Snort: Will it block after activate emergingthreats rules?

Davc

Just want to double check with everyone, I am now using  Snort 2.8.4.1 pkg v. 1.3

After activating the "emergingthreats rules" in the Categories, there are no more blocked IP or Alerts messages showing in the "Blocked" & "Alerts" section. Does this happened to you?

I have tried to uncheck all "emergingthreats rules" in the Categories, all the blocked IP show again.

So, does this mean activating these "emergingthreats rules" will automatically drop all the "bad traffic" (just wonder)?

Thanks, David

Davc

Ok, I have been testing it whole night on these new "emergingthreats rules" categories.

Once I enabled the following categories, Snort will not blocked the incoming traffic:
emerging-attack_response.rules
emerging-exploit.rules
emerging-malware.rules
emerging-web.rules

The rest of the  "emergingthreats rules" are so far working great.

By the way, the emerging-virus.rules ,  emerging-rbn.rules ,  emerging-tor.rules are great. I highly  recommend to enable them. It will block out a lot of Spam and attack from Russian side.

Thanks,

jigpe

Thanks Davc. Can you show me the way how to install the rules by cli or webgui uploading there and extract? Im not good in cli typing commands…Thanks

jigp
Davao City
1.2.x

Davc

In the Snort Packages > Setting Tabe > check the "Install emergingthreats rules"

Then go to the "Update Rules" and wait for all the rules update.

Once update completed, go to "Categories" and select the Categories you want.

However, In the V 1.4, you now need to fill the Server Rules information. Such as port and server IP.

I cannot get V1.4 working to block  :'(

jamesdean

@Davc:

In the Snort Packages > Setting Tabe > check the "Install emergingthreats rules"

Then go to the "Update Rules" and wait for all the rules update.

Once update completed, go to "Categories" and select the Categories you want.

However, In the V 1.4, you now need to fill the Server Rules information. Such as port and server IP.

I cannot get V1.4 working to block  :'(

Thanks for helping out the community Davc.

You don't need to fill in the all Server rules information you can just leave it empty. If you do add Server information snort will perform better and you will get less false positives alerts.

James

jamesdean

Davc

You can't get alerts to block ?

Cabn you tell me more.

James

Davc

Dear James,

I am now on the  Snort 2.8.4.1 pkg v. 1.4

i tried reinstall, un-install, then  reboot the firewall and install again. Unchecked all the Categories and then start with the SMTP rules. Still only show alert messages and no blocking.

Yes, I have leave the IP address blank and only insert the specific ports under each categories.

Any suggestion would be appreciated, thanks. :D

jigpe

Hi if we enable "emergingthreats rules" how much RAM would this feature use? Im just using 2.5GB RAM , 160GB HD..

jigp

jamesdean

jigpe

Use ac-bnfa as the memory Performance management and you should be fine.

2.5 GB RAM you don't have to worry about how many rules you select. (I wish I had your system).

Select all the rules and report back how much ram snort is using. It should be only 300mb for each interface.

James