How to select Rulesets for LAN interface?



  • I'm trying to set up snort as an IPS with 2 interfaces: WAN with a minimal set of rules, and LAN with the bulk of the rules.  When I set up the WAN interface, I was able to choose categories from all 3 rulesets (ET Open, Snort Text Rules, and Snort SO Rules).  But when I try to select rule categories for the LAN interface, the screen displays all 3 Rulesets, but I can only enable categories that are included as part of ET Open Ruleset.  Is this normal behavior, or did I mess something up?  Any insight or tips would be greatly appreciated.  Thanks!


  • Banned

    If you are using one of the pre-defined policies (Use IPS Policy checkbox and the list below), it won't let you pick the Snort VRT categories.



  • The IPS policy settings do a pretty good job of automatically selecting an appropriate rule set for the chosen security posture: (1) connectivity, (2) balanced or (3) security.  If you really must have other Snort VRT rules, you can always manually paste them into the Custom Rules screen (but that would be quite tedious).

    You can still mix Emerging Threats rule categories with an IPS policy.  That could be a decent substitute.

    Bill



  • Thank you both for your replies.  I was concerned that I was doing something wrong, but it appears this is normal behavior.  That leads to another question:  If selecting one of the 3 IPS security postures automatically selects an appropriate set of rules, is there any advantage in subscribing to the VRT premium rules (other than supporting a good cause)?  Or, looking at this from a different point of view, would it be better to leave the IPS mode disabled, so I could have access to the more current rules available through the premium VRT subscription?  Thanks again.



  • The premium subscription gets you new rules when they are released.  The free registered user Oinkcode only gets you new rules after they have been posted for paying subscribers for 30 days.  Or restated, you only get new rules after they are 30 days old.

    So if that risk/reward works for you, then the free rules are OK.  For me, I don't mind the $30/year to get current rules and also support the guys doing the research and writing the rules.

    All an IPS policy does is select various rules from amongst all the VRT rule categories.  The difference between the paid and free VRT rule subscriptions is that the former (paid) gets updated 30 days ahead of the latter (free) VRT package.

    Bill



  • Thank you again for your reply.  I also subscribed to the premium VRT rules because I want to protect against new threats as soon as possible.  I still have a few questions about what happens if we check the IPS option: will Snort select an appropriate set of rules from the default (i.e., free) VRT rules, or will Snort use rules based on the premium VRT rules?  Also, when Snort periodically checks for new rules, are all new rules automatically enabled?  Does Snort's decision whether or not to enable a new rule have anything to do with the IPS option?  I guess in a way, the IPS option is seductive; it's like, "Trust me, I know what's good for you, and I'm going to make all these complicated choices for you."  I don't think any of us have time to be checking Snort after every update.  I just want to make sure I understand the trade-offs before I drink the IPS kool-aid.  Thanks!



  • @shull:

    Thank you again for your reply.  I also subscribed to the premium VRT rules because I want to protect against new threats as soon as possible.  I still have a few questions about what happens if we check the IPS option: will Snort select an appropriate set of rules from the default (i.e., free) VRT rules, or will Snort use rules based on the premium VRT rules?  Also, when Snort periodically checks for new rules, are all new rules automatically enabled?  Does Snort's decision whether or not to enable a new rule have anything to do with the IPS option?  I guess in a way, the IPS option is seductive; it's like, "Trust me, I know what's good for you, and I'm going to make all these complicated choices for you."  I don't think any of us have time to be checking Snort after every update.  I just want to make sure I understand the trade-offs before I drink the IPS kool-aid.  Thanks!

    Paid or free determines which tar ball (zip file) of rules you can download.  Your Oinkmaster code determines which of the two rules tar ball files your box will download.  Stated another way, if you have the paid subscription, then your firewall always downloads "paid" and "free" rules.  What may be confusing you is how rules transition from "paid" to "free".  If the VRT made zero changes to any rules for 30 days, then the contents of the "free" and "paid" rules files would be identical.  That's because all the rules would be 30 days old and thus available to all users.  However, the VRT makes updates twice weekly, so in each update there may be some new rules that only paid users can get until those rules are also 30 days old.  The paid subscription files contain all the "free" rules plus any new rules that are less than 30 days old.  The category names are identical in each set.

    I think you need to do some Google research on the IPS Policy options in VRT rules.  The policies are defined by the Snort team.  They pick the rules that go into each policy and flag them with special rule keywords.  The Snort package on pfSense looks for those matching keywords in rules to select which ones to use for a given IPS policy selection by the user.  As the rules are updated by the VRT, so is the policy metadata that the pfSense Snort package uses to select rules.  So if a new rule is added and is assigned by the VRT to a policy you have selected, then on the next rule update your Snort install will start using that rule.  The reverse is also true.  If the VRT removes a policy label from a rule, then on the next update your Snort install will stop using that rule.

    None of the VRT rules categories have all their rules enabled.  Some are considered to be specialized and come default "disabled" and can be "enabled" by admins who want to use them in their environment.  The converse is also true.  Some admins disable rules that come default enabled.  This may be because those rules "false positive" in their environment.  An IDS/IPS always requires monitoring by an experienced administrator.  The IPS Policy metadata can help ease the burden, though, by delegating rule selection to the VRT experts.

    Bill



  • Thank you for taking time to clarify this for me.


Log in to reply