommend enabling them. They will block out a lot of spam and attacks from the Russian side.

    Thanks,



  • Thanks Davc. Can you show me how to install the rules by CLI, or by uploading and extracting them through the web GUI? I'm not good at typing CLI commands… Thanks

    jigp
    Davao City
    1.2.x



  • In the Snort package > Settings tab, check "Install emergingthreats rules".

    Then go to "Update Rules" and wait for all the rules to update.

    Once the update has completed, go to "Categories" and select the categories you want.

    However, in v1.4 you now need to fill in the Server Rules information, such as port and server IP.

    I cannot get v1.4 to block  :'(



  • @Davc:

    In the Snort package > Settings tab, check "Install emergingthreats rules".

    Then go to "Update Rules" and wait for all the rules to update.

    Once the update has completed, go to "Categories" and select the categories you want.

    However, in v1.4 you now need to fill in the Server Rules information, such as port and server IP.

    I cannot get v1.4 to block  :'(

    Thanks for helping out the community Davc.

    You don't need to fill in all the Server Rules information; you can just leave it empty. If you do add server information, Snort will perform better and you will get fewer false positive alerts.

    James



  • Davc

    You can't get alerts to block?

    Can you tell me more.

    James



  • Dear James,

    I am now on Snort 2.8.4.1 pkg v. 1.4

    I tried reinstalling, uninstalling, then rebooting the firewall and installing again. I unchecked all the Categories and then started with the SMTP rules. It still only shows alert messages and no blocking.

    Yes, I have left the IP address blank and only inserted the specific ports under each category.

    Any suggestion would be appreciated, thanks. :D



  • Hi, if we enable "emergingthreats rules", how much RAM would this feature use? I'm just using 2.5GB RAM, 160GB HD..

    jigp



    jigp

    Use ac-bnfa as the Memory Performance setting and you should be fine.

    With 2.5 GB RAM you don't have to worry about how many rules you select. (I wish I had your system.)

    Select all the rules and report back how much RAM Snort is using. It should be only 300 MB for each interface.

    James
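For readers wondering what the "Memory Performance" drop-down James refers to actually changes, here is the corresponding snort.conf directive. This is an added illustration, not a file from the thread or from the pfSense Snort package; the package generates its own snort.conf per interface from the GUI setting, so this fragment is for understanding the setting, not for hand-editing a package-managed file.

```conf
# snort.conf fragment (added example, not from the thread).
# The "Memory Performance" setting in the pfSense Snort package maps to
# the pattern-matcher choice below. Only one search-method line is active.

# Full Aho-Corasick state tables: fastest matching, largest memory
# footprint, and the footprint grows with every rule category enabled.
# config detection: search-method ac

# What James recommends: Aho-Corasick with a binary NFA. Much smaller
# state tables at a modest speed cost, which is why it keeps memory
# predictable when many emergingthreats categories are turned on.
config detection: search-method ac-bnfa

# Smallest footprint but slowest; only worth it on boxes with very little RAM.
# config detection: search-method lowmem
```

To report back the number James asks for, the resident set size of each Snort process (one per monitored interface) can be read on pfSense with `ps -axo rss,command | grep '[s]nort'`; the rss column is in kilobytes.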

