Hand Super Tired Clicking Few Thousand Snort IDS Rules

Teo En Ming
Posts: 38
Joined: January 6th, 2018, 4:43 pm

Hand Super Tired Clicking Few Thousand Snort IDS Rules

Post by Teo En Ming » January 7th, 2018, 4:38 pm

My hand is super tired clicking a few thousand Snort IDS rules! I literally spent a few hours clicking and enabling all the thousands of Snort IDS rules. This is very time consuming!

Can we have a new feature in the next IPFire release allowing us to select/unselect all the Snort IDS rules with just one click?

Teo En Ming
Posts: 38
Joined: January 6th, 2018, 4:43 pm

Re: Hand Super Tired Clicking Few Thousand Snort IDS Rules

Post by Teo En Ming » January 7th, 2018, 4:40 pm

2nd question:

How can I download the ruleset for "Snort VRT Rules for Registered Users"?

When I click "Download new ruleset", I get the following errors:

--2018-01-08 00:38:57-- https://www.snort.org/rules/snortrules- ... ?oinkcode=
Resolving www.snort.org... 104.16.64.75, 104.16.66.75, 104.16.62.75, ...
Connecting to www.snort.org|104.16.64.75|:443... connected.
HTTP request sent, awaiting response... 422 Unprocessable Entity
2018-01-08 00:38:59 ERROR 422: Unprocessable Entity.

Teo En Ming
Posts: 38
Joined: January 6th, 2018, 4:43 pm

Re: Hand Super Tired Clicking Few Thousand Snort IDS Rules

Post by Teo En Ming » January 7th, 2018, 4:42 pm

3rd question:

I understand that all the rules in emerging-deleted.rules are deprecated/obsolete. So this means that I don't have to enable any rule in emerging-deleted.rules at all?

silverknight
Posts: 15
Joined: June 27th, 2010, 2:01 pm

Re: Hand Super Tired Clicking Few Thousand Snort IDS Rules

Post by silverknight » January 8th, 2018, 1:02 am

It sounds like you are trying to enable every single rule in every single ruleset. This is a common mistake for folks new to IPFire and IDS in general so if this is not the case you can ignore this.

You only need to enable rules that have value to your network. For example, if you don't host a web server on your network, then rulesets like emerging-web_server.rules, server-iis.rules and server-apache.rules aren't doing you any good and are only wasting system resources and slowing down packet flow by checking traffic against all these unneeded rules. Maintaining the IDS can be quite intensive, as old rules aren't catching the latest threats, which requires updating often, and the more rules you add the more work it becomes. I read your other post about slow internet download speeds, and if you are enabling a ton of IDS rules you do not need, then it would explain your speed issues.

Here are some rulesets from Emergingthreats that will provide a good starting point for protecting a general home network:

emerging-attack_response.rules
emerging-compromised.rules
emerging-current_events.rules
emerging-dos.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-malware.rules
emerging-mobile_malware.rules
emerging-rbn-malvertisers.rules
emerging-rbn.rules
emerging-shellcode.rules
emerging-trojan.rules

Note that this list isn't comprehensive at all; IDS setup is always tailored to the needs of the network it's protecting.

Teo En Ming
Posts: 38
Joined: January 6th, 2018, 4:43 pm

Re: Hand Super Tired Clicking Few Thousand Snort IDS Rules

Post by Teo En Ming » January 8th, 2018, 2:02 am

silverknight wrote:
January 8th, 2018, 1:02 am
It sounds like you are trying to enable every single rule in every single ruleset. This is a common mistake for folks new to IPFire and IDS in general so if this is not the case you can ignore this.

You only need to enable rules that have value to your network. For example, if you don't host a web server on your network, then rulesets like emerging-web_server.rules, server-iis.rules and server-apache.rules aren't doing you any good and are only wasting system resources and slowing down packet flow by checking traffic against all these unneeded rules. Maintaining the IDS can be quite intensive, as old rules aren't catching the latest threats, which requires updating often, and the more rules you add the more work it becomes. I read your other post about slow internet download speeds, and if you are enabling a ton of IDS rules you do not need, then it would explain your speed issues.

Here are some rulesets from Emergingthreats that will provide a good starting point for protecting a general home network:

emerging-attack_response.rules
emerging-compromised.rules
emerging-current_events.rules
emerging-dos.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-malware.rules
emerging-mobile_malware.rules
emerging-rbn-malvertisers.rules
emerging-rbn.rules
emerging-shellcode.rules
emerging-trojan.rules

Note that this list isn't comprehensive at all; IDS setup is always tailored to the needs of the network it's protecting.

Hi Silverknight,

I am trying to create a versatile, comprehensive, and general purpose firewall appliance. This is why I am enabling all the Snort IDS rules in all the rulesets as far as possible.

After that, I am going to clone my IPFire machine using Clonezilla or other cloning software. When I restore the hard disk image on any number of similar hardware machines, it can be deployed immediately in any environment without further fine-tuning, like home, SOHO, or small business. Something like "mass production".

Hellfire
Posts: 697
Joined: November 8th, 2015, 8:54 am

Re: Hand Super Tired Clicking Few Thousand Snort IDS Rules

Post by Hellfire » January 8th, 2018, 11:20 am

silverknight wrote:
January 8th, 2018, 1:02 am
It sounds like you are trying to enable every single rule in every single ruleset. This is a common mistake for folks new to IPFire and IDS in general so if this is not the case you can ignore this.

You only need to enable rules that have value to your network.
However, when using browsers like Chrome, IE or Firefox one HAS to activate each single ruleset, and this is indeed annoying and time consuming. Of course this is just an example and YMMV; OTOH I fully understand the pain of the OP.

Btw, I already started editing the rules files themselves using an external editor. I remove the comment char (#) from each single rule line and upload the file to IPFire again.

A restart of IDS is necessary of course.

Michael

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Hand Super Tired Clicking Few Thousand Snort IDS Rules

Post by bloater99 » January 8th, 2018, 8:47 pm

If I remember correctly, the IDS rules when updated default to certain rules in each ruleset being activated, and certain rules disabled. Here's the rub: each time you update the rulesets, they are RESET to these defaults. So it makes no sense to customize the rules within each set. Just click the rulesets you want enabled, and go with whatever the default individual rules are within each set.
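Hellfire's approach of toggling the leading comment character on each rule line, and bloater99's warning that a ruleset update resets every per-rule change, both come down to the same mechanical job: apply a stated enable/disable policy to a Snort .rules file, and be able to re-apply it after every download. The script below is an added example written for this thread; it is not IPFire's own code and not part of the IPFire IDS update mechanism. It parses rule lines by their leading action keyword and their `sid:` option, keeps ordinary comment lines untouched, and is idempotent, so it can be run again each time the rulesets are refreshed. The sample rules embedded at the top are constructed for the example (SIDs in the 9000000 range, which is reserved for local rules, not real Emerging Threats or VRT signatures), and the file path used in the usage block is an assumption.

```python
"""Apply an enable/disable policy to Snort rule files (added example, not IPFire code)."""
from __future__ import annotations

import argparse
import re
from pathlib import Path

# A rule line, optionally commented out with one or more '#' characters.
# 'prefix' is whatever precedes the rule body; 'body' is the rule itself.
RULE_RE = re.compile(
    r"^(?P<prefix>\s*#*\s*)"
    r"(?P<body>(?:alert|log|pass|drop|reject|sdrop)\b.*\bsid\s*:\s*(?P<sid>\d+)\s*;.*)$"
)

# Constructed sample file, modelled on the Emerging Threats layout. Not real rules.
SAMPLE = """\
# emerging-example.rules -- constructed sample for the example, not a real ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE one"; sid:9000001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE two"; sid:9000002; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE three"; sid:9000003; rev:2;)
# This is an ordinary comment, not a rule, and must be left alone.
"""


def rule_status(text: str) -> dict[int, bool]:
    """Return {sid: enabled} for every rule line found in the text."""
    status: dict[int, bool] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            status[int(m.group("sid"))] = m.group("prefix").strip() == ""
    return status


def apply_policy(
    text: str,
    enable_sids: set[int] | frozenset[int] = frozenset(),
    disable_sids: set[int] | frozenset[int] = frozenset(),
    enable_all: bool = False,
) -> tuple[str, dict[str, int]]:
    """Rewrite rule lines so they match the policy; return (new_text, change counts).

    Precedence: an explicit disable wins over enable_all or an explicit enable,
    so a noisy rule stays off even when the whole file is switched on.
    Lines that are not rules (headers, comments, blanks) pass through unchanged.
    """
    out: list[str] = []
    changed = {"enabled": 0, "disabled": 0}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)
            continue
        sid = int(m.group("sid"))
        body = m.group("body").rstrip()
        currently_enabled = m.group("prefix").strip() == ""
        if sid in disable_sids:
            want_enabled = False
        elif enable_all or sid in enable_sids:
            want_enabled = True
        else:
            want_enabled = currently_enabled  # no policy for this sid: leave as found
        if want_enabled and not currently_enabled:
            changed["enabled"] += 1
        elif not want_enabled and currently_enabled:
            changed["disabled"] += 1
        # Disabled rules are normalised to "# <rule>", the form Hellfire edits by hand.
        out.append(body if want_enabled else "# " + body)
    return "\n".join(out) + "\n", changed


def apply_policy_to_file(path: Path, **policy) -> dict[str, int]:
    """Rewrite a rules file in place and return the change counts."""
    new_text, changed = apply_policy(path.read_text(), **policy)
    path.write_text(new_text)
    return changed


if __name__ == "__main__":
    # Usage (paths are assumptions, adjust to your install):
    #   python3 snort_rule_policy.py /var/ipfire/snort/rules/emerging-trojan.rules \
    #       --enable-all --disable 2000001 2000002
    ap = argparse.ArgumentParser(description="Apply an enable/disable policy to a Snort rules file")
    ap.add_argument("rules_file", type=Path)
    ap.add_argument("--enable-all", action="store_true", help="enable every rule in the file")
    ap.add_argument("--enable", type=int, nargs="*", default=[], help="SIDs to enable")
    ap.add_argument("--disable", type=int, nargs="*", default=[], help="SIDs to keep disabled")
    args = ap.parse_args()
    counts = apply_policy_to_file(
        args.rules_file,
        enable_sids=set(args.enable),
        disable_sids=set(args.disable),
        enable_all=args.enable_all,
    )
    print(f"{args.rules_file}: enabled {counts['enabled']}, disabled {counts['disabled']}")
```

Because the policy lives in the command line (or a small list of SIDs you keep outside the rules directory) rather than in the rules files, bloater99's reset-on-update problem becomes a one-line re-run after each download instead of hours of clicking. Keeping an explicit disable list also gives the selective control silverknight argues for: the whole file can be switched on for a "general purpose" image while individual rules known to be noisy or irrelevant stay off, and a restart of the IDS is still required afterwards, as Hellfire notes.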
