Netgate Discussion Forum
    Snort: Will it block after activate emergingthreats rules?

    pfSense Packages
    Davc:

      Just want to double check with everyone, I am now using Snort 2.8.4.1 pkg v. 1.3

      After activating the "emergingthreats rules" in the Categories, there are no more blocked IPs or alert messages showing in the "Blocked" & "Alerts" sections. Does this happen to you?

      I have tried unchecking all "emergingthreats rules" in the Categories, and all the blocked IPs show again.

      So, does this mean activating these "emergingthreats rules" will automatically drop all the "bad traffic" (just wondering)?

      Thanks, David

      Davc:

        Ok, I have been testing these new "emergingthreats rules" categories the whole night.

        Once I enabled the following categories, Snort would not block the incoming traffic:
        emerging-attack_response.rules
        emerging-exploit.rules
        emerging-malware.rules
        emerging-web.rules

        The rest of the "emergingthreats rules" are so far working great.

        By the way, the emerging-virus.rules, emerging-rbn.rules and emerging-tor.rules are great. I highly recommend enabling them. They will block out a lot of spam and attacks from the Russian side.

        Thanks,

        jigpe:

          Thanks Davc. Can you show me how to install the rules via the CLI, or by uploading and extracting them through the web GUI? I'm not good at typing CLI commands… Thanks

          jigp
          Davao City
          1.2.x

          Davc:

            In the Snort package > Settings tab > check "Install emergingthreats rules"

            Then go to "Update Rules" and wait for all the rules to update.

            Once the update has completed, go to "Categories" and select the categories you want.

            However, in v1.4 you now need to fill in the Server Rules information, such as port and server IP.

            I cannot get v1.4 working to block :'(

            jamesdean:

              @Davc:

              In the Snort package > Settings tab > check "Install emergingthreats rules"

              Then go to "Update Rules" and wait for all the rules to update.

              Once the update has completed, go to "Categories" and select the categories you want.

              However, in v1.4 you now need to fill in the Server Rules information, such as port and server IP.

              I cannot get v1.4 working to block :'(

              Thanks for helping out the community Davc.

              You don't need to fill in all the Server rules information; you can just leave it empty. If you do add Server information, snort will perform better and you will get fewer false positive alerts.

              James

              jamesdean:

                Davc

                You can't get alerts to block?

                Can you tell me more.

                James

                Davc:

                  Dear James,

                  I am now on Snort 2.8.4.1 pkg v. 1.4

                  I tried reinstalling, uninstalling, then rebooting the firewall and installing again. I unchecked all the categories and then started with the SMTP rules. It still only shows alert messages and no blocking.

                  Yes, I have left the IP address blank and only inserted the specific ports under each category.

                  Any suggestion would be appreciated, thanks. :D

                  jigpe:

                    Hi, if we enable "emergingthreats rules", how much RAM would this feature use? I'm just using 2.5GB RAM, 160GB HD..

                    jigp

                    jamesdean:

                      jigpe

                      Use ac-bnfa as the memory performance management setting and you should be fine.

                      With 2.5 GB RAM you don't have to worry about how many rules you select. (I wish I had your system.)

                      Select all the rules and report back how much RAM snort is using. It should be only 300MB for each interface.

                      James

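James asks for the per-interface memory figure and gives 300MB per interface as the expected ceiling. The following script is an added example, not something posted in this thread or shipped by the pfSense Snort package: it takes `ps`-style output (RSS in KB as the first field, then the command line), reports the resident memory of each Snort instance by the interface named in its `-i` argument, and flags any instance above a threshold. The two sample lines are constructed for the example; on a real pfSense box you would feed it `ps -axo rss,command | grep '[s]nort'` instead, and the `/usr/local/etc/snort/snort_<id>_<iface>/` paths are only illustrative.

```shell
#!/bin/sh
# Added example: check per-interface Snort memory against a threshold.
# Constructed sample of "ps -axo rss,command" output (RSS is in KB on FreeBSD/pfSense);
# one snort process per monitored interface, as the pfSense package starts them.
SAMPLE_PS='  287400 /usr/local/bin/snort -R 12345 -D -l /var/log/snort/snort_em012345 -i em0 -c /usr/local/etc/snort/snort_12345_em0/snort.conf
  412120 /usr/local/bin/snort -R 23456 -D -l /var/log/snort/snort_em123456 -i em1 -c /usr/local/etc/snort/snort_23456_em1/snort.conf'

# Print one "<iface> <rss_mb>" line per snort process found in the ps text given as $1.
snort_rss_mb() {
    printf '%s\n' "$1" | awk '/\/snort /{
        iface = "?"
        # the interface follows the -i flag on the command line
        for (i = 1; i <= NF; i++) if ($i == "-i") iface = $(i + 1)
        printf "%s %d\n", iface, $1 / 1024
    }'
}

# Exit 0 if every snort instance in $1 uses at most $2 MB of resident memory, else exit 1.
check_snort_memory() {
    snort_rss_mb "$1" | awk -v max="$2" 'BEGIN { bad = 0 } $2 > max { bad = 1 } END { exit bad }'
}

# Stand-alone usage against the constructed sample, using the 300MB figure from the thread.
snort_rss_mb "$SAMPLE_PS"
if check_snort_memory "$SAMPLE_PS" 300; then
    echo "all snort instances within 300MB"
else
    echo "at least one snort instance exceeds 300MB"
fi
```

Because the pfSense package runs a separate Snort process per interface, the per-interface RSS is the number to compare with the 300MB expectation; the total across interfaces scales with how many interfaces Snort is enabled on, not with the number of categories alone.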
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.