IDS/IPS with snort VRT rules

Started by SecAficionado, June 24, 2017, 06:57:57 PM

Hello there,

I am new to OPNsense and I have been running it in VMs. I like it so far, but I really wish I had the option to use snort over suricata. I am a longtime snort user and I am very comfortable administering it for my needs.

I am willing to try suricata, but I haven't found an option to use snort VRT rules. As you may know, there is a personal subscription for snort rules for US$30, which gives access to the latest rules. ET, by contrast, only has community rules for personal use, which are at least 30 days old (an eternity in cyber security terms).

Is there a plugin to download and configure VRT rules for suricata? I think it may be fairly straightforward to create, but I don't want to get into that if someone else has already created it. Perhaps more importantly, is there a reason why I shouldn't use snort VRT rules with suricata?

Thanks in advance!


Thanks for replying and for the link. Yes, this is definitely not a "fire-and-forget" type of setting. Loading and tuning IDS rules requires constant attention, perhaps a lot more than the average user is willing to pay.

I am aware of the differences between snort and suricata and, although I do not expect a 1 to 1 correspondence, I hope suricata can read and act upon a good portion of new snort rules. I just wanted an automated way to load the VRT rules each day. There is no automated way to pick and choose which rules make sense for one's network, so that part will be pretty much the same as with snort.

I'll check the way pfSense deals with the rules and see if there is a way to port that to OPNsense. That is probably the best place to start.

Thanks!!!

I agree with SecAficionado. Is it possible to add a snort ruleset to the existing rule set?

Thank you,
Regards,
Bobby Thomas


This is really cool. Thanks!!

I will give it a try to see if I can get it to work in my test firewall.