Snort paid rules configuration



  • I have got the paid subscription for Snort rules. I cannot find anywhere whether I need to change any settings, or if the current settings and current oinkcode will automatically give me up-to-date rules without changing anything.



  • Only thing you might want to configure is disable the Snort community rules as those are included in the paid download. No need to change anything else, just make sure you have your Oinkmaster code set.

    Note: If you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the Snort VRT rules, and there is no benefit in adding this rule set.



  • It probably depends on how you configured the IDS before adding the Oinkcode, and if you are intending to take advantage of OpenAppID.  I'm no expert, but this is what I'd check.

    Once you've entered and saved your Oinkcode, click over to Updates and make sure you have a copy of the Snort VRT Rules - if not, click Update.  If you want to see when it's downloading, click the "View" button under MANAGE RULE SET LOG.

    Once you've got rules, go back to the Snort Interface tab, and edit one of the interfaces you have Snort applied to. The way I've seen recommended in other posts to run the Snort rules is to click over to the Categories tab (LAN Categories, WAN Categories, etc., whichever interface you edited), choose "Use IPS Policy", choose from Connectivity, Balanced, or Security, and save the change.  Rinse and repeat for any interfaces you have Snort examining.

    If you also added OpenAppID, you'll need to click over to the interface's Preprocs tab, scroll down about 1/3 of the way, and tick the box for "Use OpenAppID to detect various applications" and save the change.

    I have not written any rules for the OpenAppID stuff yet; I am currently happy to go to the WAN Logs tab, select app-stats.log, and see what apps are identified.
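    The "Use IPS Policy" choice in the post above works off the metadata that Talos puts in each rule (tags of the form policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop). The following is an added example, not code from the original post or from the pfSense Snort package: it parses a constructed sample of Snort 2.9 rules (the sids, messages and tags are made up) and reports which rules each of the three policies would pull in, so you can inspect a downloaded rules file yourself and see what a given policy will actually enable before committing to it on an interface.

```python
"""Summarise which rules each Snort IPS policy (connectivity / balanced / security)
would enable, by reading the 'policy <name>-ips <action>' tags in rule metadata.

Added example: the sample rules below are constructed for illustration and are not
taken from any real Talos/VRT ruleset."""
import re

# Constructed sample in Snort 2.9 rule syntax. Lines starting with '#' are rules
# that ship disabled; rule 9000004 carries no policy tag at all.
SAMPLE_RULES = """\
# rules prefixed with '#' ship disabled in the distribution
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE-WEB suspicious cgi-bin request"; flow:to_server,established; content:"/cgi-bin/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE-SMB anomalous negotiate"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:protocol-command-decode; sid:9000002; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE-DNS oversized query"; dsize:>512; metadata:policy security-ips drop, service dns; classtype:protocol-command-decode; sid:9000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE-POLICY untagged rule"; flow:to_server; metadata:service http; classtype:policy-violation; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE-MALWARE beacon"; flow:to_server,established; metadata:policy balanced-ips alert, policy security-ips drop; classtype:trojan-activity; sid:9000005; rev:3;)
"""

# A rule line: optional '#' (disabled), an action keyword, a header, then options in parentheses.
RULE_RE = re.compile(r'^\s*(?P<disabled>#\s*)?(alert|drop|pass|log|sdrop|reject)\s+\S+.*\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')
# Inside metadata: "policy balanced-ips drop" -> ('balanced', 'drop')
POLICY_RE = re.compile(r'\bpolicy\s+([a-z-]+)-ips\s+(alert|drop)')

POLICIES = ('connectivity', 'balanced', 'security')


def parse_rules(text):
    """Return a list of dicts: sid, msg, disabled flag and {policy: action} map."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comment or blank line, not a rule
        opts = m.group('opts')
        sid = SID_RE.search(opts)
        msg = MSG_RE.search(opts)
        meta = META_RE.search(opts)
        policies = dict(POLICY_RE.findall(meta.group(1))) if meta else {}
        rules.append({
            'sid': int(sid.group(1)) if sid else None,
            'msg': msg.group(1) if msg else '',
            'disabled': m.group('disabled') is not None,
            'policies': policies,
        })
    return rules


def policy_summary(rules):
    """Map each IPS policy name to the (sid, action) pairs it would enable."""
    summary = {p: [] for p in POLICIES}
    for r in rules:
        for p in POLICIES:
            if p in r['policies']:
                summary[p].append((r['sid'], r['policies'][p]))
    return summary


def untagged_sids(rules):
    """Rules with no policy tag: never enabled by 'Use IPS Policy', only by category."""
    return [r['sid'] for r in rules if not r['policies']]


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    for policy, members in policy_summary(parsed).items():
        print(f"{policy:13s} {len(members)} rule(s): {members}")
    print("untagged:", untagged_sids(parsed))
```

    To run it against a real download, replace SAMPLE_RULES with the contents of the .rules files unpacked from the tarball; the three policy lists should nest (connectivity within balanced within security), and anything in the untagged list will only be enabled if you select its category explicitly rather than an IPS policy.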



  • Thanks for the answers!!! One last question: is there a way to see, when you update, if the rules are the free or the paid subscription? When I look at the MANAGE RULE SET LOG view I can't see anything that shows whether the rules are paid or not. It's probably there but I do not see it.



  • @dgall:

    Thanks for the answers!!! One last question: is there a way to see, when you update, if the rules are the free or the paid subscription? When I look at the MANAGE RULE SET LOG view I can't see anything that shows whether the rules are paid or not. It's probably there but I do not see it.

    No, you can't tell because the file names from the VRT web site are identical.  Your Oinkcode is read by the VRT rules download server and it decides which package of rules to send down to you.  It gets them from one of two directories depending on "paid" or "free" subscription.  There is nothing you need to do on your end other than disabling the Snort GPLv2 Community Rules if you were using those.  They are already bundled into the paid VRT rules.

    Bill

