Some snort categories have no rules?



  • Hello all,

    I have a pfsense machine set up as an edge firewall/router to protect some web servers and ssh servers. I've been playing around with Snort IDS, and I currently have the Snort VRT free rules, Snort Community rules, and ETOpen rules installed.

    For the most part it seems to be working well, but I've been noticing something strange: though I've been getting tons of alerts, they are pretty much all being generated by the ETOpen rules. I've been seeing few to no alerts generated by Snort Community Rules or Snort VRT Rules, even when I put the VRT Policy selection to the most sensitive setting of "Security".

    Then I decided to manually select rule categories to enable rather than use the VRT policy selection. After enabling some categories I went to the "WAN Rules" tab, and to my surprise many of the categories had no rules! For example, snort_botnet-cnc, snort_ddos, snort_scan, and snort_virus were all empty. Some categories had rules but with most of them disabled.

    I searched Google but could not find any explanation for this. Is this normal behavior?

    Screenshot for reference:




  • @tlng55:

    Hello all,

    I have a pfsense machine set up as an edge firewall/router to protect some web servers and ssh servers. I've been playing around with Snort IDS, and I currently have the Snort VRT free rules, Snort Community rules, and ETOpen rules installed.

    For the most part it seems to be working well, but I've been noticing something strange: though I've been getting tons of alerts, they are pretty much all being generated by the ETOpen rules. I've been seeing few to no alerts generated by Snort Community Rules or Snort VRT Rules, even when I put the VRT Policy selection to the most sensitive setting of "Security".

    Then I decided to manually select rule categories to enable rather than use the VRT policy selection. After enabling some categories I went to the "WAN Rules" tab, and to my surprise many of the categories had no rules! For example, snort_botnet-cnc, snort_ddos, snort_scan, and snort_virus were all empty. Some categories had rules but with most of them disabled.

    I searched Google but could not find any explanation for this. Is this normal behavior?

    Screenshot for reference:

    Yes, the Snort VRT deprecated many of the original rule package names and reorganized them quite some time ago.  However, they did not delete the old package file names in order to not break existing configurations.  Many legacy Snort configurations (especially on non-pfSense systems) individually list each enabled rule category filename in the snort.conf file.

    It is OK to have an empty rule category file, so the VRT just emptied out the deprecated files and left the empty shells to prevent breaking those legacy system configurations.

    There is no magic bullet rule set.  Each installation/network is different, so the onus is on the system administrator to choose the appropriate rules.  Some rules are default "disabled" because they are either known to be prone to false positives in some situations, or they are deemed to be more specialized.

    When you choose one of the three VRT Security Policies (connectivity, balanced or security) on the CATEGORIES tab, a set of specifically tagged rules from across all the Snort VRT categories will be automatically enabled.  Certain rules are marked with metadata tags tying them to one or more Security Policies.  My recommendation for a novice with Snort is to choose the "Connectivity" or "Balanced" IPS Policy and then maybe add a handful of the ET categories as icing on the cake (examples would be ET-Malware, ET-Current Events, etc.).

    Bill



  • Thanks, that makes sense. But what if I wanted to select rule categories manually, instead of using one of the three default policies? Where have the rules been moved to?



  • @tlng55:

    Thanks, that makes sense. But what if I wanted to select rule categories manually, instead of using one of the three default policies? Where have the rules been moved to?

    You will have to search through each of the Snort VRT rule categories files.  There is some information on the Snort VRT web site that may help.

    Bill



  • Hmm…looking at the rule category descriptions on the VRT websites they don't seem to give any indication of which categories are no longer active. Is there a specific page you were referring to? It seems rather strange to me that they would have all the rules neatly organized, only to completely change it without modifying the documentation.

    EDIT: I found the blog posts explaining the move. I guess this means I'll just have to figure out where the rules I need have gone. Thanks for the help!


Log in to reply