Netgate Discussion Forum
    Using Only Emerging Threat Rules with Snort( No Sourcefire Rules) A guide

      rw783

      I am posting this guide because I searched the forum and did a bit of searching over the last few days and couldn't find an answer to this question anywhere.

      I just want to say that YES, it is possible to use ONLY the Emerging Threat rules with Snort on pfSense. I am currently on 1.2.2. I do not use the SourceFire VRT rules, nor is an Oink Code needed. There are reasons a person may not want to use the VRT rules, so I am offering an alternative.

      Installing Emerging Threat Rules on pfSense

      Step 1: Download and install WinSCP from the following link. http://winscp.net/eng/index.php

      We will need WinSCP later.

      Step 2: Go to the Emerging Threats web site http://www.emergingthreats.net/ and download the rules (the file you want to download is emerging.rules.tar.gz).

      Step 3: If you haven't already done so, add the Snort package to your pfSense.

      Step 4: On the Snort settings page on your pfSense, ensure that ONLY the following boxes are checked:

      Automatically Block Offenders
      Associate Events on the Blocked Tab

      Also, the Performance option should be set to ac-bfna.

      Save the settings.

      Step 5: Extract the emerging.rules.tar.gz file to a folder of your choosing. Once this is done, we proceed to the next step.

      Note: you can use 7zip on Windows to extract the emerging.rules.tar.gz file: http://www.7-zip.org/

      Step 6: Enable SSH on your pfSense box. This will be temporary. This is done under the System --> Advanced menu: put a check in the Enable Secure Shell checkbox and click Save.

      Step 7: Use WinSCP to log in to your pfSense box (I prefer using the Norton Commander interface in WinSCP as I find it's easier to use, but this is personal preference).

      Step 8: In WinSCP, navigate to the following folder on your pfSense box: /usr/local/etc/snort/rules

      Step 9: Using WinSCP, copy the Emerging Threat rules into the /usr/local/etc/snort/rules folder. Copy the individual rules files to the /usr/local/etc/snort/rules directory; copying the folder that contains the Emerging Threat rules to the directory will not work.

      Note: The individual rule files MUST exist directly under /usr/local/etc/snort/rules. For example, /usr/local/etc/snort/rules/rules will not work; the individual rules files must exist under /usr/local/etc/snort/rules.

      Step 10: Once the rules are copied, close WinSCP.

      Step 11: Go to Diagnostics and then Command on the pfSense web interface.

      On the Diagnostics page, in the box that says Execute Shell Command, type sync and click Execute 3 times. This is for good measure, to ensure it picks up the Emerging Threat files written to the disk.

      Step 12: On the Diagnostics page under PHP Execute, type apc_clear_cache(); and click Execute.

      Step 13: Go to System --> Advanced, remove the check from Enable Secure Shell and click Save.

      Step 14: Go to the Snort settings tabs and click on the "Categories" tab.

      Now all the Emerging Threat categories will be listed, even for those who don't have a Snort code.

      Choose the categories you wish to use. For reference, I am using the following Emerging Threats rules with no problems on pfSense 1.2.2 with the latest pfSense Snort package:

      emerging-attack_response.rules
      emerging-botcc.rules
      emerging-compromised.rules
      emerging-dos.rules
      emerging-drop.rules
      emerging-dshield.rules
      emerging-exploit.rules
      emerging-inappropriate.rules
      emerging-malware.rules
      emerging-p2p.rules
      emerging-rbn.rules
      emerging-scan.rules
      emerging-tor.rules
      emerging-virus.rules
      emerging-voip.rules
      emerging-web.rules
      emerging-web_sql_injection.rules
      emerging.rules

      Once you have chosen the categories you want, click Save, then click the Settings tab, choose the WAN interface and click Save.

      Now if you want to update the rules, all you have to do is download them and extract them, use WinSCP to copy them onto your pfSense box, issue the sync command 3 times and apc_clear_cache(); on the Diagnostics page, save your Snort settings, and you're done.

      The apc_clear_cache(); and the sync command are issued to prevent you from having to reboot your pfSense box. I have found pfSense won't recognize the updates until you issue the sync command 3 times, and then the apc_clear_cache(); PHP command.

      Your mileage may vary there. Following the above guide will allow one to use the Emerging Threats rules as the base of their Snort rules without having to use the VRT rules, registering with snort.org, or getting an OinkCode.

      I fiddled around with this because the VRT rules are just too big (77MB and growing); it's just too much. I have also begun contributing to the Emerging Threats community, submitting Snort rules I have written, so it feels good to give back, and I wanted to let pfSense users know they can use them without the VRT rules if they want to.

      Hope this guide helps someone out there.

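As an added example (not the poster's own method or code), here is a small POSIX sh helper for the extract-and-copy part of the guide (Steps 5, 9 and 11) that could be run on the pfSense box over the SSH session Step 6 enables instead of using WinSCP. It assumes tar, find and mktemp are available, and it guards against the pitfall the guide's note warns about: every .rules file must end up directly under /usr/local/etc/snort/rules, not in a nested rules/ folder. The tarball-building function constructs a tiny stand-in for emerging.rules.tar.gz so the helper can be tried offline.

```sh
#!/bin/sh
# Added example, not from the forum post. Assumes POSIX sh with tar,
# find and mktemp (all present on a pfSense/FreeBSD box).

# install_et_rules TARBALL RULESDIR
# Extracts the tarball, copies every *.rules file flat into RULESDIR
# (the individual files must sit directly under it; a nested rules/
# folder is not picked up by Snort on pfSense), runs sync three times
# as the guide does, and prints how many rule files were installed.
install_et_rules() {
    tarball=$1
    rulesdir=$2
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    mkdir -p "$rulesdir"
    tmp=$(mktemp -d)
    tar -xzf "$tarball" -C "$tmp"
    find "$tmp" -type f -name '*.rules' -exec cp {} "$rulesdir"/ \;
    count=$(find "$tmp" -type f -name '*.rules' | wc -l | tr -d ' ')
    rm -rf "$tmp"
    i=0
    while [ "$i" -lt 3 ]; do sync 2>/dev/null || :; i=$((i + 1)); done
    echo "$count"
}

# nested_rules RULESDIR
# Checks for *.rules files left in subdirectories of RULESDIR, which
# Snort on pfSense would not see; prints them and returns 1 if any.
nested_rules() {
    found=$(find "$1" -mindepth 2 -type f -name '*.rules')
    [ -z "$found" ] || { echo "$found" >&2; return 1; }
}

# make_sample_tarball DIR
# Builds a constructed stand-in for emerging.rules.tar.gz (two tiny
# rules plus a README inside a nested rules/ folder) and prints its path.
make_sample_tarball() {
    mkdir -p "$1/src/rules"
    printf 'alert tcp any any -> any any (msg:"constructed rule 1"; sid:9000001;)\n' \
        > "$1/src/rules/emerging-scan.rules"
    printf 'alert tcp any any -> any any (msg:"constructed rule 2"; sid:9000002;)\n' \
        > "$1/src/rules/emerging-dos.rules"
    printf 'not a rules file\n' > "$1/src/rules/README"
    tar -czf "$1/emerging.rules.tar.gz" -C "$1/src" rules
    echo "$1/emerging.rules.tar.gz"
}
```

On a real box you would call install_et_rules with the downloaded emerging.rules.tar.gz and /usr/local/etc/snort/rules, then still run apc_clear_cache(); and save the Snort settings as the guide describes.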