snort rules useless?

[siga75]

I never had a match on a snort rule despite having subscribed and having a LOT of them enabled
ET rules detect stuff, so suricata is working

Are snort rules so useless?

[siga75]

can someone just tell me if they get alerts from snort rules?

[aUser]

Sorry to bring back a post from long ago. I'm new to Opnsense and found this from google so thought I'd add a comment. I had the same experience (no snort rules triggered with the VRT ruleset, even when many are installed and enabled). There are around 100 rule loading errors, and the ET Open rules fire on mostly IP based rules so the install is ok. There are Snort VRT / Suricata 5 compatibility issues but to what extent I have not yet investigated. I have now enabled nearly every snort rule (except appID and deleted) to see the if it triggers alerts. Also intending to take a look at the ET Pro telemetry edition to see if there is any difference.

In general, if you are not going to be doing SSL decryption (but assuming you are using the web proxy and SNI) are any of the IDS rulesets worth having? I'm mostly interested in seeing IoC on any of the IoT devices, as well as keeping the bots to a minimum.

[aUser]

After enabling all the snort rules; no alerts. I did a nmap scan which triggered both ET Open scan and PT research, but no snort. I have applied for the pro telemetry rules to compare. I'm wondering, does anyone know if there are any tweaks needed to suricata to get the snort rules working, or is it not worth it?

[siga75]

I have since a couple of months some snort rules triggers, I don't know exactly why and when happened

[hushcoden]

I'm testing IDS with snort rules only (133k entries) since 8 days and not a single alert: I will keep testing for another week or two...

Quick one: if I'm running the IDS on the WAN interface only, in the 'home networks' section should I enter the WAN address only or WAN address + LAN networks ?

[Vilhonator]

This IS NOT MY AREA OF EXPERTISE, SO CORRECT IF I AM WRONG!!!!!!!!!!!!!!!!!!!

But way I understand IDS and IPS, is that they won't block just any connection which firewall blocks without IDS or IPS getting involved in it.

If you haven't forwarded ports to LAN, have set IDS for WAN Interface and try to test it out with simple connection attempt, then it is working as it should.

IDS won't react to connections which firewall manages to block all by it own, IDS reacts to connections, which for one reason or another get through firewall (either becuase port is forwarded or due to brute force or because some device from LAN is connected to source IP, and yes, LAN being connected to source IP. By default, all ports are blocked on WAN interface untill you either set port forwarding rule or firewall rule allowing connection to WAN address).

Way you test out if IDS and IPS both respectively work, is to expose your network to public and run different intrusion techniques and see if they get through or not.

[siga75]

IDS/IPS happens before firewall rules are applied, so there's no correlation between firewall rules and IPS

[aUser]

Update - I put both snort and ET pro (telemetry) rules on then prodded it with nmap / nikto. Both snort and ET fired at different times, so they are working I was just impatient.

Hushcoden, I don't know the answer to that sorry, I would have thought just the WAN interface. Turn on the ET scan rules and you should pick up plenty of sip scans. The snort set doesn't generate as many alerts, at least for me.