OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • IDS/IPS with snort VRT rules
« previous next »
  • Print
Pages: [1]

Author Topic: IDS/IPS with snort VRT rules  (Read 15159 times)

SecAficionado

  • Newbie
  • *
  • Posts: 42
  • Karma: 4
    • View Profile
IDS/IPS with snort VRT rules
« on: June 24, 2017, 06:57:57 pm »
Hello there,

I am new to OPNSense and I have been running it in VMs. I like it so far, but I really wish I had the option to use snort over suricata. I am a long time snort user and I am very comfortable administering it for my needs.

I am willing to try suricata, but I haven't found an option to use snort VRT rules. As you may know, there is a personal subscription for snort rules for US$30, which gives access to the latest rules. ET, by contrast, only has community rules for personal use, which are at least 30 days old (an eternity in cyber security terms).

Is there a plugin to download and configure VRT rules for suricata? I think it may be fairly straightforward to create, but I don't want to get into that if someone else has already created it. Perhaps more importantly, is there a reason why I shouldn't use snort VRT rules with suricata?

Thanks in advance!
Logged

mimugmail

  • Hero Member
  • *****
  • Posts: 6765
  • Karma: 494
    • View Profile
Re: IDS/IPS with snort VRT rules
« Reply #1 on: June 28, 2017, 11:01:37 am »
Havent worked with VRT yet, but it seems to be quite complicated with Suricata:

https://forum.pfsense.org/index.php?topic=124054.0
Logged
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

SecAficionado

  • Newbie
  • *
  • Posts: 42
  • Karma: 4
    • View Profile
Re: IDS/IPS with snort VRT rules
« Reply #2 on: June 29, 2017, 01:53:55 am »
Thanks for replying and for the link. Yes, this is definitely not a "fire-and-forget" type of setting. Loading and tuning IDS rules requires constant attention, perhaps a lot more than the average user is willing to pay.

I am aware of the differences between snort and suricata and, although I do not expect a 1 to 1 correspondence, I hope suricata can read and act upon a good portion of new snort rules. I just wanted an automated way to load the VRT rules each day. There is no automated way to pick and choose which rules make sense for one's network, so that part will be pretty much the same as with snort.

I'll check the way pfsense deals with the rules and see if there is a way to port that to opnsense. That is probably the best place to start.

Thanks!!!
Logged

bobbythomas

  • Full Member
  • ***
  • Posts: 134
  • Karma: 5
    • View Profile
Re: IDS/IPS with snort VRT rules
« Reply #3 on: July 29, 2017, 12:20:10 am »
I agree to SecAficionado, is it possible to add a snort ruleset to the existing rule set?

Thank you,
Regards,
Bobby Thomas
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2769
  • Karma: 200
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: IDS/IPS with snort VRT rules
« Reply #4 on: July 29, 2017, 10:48:08 am »
yes, you can use this file as a sample:
https://github.com/opnsense/plugins/blob/master/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml

If you do it this way, OPNsense will keep your ruleset up to date if desired.
Logged

SecAficionado

  • Newbie
  • *
  • Posts: 42
  • Karma: 4
    • View Profile
Re: IDS/IPS with snort VRT rules
« Reply #5 on: August 30, 2017, 03:47:39 am »
This is really cool. Thanks!!

I will give it a try to see if I can get it to work in my test firewall.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • IDS/IPS with snort VRT rules
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2