OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: SecAficionado on June 24, 2017, 06:57:57 pm

Title: IDS/IPS with snort VRT rules
Post by: SecAficionado on June 24, 2017, 06:57:57 pm
Hello there,

I am new to OPNsense and I have been running it in VMs. I like it so far, but I really wish I had the option to use snort over suricata. I am a long time snort user and I am very comfortable administering it for my needs.

I am willing to try suricata, but I haven't found an option to use snort VRT rules. As you may know, there is a personal subscription for snort rules for US$30, which gives access to the latest rules. ET, by contrast, only has community rules for personal use, which are at least 30 days old (an eternity in cyber security terms).

Is there a plugin to download and configure VRT rules for suricata? I think it may be fairly straightforward to create, but I don't want to get into that if someone else has already created it. Perhaps more importantly, is there a reason why I shouldn't use snort VRT rules with suricata?

Thanks in advance!
Title: Re: IDS/IPS with snort VRT rules
Post by: mimugmail on June 28, 2017, 11:01:37 am
Haven't worked with VRT yet, but it seems to be quite complicated with Suricata:

https://forum.pfsense.org/index.php?topic=124054.0
Title: Re: IDS/IPS with snort VRT rules
Post by: SecAficionado on June 29, 2017, 01:53:55 am
Thanks for replying and for the link. Yes, this is definitely not a "fire-and-forget" type of setting. Loading and tuning IDS rules requires constant attention, perhaps a lot more than the average user is willing to pay.

I am aware of the differences between snort and suricata and, although I do not expect a 1 to 1 correspondence, I hope suricata can read and act upon a good portion of new snort rules. I just wanted an automated way to load the VRT rules each day. There is no automated way to pick and choose which rules make sense for one's network, so that part will be pretty much the same as with snort.

I'll check the way pfsense deals with the rules and see if there is a way to port that to opnsense. That is probably the best place to start.

Thanks!!!
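The post above says there is no automated way to pick which rules make sense for a given network. Snort VRT rules do carry one hook for partial automation: each policy-tagged rule lists, in its metadata option, the VRT IPS policies it belongs to (connectivity-ips, balanced-ips, security-ips) and whether that policy runs it as alert or drop. The script below is an added example written for this thread, not code from OPNsense, pfSense or Suricata. It parses a rules file, selects rules by policy tag, and rewrites the file so that only the chosen policy's rules are enabled, optionally promoting them to the drop action for inline mode. The sample rules, sids and messages are constructed for illustration and are not real VRT signatures; the metadata convention it matches is "policy <name> <alert|drop>" as found in VRT rule files.

```python
"""Pick Snort VRT/Talos-style rules by their metadata IPS policy tag.

Added example for this thread, not code from OPNsense, pfSense or Suricata.
Sample rules are constructed: their sids, messages and content bytes are not
real VRT signatures. Standard library only.
"""
import re
from dataclasses import dataclass

# One rule per line; a leading '#' means the rule ships disabled.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject|log)\s+"
    r"(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$"
)

SAMPLE_RULES = """\
# constructed sample ruleset, not real VRT content
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST-WEB example A"; flow:to_server,established; content:"GET"; sid:9000001; rev:2; classtype:web-application-attack; metadata:policy balanced-ips drop, policy security-ips drop, service http;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"TEST-SSH example B"; flow:to_server; content:"SSH-"; sid:9000002; rev:1; classtype:attempted-recon; metadata:policy security-ips drop, service ssh;)
alert udp any any -> any 53 (msg:"TEST-DNS example C"; content:"|00 01|"; sid:9000003; rev:3; classtype:misc-activity; metadata:policy connectivity-ips alert, policy balanced-ips drop, policy security-ips drop;)
alert tcp any any -> any any (msg:"TEST no policy tag; keep as-is"; content:"x"; sid:9000004; rev:1;)
"""


@dataclass
class Rule:
    disabled: bool
    action: str
    header: str      # e.g. "tcp $EXTERNAL_NET any -> $HOME_NET 80"
    options: str     # everything between the outer parentheses
    sid: int
    rev: int
    msg: str
    classtype: str
    policies: dict   # {"balanced-ips": "drop", ...} taken from metadata


def split_options(options: str) -> list:
    """Split the option body on ';' that sit outside double-quoted strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        else:
            if ch == '"':
                in_quote = not in_quote
            if ch == ";" and not in_quote:
                parts.append("".join(buf).strip())
                buf = []
            else:
                buf.append(ch)
    tail = "".join(buf).strip()
    return parts + [tail] if tail else parts


def parse_rules(text: str) -> list:
    """Parse every rule line (enabled or '#'-disabled); skip other lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        fields = {"sid": None, "rev": "0", "msg": "", "classtype": ""}
        policies = {}
        for opt in split_options(m.group("options")):
            name, _, value = opt.partition(":")
            name, value = name.strip(), value.strip()
            if name in fields:
                fields[name] = value.strip('"')
            elif name == "metadata":
                # VRT convention inside metadata: "policy <name> <alert|drop>"
                for item in value.split(","):
                    words = item.split()
                    if len(words) == 3 and words[0] == "policy":
                        policies[words[1]] = words[2]
        if fields["sid"] is None:
            continue  # no sid: not a usable rule
        rules.append(Rule(bool(m.group("disabled")), m.group("action"),
                          m.group("header").strip(), m.group("options"),
                          int(fields["sid"]), int(fields["rev"]),
                          fields["msg"], fields["classtype"], policies))
    return rules


def select_sids(rules: list, policy: str) -> list:
    """sids of the rules that VRT tags as members of `policy`."""
    return [r.sid for r in rules if policy in r.policies]


def apply_policy(text: str, policy: str, honor_drop: bool = False) -> str:
    """Enable the rules in `policy`, comment out other policy-tagged rules.
    Untagged rules and non-rule lines pass through untouched. honor_drop=True
    gives 'drop'-tagged rules the drop action (effective only inline/IPS)."""
    out = []
    for line in text.splitlines():
        parsed = parse_rules(line)
        if not parsed or not parsed[0].policies:
            out.append(line)
            continue
        r = parsed[0]
        action = r.action
        if policy in r.policies:
            if honor_drop and r.policies[policy] == "drop":
                action = "drop"
            out.append(f"{action} {r.header} ({r.options})")
        else:
            out.append(f"# {action} {r.header} ({r.options})")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(name, select_sids(parse_rules(SAMPLE_RULES), name))
    print(apply_policy(SAMPLE_RULES, "balanced-ips", honor_drop=True))
```

Run it against a real downloaded rules file by replacing SAMPLE_RULES with the file contents; rules that carry no policy tag are deliberately left as they ship, because the policy tags say nothing about them, so those still need the manual review the post describes. Promoting rules to drop only matters once Suricata is actually inline; in IDS mode the action is reported but nothing is blocked.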
Title: Re: IDS/IPS with snort VRT rules
Post by: bobbythomas on July 29, 2017, 12:20:10 am
I agree with SecAficionado. Is it possible to add a snort ruleset to the existing rule set?

Thank you,
Regards,
Bobby Thomas
Title: Re: IDS/IPS with snort VRT rules
Post by: fabian on July 29, 2017, 10:48:08 am
Yes, you can use this file as a sample:
https://github.com/opnsense/plugins/blob/master/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml

If you do it this way, OPNsense will keep your ruleset up to date if desired.
Title: Re: IDS/IPS with snort VRT rules
Post by: SecAficionado on August 30, 2017, 03:47:39 am
This is really cool. Thanks!!

I will give it a try to see if I can get it to work in my test firewall.