Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
snort rules useless?
« previous
next »
Print
Pages: [
1
]
Author
Topic: snort rules useless? (Read 5174 times)
siga75
Full Member
Posts: 185
Karma: 11
snort rules useless?
«
on:
November 12, 2019, 12:25:35 pm »
I never had a match on a snort rule despite having subscribed and having a LOT of them enabled
ET rules detect stuff, so suricata is working
Are snort rules so useless?
Logged
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet
siga75
Full Member
Posts: 185
Karma: 11
Re: snort rules useless?
«
Reply #1 on:
November 16, 2019, 02:50:23 pm »
can someone just tell me if they get alerts from snort rules?
Logged
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet
aUser
Newbie
Posts: 6
Karma: 1
Re: snort rules useless?
«
Reply #2 on:
September 14, 2020, 01:54:33 pm »
Sorry to bring back a post from long ago. I'm new to Opnsense and found this from google so thought I'd add a comment. I had the same experience (no snort rules triggered with the VRT ruleset, even when many are installed and enabled). There are around 100 rule loading errors, and the ET Open rules fire on mostly IP based rules so the install is ok. There are Snort VRT / Suricata 5 compatibility issues but to what extent I have not yet investigated. I have now enabled nearly every snort rule (except appID and deleted) to see the if it triggers alerts. Also intending to take a look at the ET Pro telemetry edition to see if there is any difference.
In general, if you are not going to be doing SSL decryption (but assuming you are using the web proxy and SNI) are any of the IDS rulesets worth having? I'm mostly interested in seeing IoC on any of the IoT devices, as well as keeping the bots to a minimum.
Logged
aUser
Newbie
Posts: 6
Karma: 1
Re: snort rules useless?
«
Reply #3 on:
September 15, 2020, 11:02:37 am »
After enabling all the snort rules; no alerts. I did a nmap scan which triggered both ET Open scan and PT research, but no snort. I have applied for the pro telemetry rules to compare. I'm wondering, does anyone know if there are any tweaks needed to suricata to get the snort rules working, or is it not worth it?
Logged
siga75
Full Member
Posts: 185
Karma: 11
Re: snort rules useless?
«
Reply #4 on:
September 15, 2020, 04:09:46 pm »
I have since a couple of months some snort rules triggers, I don't know exactly why and when happened
Logged
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet
hushcoden
Hero Member
Posts: 544
Karma: 23
Re: snort rules useless?
«
Reply #5 on:
September 19, 2020, 01:29:06 pm »
I'm testing IDS with snort rules only (133k entries) since 8 days and not a single alert: I will keep testing for another week or two...
Quick one: if I'm running the IDS on the WAN interface only, in the 'home networks' section should I enter the WAN address only or WAN address + LAN networks ?
«
Last Edit: September 19, 2020, 01:56:50 pm by hushcoden
»
Logged
Vilhonator
Full Member
Posts: 245
Karma: 13
Re: snort rules useless?
«
Reply #6 on:
September 19, 2020, 07:23:54 pm »
This IS NOT MY AREA OF EXPERTISE, SO CORRECT IF I AM WRONG!!!!!!!!!!!!!!!!!!!
But way I understand IDS and IPS, is that they won't block just any connection which firewall blocks without IDS or IPS getting involved in it.
If you haven't forwarded ports to LAN, have set IDS for WAN Interface and try to test it out with simple connection attempt, then it is working as it should.
IDS won't react to connections which firewall manages to block all by it own, IDS reacts to connections, which for one reason or another get through firewall (either becuase port is forwarded or due to brute force or because some device from LAN is connected to source IP, and yes, LAN being connected to source IP. By default, all ports are blocked on WAN interface untill you either set port forwarding rule or firewall rule allowing connection to WAN address).
Way you test out if IDS and IPS both respectively work, is to expose your network to public and run different intrusion techniques and see if they get through or not.
Logged
siga75
Full Member
Posts: 185
Karma: 11
Re: snort rules useless?
«
Reply #7 on:
September 20, 2020, 07:33:03 am »
IDS/IPS happens before firewall rules are applied, so there's no correlation between firewall rules and IPS
Logged
https://www.signorini.ch
Protectli Pfsense Mi7500L6 Intel 7Th Gen Core I7 7500U 16Gb Ddr4 Ram
512Gb Msata Ssd
6 X Intel Gigabit Ethernet
aUser
Newbie
Posts: 6
Karma: 1
Re: snort rules useless?
«
Reply #8 on:
September 21, 2020, 12:07:13 pm »
Update - I put both snort and ET pro (telemetry) rules on then prodded it with nmap / nikto. Both snort and ET fired at different times, so they are working I was just impatient.
Hushcoden, I don't know the answer to that sorry, I would have thought just the WAN interface. Turn on the ET scan rules and you should pick up plenty of sip scans. The snort set doesn't generate as many alerts, at least for me.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
snort rules useless?