
    ET Pro Ruleset

    IDS/IPS
    9 Posts 3 Posters 2.7k Views
    • DefenderLLC
      last edited by DefenderLLC

      Hey everyone,

      I am patiently waiting for my 6100 to arrive in the next few days. I have been testing pfSense on a VM for the past few weeks and I am super excited to get my hands on the appliance.

      Suricata is one of the packages I am going to use, and I'm wondering if anyone on here has made the jump from the ET Open ruleset to the ET Pro ruleset. $900 is too much to pay, but you can actually buy it from OPNsense for $750 with no VAT once you put in a US-based billing address. They are the only authorized distributor listed on the Proofpoint website. I did confirm that the license key is exactly the same as buying it from CDW or any other authorized reseller.

      https://shop.opnsense.com/product/proofpoint-et-pro-ruleset-1yr-subscription/

      $900 is a lot, but $750 is not totally unreasonable for what you get. I just question how different the two rulesets really are and whether it is worth it since most traffic is HTTPS anyway.

      Has anyone made the leap to ET Pro? I plan on buying the Snort rules too since it’s only $30 for a home user.

      • michmoor LAYER 8 Rebel Alliance @DefenderLLC
        last edited by

        @cloudified Personally... I paid something along the lines of 35 bucks for the Snort Subscriber rule set. Not saying you shouldn't get the ET Pro sub, but that seems like an awful lot of money and I doubt those Pro rules are any better than the Snort rules, which are cheaper.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • bmeeks
          last edited by

          I agree with @michmoor here. For home use, I consider the ET-Pro ruleset grossly overpriced. This is especially true when you consider that unless you configure a complex MITM proxy of some sort, a huge percentage of the rules really don't work for you because encryption prevents them from seeing the packet payloads. The only ones that can reasonably work with encrypted traffic are the rules that look at source and destination IP addresses and ports, and the limited amount of info that can be gleaned from non-encrypted SNI (but only for the traffic types that contain/utilize SNI).

          A personal edition subscription to the Snort Subscriber Rules is $29.99 USD annually -- https://snort.org/products. That's reasonable, but you still have the issue described above with encrypted traffic.

          • DefenderLLC
            last edited by

            I decided to go with the Snort Personal subscription and the ET Open rulesets. I just can't justify the cost for the ET Pro ruleset.

            Thanks for the replies.

            • bmeeks @DefenderLLC
              last edited by bmeeks

              @cloudified said in ET Pro Ruleset:

              I decided to go with the Snort Personal subscription and the ET Open rulesets. I just can't justify the cost for the ET Pro ruleset.

              Thanks for the replies.

              One issue with the Snort rules and Suricata is that not every Snort rule is compatible with Suricata's rule engine. That's because Suricata does not recognize a handful of Snort rule keywords. Suricata will complain about syntax when attempting to load in those rules, flag an error in the suricata.log file for each one, and discard it. It will not stop Suricata from continuing on with loading the remaining rules, but just be aware that you may see errors for some of the Snort rules if you examine the suricata.log file (accessible on the LOGS VIEW tab) after starting Suricata on an interface. Whether you see errors or not depends on exactly which rule categories you enable and whether any given rules within the category contain unrecognized syntax.

              I forget the exact number, but I seem to recall that if you were to enable every Snort rule in every category (that's several thousand rules and not something you would normally do) you would see about 100 to 200 Snort rules giving syntax errors and being discarded.

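As an added example (not from the post above, the pfSense package, or the Suricata project), here is a small audit script for the situation bmeeks describes: it reads a suricata.log, picks out every "error parsing signature ... from file ... at line N" record, pairs it with the "unknown rule keyword" complaint Suricata emits just before it, and pulls the SID and msg out of the rejected rule text so you can see which Snort keywords are the culprits instead of scrolling the log by hand. The message wording is assumed from Suricata 6/7 load-time errors, the log lines, SIDs and rule texts in SAMPLE_LOG are constructed for the example, and the `1:sid` output format is the Pulled Pork-style disablesid syntax the pfSense SID Mgmt tab accepts (an assumption here, not taken from the thread).

```python
"""Audit a suricata.log for Snort rules that Suricata rejected at load time.

Added example. Assumes the Suricata 6/7 wording of the load-time errors:
  ... unknown rule keyword 'xyz'.
  ... error parsing signature "<rule text>" from file <path> at line <N>
  ... N rule files processed. N rules successfully loaded, N rules failed
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIG_ERR_RE = re.compile(
    r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
KEYWORD_ERR_RE = re.compile(r"unknown rule keyword '(?P<kw>[^']+)'")
SUMMARY_RE = re.compile(
    r"(?P<files>\d+) rule files? processed\. (?P<ok>\d+) rules successfully loaded, "
    r"(?P<failed>\d+) rules failed")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


@dataclass
class RejectedRule:
    sid: Optional[int]
    msg: str
    file: str
    line: int
    keyword: Optional[str]  # the unrecognised keyword logged right before the rejection


def parse_suricata_log(text: str) -> Tuple[List[RejectedRule], Optional[dict]]:
    """Return (rejected rules, load summary). Keyword errors precede the signature error
    for the same rule, so the most recent one is attached to the next rejection."""
    rejected: List[RejectedRule] = []
    summary = None
    last_keyword = None
    for raw in text.splitlines():
        m = KEYWORD_ERR_RE.search(raw)
        if m:
            last_keyword = m.group("kw")
            continue
        m = SIG_ERR_RE.search(raw)
        if m:
            rule = m.group("rule")
            sid_m, msg_m = SID_RE.search(rule), MSG_RE.search(rule)
            rejected.append(RejectedRule(
                sid=int(sid_m.group(1)) if sid_m else None,
                msg=msg_m.group(1) if msg_m else "",
                file=m.group("file"), line=int(m.group("line")),
                keyword=last_keyword))
            last_keyword = None
            continue
        m = SUMMARY_RE.search(raw)
        if m:
            summary = {k: int(v) for k, v in m.groupdict().items()}
    return rejected, summary


def keyword_histogram(rejected: List[RejectedRule]) -> Counter:
    """Which unsupported Snort keywords caused the discards, and how often."""
    return Counter(r.keyword or "<no keyword error logged>" for r in rejected)


def disablesid_lines(rejected: List[RejectedRule]) -> List[str]:
    """gid:sid entries (Pulled Pork style, assumed accepted by the SID Mgmt tab) to silence
    the rejected rules so the errors stop reappearing on every restart."""
    return [f"1:{r.sid}" for r in rejected if r.sid is not None]


# Constructed sample log; paths, timestamps, SIDs and rule texts are made up for the example.
SAMPLE_LOG = r"""
3/4/2023 -- 09:12:41 - <Info> - Loading rule file: /usr/local/etc/suricata/suricata_57329_igb0/rules/suricata.rules
3/4/2023 -- 09:12:43 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(37)] - unknown rule keyword 'sd_pattern'.
3/4/2023 -- 09:12:43 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE POLICY credit card number in clear text"; flow:to_server,established; sd_pattern:1,credit_card; sid:9000001; rev:2;)" from file /usr/local/etc/suricata/suricata_57329_igb0/rules/suricata.rules at line 1820
3/4/2023 -- 09:12:44 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(37)] - unknown rule keyword 'base64_decode'.
3/4/2023 -- 09:12:44 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE MALWARE base64 attachment"; flow:to_server,established; base64_decode:bytes 300, offset 0, relative; base64_data; content:"MZ"; sid:9000002; rev:1;)" from file /usr/local/etc/suricata/suricata_57329_igb0/rules/suricata.rules at line 25377
3/4/2023 -- 09:12:49 - <Info> - 1 rule files processed. 31492 rules successfully loaded, 2 rules failed
"""

if __name__ == "__main__":
    rej, summ = parse_suricata_log(SAMPLE_LOG)
    print("summary:", summ)
    for r in rej:
        print(f"sid {r.sid} ({r.msg}) rejected at {r.file}:{r.line}, keyword={r.keyword}")
    print("by keyword:", dict(keyword_histogram(rej)))
    print("disablesid entries:", disablesid_lines(rej))
```

On a live box you would feed it the contents of the interface's suricata.log (what the LOGS VIEW tab shows) instead of SAMPLE_LOG; if the histogram is dominated by one or two keywords, the rules using them are a good candidate for an exclusion list rather than something to chase rule by rule.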
              • DefenderLLC @bmeeks
                last edited by DefenderLLC

                @bmeeks I've read a few posts on here describing that same exact issue. I really haven't had a chance to mess with it too much yet since I just got my 6100 yesterday. I'm also replacing my old UniFi gear with new UniFi gear at the same time. I will spend some more time on this over the weekend. Thanks again for your advice!

                • michmoor LAYER 8 Rebel Alliance @DefenderLLC
                  last edited by

                  @cloudified For what it's worth, I have set up the IPS Policy to Connectivity and that has worked out well. It's a starter policy but good coverage.

                  @bmeeks For some of the Snort rules, e.g. CIArmy, I noticed these are just blocking IPs. If one has pfBlockerNG with IP blocking enabled and Snort, is it fair to say there's a bit of overlap and those IP blocking rules can be skipped within Snort?


                  • bmeeks @michmoor
                    last edited by

                    @michmoor said in ET Pro Ruleset:

                    @bmeeks For some of the Snort rules, e.g. CIArmy, I noticed these are just blocking IPs. If one has pfBlockerNG with IP blocking enabled and Snort, is it fair to say there's a bit of overlap and those IP blocking rules can be skipped within Snort?

                    Yes, the CIArmy and a few similar rule categories are just simple lists of IP addresses and I would expect a fair amount of overlap with many pfBlockerNG lists. So, if using pfBlockerNG you likely don't want to enable those IP list rules in Snort.

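To put a number on the overlap bmeeks expects, here is an added example (not code from the thread, pfBlockerNG, or the Emerging Threats project) that parses a rules file, flags rules that are pure IP lists (an explicit address list in the header and no payload-inspecting keywords in the body), and reports how many of each rule's addresses a pfBlockerNG-style deny list (one CIDR per line) already covers. The rules in SAMPLE_RULES are constructed in the style of the CIArmy/CINS category with made-up SIDs and RFC 5737 test addresses, and SAMPLE_BLOCKLIST is likewise constructed; the set of keywords treated as "payload-inspecting" is the author's own list, not something the page defines.

```python
"""Find rules that are pure IP-reputation lists and measure how much of their address space
a pfBlockerNG-style block list already covers. Added example; sample data is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Option keywords that inspect payload or protocol fields. A rule whose body has none of these
# can only match on addresses/ports, which is exactly what a firewall-level IP list already does.
PAYLOAD_KEYWORDS = {
    "content", "uricontent", "pcre", "byte_test", "byte_jump", "byte_extract", "byte_math",
    "isdataat", "dsize", "urilen", "http_uri", "http_header", "http_method", "http_client_body",
    "file_data", "dns_query", "tls_sni", "tls.sni", "http.uri", "http.host", "ja3.hash",
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    sid: int
    msg: str
    ips: list      # networks named explicitly in the header (variables and negations dropped)
    ip_only: bool  # True when the rule can only ever match on the 5-tuple


def split_options(body: str) -> List[str]:
    """Split 'k:v; k2:v2;' on semicolons that are not inside double quotes (msg may contain ';')."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"' and (not cur or cur[-1] != "\\"):
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def header_networks(field_text: str) -> list:
    """'[192.0.2.1,10.0.0.0/8,!10.1.1.1,$HOME_NET]' -> networks; skips negations and variables."""
    nets = []
    for token in field_text.strip("[]").split(","):
        token = token.strip()
        if not token or token.startswith(("!", "$")) or token == "any":
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # ports, 'any', or malformed tokens are not addresses
    return nets


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        opts = split_options(m.group("opts"))
        keywords = {o.split(":", 1)[0].strip() for o in opts}
        sid, msg = None, ""
        for o in opts:
            k, _, v = o.partition(":")
            if k.strip() == "sid":
                sid = int(v.strip())
            elif k.strip() == "msg":
                msg = v.strip().strip('"')
        nets = header_networks(m.group("src")) + header_networks(m.group("dst"))
        rules.append(Rule(sid=sid, msg=msg, ips=nets,
                          ip_only=bool(nets) and not (keywords & PAYLOAD_KEYWORDS)))
    return rules


def load_blocklist(text: str) -> list:
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines() if l.strip() and not l.startswith("#")]


def overlap_report(rules: List[Rule], blocklist: list) -> List[Tuple[int, int, int]]:
    """For each IP-only rule: (sid, networks listed in the rule, networks already blocked)."""
    report = []
    for r in rules:
        if not r.ip_only:
            continue
        covered = sum(1 for n in r.ips
                      if any(n.subnet_of(b) for b in blocklist if b.version == n.version))
        report.append((r.sid, len(r.ips), covered))
    return report


# Constructed rules modeled on the CIArmy/CINS category, plus two ordinary payload rules.
SAMPLE_RULES = r"""
alert ip [192.0.2.10,192.0.2.77,198.51.100.5,203.0.113.200] any -> $HOME_NET any (msg:"EXAMPLE CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; sid:9100001; rev:1;)
alert ip [198.51.100.0/24,203.0.113.9,!203.0.113.10] any -> $HOME_NET any (msg:"EXAMPLE CINS Active Threat Intelligence Poor Reputation IP group 2"; classtype:misc-attack; sid:9100002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE NETBIOS SMB probe with semicolon; in msg"; flow:to_server,established; content:"|FF|SMB"; sid:9100003; rev:1;)
alert tcp 192.0.2.10 any -> $HOME_NET any (msg:"EXAMPLE specific host with payload check"; content:"GET"; http_method; sid:9100004; rev:1;)
"""
# Constructed pfBlockerNG-style deny list, one CIDR per line.
SAMPLE_BLOCKLIST = """
192.0.2.0/24
198.51.100.5/32
203.0.113.0/25
"""

if __name__ == "__main__":
    for sid, listed, blocked in overlap_report(parse_rules(SAMPLE_RULES), load_blocklist(SAMPLE_BLOCKLIST)):
        print(f"sid {sid}: {blocked}/{listed} listed networks already in the block list")
```

Rule 9100004 names a single host but also checks payload, so it is kept out of the report on purpose: that rule still does work pfBlockerNG cannot. Only the rules flagged ip_only are candidates for disabling, and the per-rule coverage tells you whether your deny lists really do subsume them or only partly overlap.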
                    • michmoor LAYER 8 Rebel Alliance @bmeeks
                      last edited by

                      @bmeeks Yep, that's what I thought. Thank you, sir.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.