Topic: IDS/IPS with snort VRT rules
SecAficionado
IDS/IPS with snort VRT rules
on: June 24, 2017, 06:57:57 pm
Hello there,
I am new to OPNsense and I have been running it in VMs. I like it so far, but I really wish I had the option to use snort over suricata. I am a long time snort user and I am very comfortable administering it for my needs.
I am willing to try suricata, but I haven't found an option to use snort VRT rules. As you may know, there is a personal subscription for snort rules for US$30, which gives access to the latest rules. ET, by contrast, only has community rules for personal use, which are at least 30 days old (an eternity in cyber security terms).
Is there a plugin to download and configure VRT rules for suricata? I think it may be fairly straightforward to create, but I don't want to get into that if someone else has already created it. Perhaps more importantly, is there a reason why I shouldn't use snort VRT rules with suricata?
Thanks in advance!
mimugmail
Re: IDS/IPS with snort VRT rules
Reply #1 on: June 28, 2017, 11:01:37 am
Haven't worked with VRT yet, but it seems to be quite complicated with Suricata:
https://forum.pfsense.org/index.php?topic=124054.0
SecAficionado
Re: IDS/IPS with snort VRT rules
Reply #2 on: June 29, 2017, 01:53:55 am
Thanks for replying and for the link. Yes, this is definitely not a "fire-and-forget" type of setting. Loading and tuning IDS rules requires constant attention, perhaps a lot more than the average user is willing to pay.
I am aware of the differences between snort and suricata and, although I do not expect a one-to-one correspondence, I hope suricata can read and act upon a good portion of new snort rules. I just wanted an automated way to load the VRT rules each day. There is no automated way to pick and choose which rules make sense for one's network, so that part will be pretty much the same as with snort.
I'll check the way pfSense deals with the rules and see if there is a way to port that to OPNsense. That is probably the best place to start.
Thanks!!!
bobbythomas
Re: IDS/IPS with snort VRT rules
Reply #3 on: July 29, 2017, 12:20:10 am
I agree with SecAficionado. Is it possible to add a snort ruleset to the existing rule set?
Thank you,
Regards,
Bobby Thomas
fabian
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: IDS/IPS with snort VRT rules
Reply #4 on: July 29, 2017, 10:48:08 am
Yes, you can use this file as a sample:
https://github.com/opnsense/plugins/blob/master/security/intrusion-detection-content-pt-open/src/opnsense/scripts/suricata/metadata/rules/pt-research.xml
If you do it this way, OPNsense will keep your ruleset up to date if desired.
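To show what fabian's suggestion looks like in practice, here is an added example of a ruleset metadata file for the Snort VRT subscription, modelled on the linked pt-research.xml sample. It is not code from this thread and not an official OPNsense file. The file name snort-vrt.xml, the install path, the snapshot number 2990, the OINKCODE placeholder, the chosen rule categories, and the assumption that a <file> element may carry its own url pointing at an archive from which the named file is extracted are all assumptions; check the element and attribute names against the sample file shipped with the OPNsense version in use.

```xml
<?xml version="1.0"?>
<!-- Added example, modelled on the pt-research.xml sample linked above.
     Not an official OPNsense metadata file: element and attribute names
     follow that sample and must be checked against the installed version.
     Assumed install path (mirrors the repository layout):
       /usr/local/opnsense/scripts/suricata/metadata/rules/snort-vrt.xml
     Placeholders: 2990 (the Snort 2.9.9.0 rule snapshot) and OINKCODE
     (the personal subscription code). The oinkcode is a credential: whoever
     can read this file can download the subscription, so keep it root-only. -->
<ruleset documentation_url="https://www.snort.org/documents">
    <!-- A single tarball carries every category; the <file> entries below
         are extracted from it. Following the sample, the archive URL is
         repeated on each <file> (assumption: the per-file url overrides
         the location url and is treated as an archive). -->
    <location url="https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=OINKCODE"
              prefix="snort-vrt"/>
    <files>
        <!-- Plain-text rule files only. The same tarball also ships so_rules/
             (compiled Snort shared-object rules) and preproc_rules/; both are
             Snort-specific and are deliberately not listed, because Suricata
             cannot load them. The element text is the file name inside the
             archive (assumption: matched by base name, so the rules/ prefix
             is omitted). -->
        <file description="snort-vrt/malware-cnc"
              url="https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=OINKCODE">malware-cnc.rules</file>
        <file description="snort-vrt/exploit-kit"
              url="https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=OINKCODE">exploit-kit.rules</file>
        <file description="snort-vrt/server-webapp"
              url="https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=OINKCODE">server-webapp.rules</file>
        <file description="snort-vrt/indicator-compromise"
              url="https://www.snort.org/rules/snortrules-snapshot-2990.tar.gz?oinkcode=OINKCODE">indicator-compromise.rules</file>
    </files>
</ruleset>
```

Once the file is in place, the new ruleset should show up alongside the built-in ones in the intrusion detection download tab and be refreshed on the same schedule. Two checks are worth doing after the first download: confirm the oinkcode was not written into a world-readable log or backup, and read the Suricata log for rules it rejected, since VRT rules that use Snort-only options will be skipped rather than silently matched.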
SecAficionado
Re: IDS/IPS with snort VRT rules
Reply #5 on: August 30, 2017, 03:47:39 am
This is really cool. Thanks!!
I will give it a try to see if I can get it to work in my test firewall.