Suricata IPS policies vs default rules



  • Hi all,  :D
    Just installed Suricata and tried to play with it a little bit. Works fine  :)
    But I'm a newbie with these IDS/IPS toys. Feel free to move my post if required.
    Well. Among interface categories, in "Snort IPS policy selection", we can "use IPS policy", going from "connectivity" (enabling few rules) to "security" (lots of rules). OK, I understand.
    On the other hand, if "Use IPS policy" is unchecked, and all rulesets enabled, we have another behavior, with some rules enabled or disabled by default.
    My question is: what is the default security level when all rulesets (snort part) are enabled? I tried to have a closer look at a few rules, and it seems that this mode is still more restrictive than the "security" policy level.
    Am I wrong?
    Sorry for this (probably) stupid question!  :o
    I didn't find the answer in the forum pages…  :-
    Thanks a lot!



  • @tipiewot:

    Hi all,  :D
    Just installed Suricata and tried to play with it a little bit. Works fine  :)
    But I'm a newbie with these IDS/IPS toys. Feel free to move my post if required.
    Well. Among interface categories, in "Snort IPS policy selection", we can "use IPS policy", going from "connectivity" (enabling few rules) to "security" (lots of rules). OK, I understand.
    On the other hand, if "Use IPS policy" is unchecked, and all rulesets enabled, we have another behavior, with some rules enabled or disabled by default.
    My question is: what is the default security level when all rulesets (snort part) are enabled? I tried to have a closer look at a few rules, and it seems that this mode is still more restrictive than the "security" policy level.
    Am I wrong?
    Sorry for this (probably) stupid question!  :o
    I didn't find the answer in the forum pages…  :-
    Thanks a lot!

    The IPS Policies are created by scanning the Snort VRT rules for certain metadata.  Several of the rules contain special keywords that associate those rules with one or more IPS policies.  This special keyword metadata is only present in rules produced by the Snort VRT (Vulnerability Research Team).  This data is not contained within the Emerging Threats rules.  The keyword in a Snort rule will look similar to this:

        policy connectivity-ips, balanced-ips;

    This would associate this particular rule with both the Connectivity and Balanced IPS policies.  This metadata is put there by the Snort VRT when they create the rule.  The Suricata (or Snort) package just scans the rules looking for any where the policy metadata tags match your chosen IPS Policy setting.

    There is really no correlation between IPS Policies and enabling all the rule sets like you mentioned.  Why some rules are default enabled and some are default disabled is known mainly only by the vendors themselves.  Some other folks here on the board likely have some more info, but it's largely a type of mystery to me… :).

    Let me mention one other point with regards to the Suricata package and using the Snort VRT rules.  Suricata can decode and recognize most of the Snort rule options and keywords, but there are still several new keywords and rule options in Snort rules that Suricata does not understand.  When loading those rules, Suricata will print an error message and skip loading that rule.  There are over 700 Snort VRT rules that Suricata will thus skip loading (at my last count).  So just be aware of that fact when you use Snort VRT rules with Suricata.  Since IPS policy data is only present in the Snort VRT rules, then it is very possible that some of the rules will be ignored and not loaded due to the problem mentioned.

    I don't push either IDS package (Suricata or Snort) over the other.  I currently maintain both of them.  I just like to make folks aware that when Snort VRT rule packages are used with Suricata, it is likely not all of the included rules will actually be loaded and used by Suricata.  Check the Suricata log for the interface (on the LOGS tab) to see if any of your Snort VRT rules were skipped due to unsupported rule options or keywords.

    Bill
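    To make Bill's explanation concrete, here is an added example (not code from the pfSense Suricata/Snort package or from any poster) that parses a handful of constructed Snort-style rules, pulls the `policy ...-ips` tags out of their `metadata:` option, and shows the difference between "pick an IPS policy" and "enable everything and keep the vendor defaults". It assumes the VRT layout `policy <name>-ips <action>` for each tag, that a chosen policy tag counts even when the vendor shipped the rule commented out, and that per-SID overrides (the RULES icons or a SID MGMT list) are applied last.

```python
import re

# Constructed sample rules (not from any real ruleset). Only the metadata
# layout follows the Snort VRT convention: "policy <name>-ips <action>".
# A leading "# " is the vendor's "disabled by default" marker.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE in every policy"; content:"/x"; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service http; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE balanced and security"; content:"/y"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE default-disabled, security only"; content:"/z"; metadata:policy security-ips alert, service http; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE no policy metadata"; content:"EHLO"; sid:9000004; rev:1;)
"""

META_RE = re.compile(r"metadata:\s*([^;]*);")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
POLICY_RE = re.compile(r"^policy\s+(\S+?)-ips\s+(\w+)$")

def parse_rules(text):
    """Return one dict per rule: sid, vendor default state, and {policy: action}."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        body = stripped.lstrip("# ")  # drop the "disabled by default" marker
        if not body.startswith(("alert ", "drop ", "pass ", "reject ")):
            continue  # blank line or ordinary comment
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # malformed rule without a sid
        policies = {}
        meta_m = META_RE.search(body)
        if meta_m:
            for entry in meta_m.group(1).split(","):
                pm = POLICY_RE.match(entry.strip())
                if pm:
                    policies[pm.group(1)] = pm.group(2)
        rules.append({"sid": int(sid_m.group(1)), "default_enabled": not stripped.startswith("#"), "policies": policies})
    return rules

def select_for_policy(rules, policy):
    """{sid: action} for rules carrying the chosen policy tag. Assumption: the
    tag wins even if the vendor shipped the rule commented out."""
    return {r["sid"]: r["policies"][policy] for r in rules if policy in r["policies"]}

def default_enabled_sids(rules):
    """What "all rulesets, no IPS policy" gives: the vendor's own defaults."""
    return {r["sid"] for r in rules if r["default_enabled"]}

def apply_sid_overrides(selected_sids, enable=(), disable=()):
    """Per-SID force enable/disable, as done via the RULES icons or SID MGMT."""
    return (set(selected_sids) | set(enable)) - set(disable)
```

    Note that sid 9000004 has no policy tag at all (the Emerging Threats situation Bill describes), so no IPS policy can ever pick it up; it only appears when the ruleset is enabled without a policy.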



  • Thank you bmeeks! Now I understand the main goal.  :D
    So my question was not so stupid  ;D
    Well, I did not deeply look for VRT rules skipped by suricata in the logs. Going to take care of this now.  ::)
    Basically, I wondered how it was possible to enforce a specific snort rule, not belonging to the 3 pre-established VRT policies, when one of these policies is enabled. As far as I know, I can't: the snort categories are hidden in the rules view, and replaced by the policy chosen.
    However, it's not so important… and probably useless! Just to be sure I understand the system!  ;)
    Thanks again bmeeks



  • @tipiewot:

    Thank you bmeeks! Now I understand the main goal.  :D
    So my question was not so stupid  ;D
    Well, I did not deeply look for VRT rules skipped by suricata in the logs. Going to take care of this now.  ::)
    Basically, I wondered how it was possible to enforce a specific snort rule, not belonging to the 3 pre-established VRT policies, when one of these policies is enabled. As far as I know, I can't: the snort categories are hidden in the rules view, and replaced by the policy chosen.
    However, it's not so important… and probably useless! Just to be sure I understand the system!  ;)
    Thanks again bmeeks

    Within the GUI, when an IPS Policy is chosen, the other Snort rule selections are grayed-out.  That's because the chosen policy is given priority.  You can still enable or disable specific rules two ways.  If you want to disable a rule that IPS Policy has enabled, just load the IPS Policy as the "category" in the drop-down on the RULES tab for the interface.  Click the icons beside the rules to force disable any.  Another way is to use the relatively new SID MGMT tab and the features there.  Open and view the three example configuration files shown on that tab to get an idea of how they work.

    Bill



  • Hello,
    I had a closer look at these settings. Great!  :) Very good and impressive job.
    Thank you for your answers, Bill.
    Bye!

