Suricata and having an Oinkmaster code
-
Hello,
Can someone explain to me the purpose of having a Snort Oinkmaster code as it relates to Suricata?
I have paid for a $30 snort personal plan which I assume, for one sensor, I get the latest signatures to use. As part of the Suricata installation, an oinkmaster code is needed to make the rules set appear in the categories list.
The problem I am finding is that the majority of the Snort rules lists are empty (I understand for legacy reasons). Only ET have reasonable rules available, but those are for the free tier. So what's the purpose of having Snort as part of the Suricata package if the rule list is empty?
-
The Oinkcode is required in order to download the rules. It must be supplied as an argument with the URL. With a paid subscription you get the more current Snort VRT rules.
Whether or not you use Snort rules with Suricata is a personal choice. Some do, and some don't. The Snort rules are the only ones that contain IPS Policy metadata, so if you like to use an IPS Policy to automatically select your rules, you can only do that with the Snort VRT rules. The ET rules have no policy metadata tags in them.
-
@bmeeks so I'm trying to understand the logic as it's shown in the GUI. If I do not select any Snort rule categories, do Snort VRT rules run under the hood? It seems that way implicitly.
-
@michmoor said in Suricata and having an Oinkmaster code:
@bmeeks so I'm trying to understand the logic as it's shown in the GUI. If I do not select any Snort rule categories, do Snort VRT rules run under the hood? It seems that way implicitly.
I don't fully understand your question here. If you do not choose any Snort category files under CATEGORIES, and you don't enable an IPS Policy, then no Snort VRT rules will be used at all (ignoring OpenAppID here as those rules are totally different). The rules may still be downloaded and updated if you have the download option enabled, but they will not be selected for use on any interface unless the appropriate category is selected on that interface. Note that SID MGMT, if used, can also automatically enable categories including Snort VRT rules.
But if you enable an IPS Policy, that will automatically choose a collection of Snort VRT rules and enable them. Remember I posted somewhere up above that the Snort VRT rules (and ONLY the Snort VRT rules) contain a special metadata tag that associates a rule with one or more pre-defined IPS policies. Also, for each assigned policy, the metadata contains a suggested action (ALERT or DROP) for each rule. So when you check the box in the GUI to enable an IPS Policy, the PHP code will automatically scan the Snort VRT rules and pull in all the rules tagged with the IPS policy metadata matching the policy you chose on the CATEGORIES tab. You can easily see these metadata tags by opening some of the Snort VRT rules and searching for the string "policy {policy_name}-ips", {policy_name} is replaced by "connectivity, balanced, etc.". When IPS Policy is enabled, manual selection of Snort VRT categories on the CATEGORIES tab is disabled. The logic there is the user is handing over the Snort VRT rule selections to the enabled IPS policy logic. However, if desired, you can still use the SID MGMT features to add additional Snort VRT rules.
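To make the IPS Policy mechanism described above concrete, here is an added example (not code from the pfSense Suricata package, and not the PHP logic it uses) that does the same job in Python: it scans rule lines for the Snort VRT `metadata:policy {policy_name}-ips {action}` tags, picks the rules tagged for a chosen policy, and rewrites each rule's action keyword to the suggested ALERT or DROP. The rule text is constructed for this example and is not real VRT content; the decision to also consider rules that are commented out with a leading `#` (disabled by default in the rule file) is an assumption of this example, not something the thread states.

```python
import re
from dataclasses import dataclass

# Constructed sample rules in Snort VRT style (NOT real VRT rules; SIDs are made up).
# Rule A carries three policy tags, rule B is disabled by default and tagged only
# for security-ips, rule C has no policy metadata at all (like the ET rules).
SAMPLE_RULES = """\
# constructed-rules.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED rule A"; flow:to_server,established; content:"GET"; metadata:policy balanced-ips drop, policy connectivity-ips alert, policy security-ips drop, service http; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED rule B"; metadata:policy security-ips alert, service ssl; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED rule C, no policy metadata"; sid:9000003; rev:1;)
"""

# Optional leading '#' (rule disabled in the file), then the action keyword.
RULE_HEADER_RE = re.compile(r'^(#\s*)?(alert|drop|pass|reject)\b')
METADATA_RE = re.compile(r'metadata:\s*([^;]*);')
POLICY_TAG_RE = re.compile(r'^policy\s+([a-z\-]+)-ips\s+(alert|drop)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


@dataclass
class PolicyRule:
    sid: int
    action: str   # suggested action taken from the policy tag
    rule: str     # rule text, enabled and with the action keyword rewritten


def parse_policy_tags(rule_line):
    """Return {policy_name: suggested_action} from the rule's metadata keyword."""
    m = METADATA_RE.search(rule_line)
    if not m:
        return {}
    tags = {}
    for item in m.group(1).split(','):
        pm = POLICY_TAG_RE.match(item.strip())
        if pm:
            tags[pm.group(1)] = pm.group(2)
    return tags


def policies_in_ruleset(rules_text):
    """Set of IPS policy names referenced anywhere in the rule text."""
    names = set()
    for line in rules_text.splitlines():
        names.update(parse_policy_tags(line.strip()))
    return names


def select_for_policy(rules_text, policy):
    """Pick every rule tagged for `policy` and apply the tag's ALERT/DROP action.

    Assumption of this example: a rule commented out with '#' is still eligible
    and gets uncommented when its metadata matches the chosen policy.
    """
    selected = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        hm = RULE_HEADER_RE.match(line)
        if not hm:
            continue          # blank lines and ordinary comments
        tags = parse_policy_tags(line)
        if policy not in tags:
            continue          # rule not part of this policy (e.g. no metadata)
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue          # malformed rule without a sid
        action = tags[policy]
        enabled = line[len(hm.group(1) or ''):]          # drop a leading '#'
        enabled = re.sub(r'^(alert|drop|pass|reject)\b', action, enabled, count=1)
        selected.append(PolicyRule(int(sid_m.group(1)), action, enabled))
    return selected


if __name__ == "__main__":
    print("policies present:", sorted(policies_in_ruleset(SAMPLE_RULES)))
    for name in ("connectivity", "balanced", "security"):
        chosen = select_for_policy(SAMPLE_RULES, name)
        print(f"{name}-ips -> {[(r.sid, r.action) for r in chosen]}")
```

Running it shows why enabling a policy disables manual category selection: the policy alone decides which SIDs are active and whether each one alerts or drops, while a rule with no policy metadata (rule C, or any ET rule) is never selected by this path.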