Snort mailing list archives

Re: Questions on Snort 3 rulesets


From: "Russ Combs \(rucombs\) via Snort-devel" <snort-devel () lists snort org>
Date: Sun, 26 Apr 2020 22:37:36 +0000

Thanks Noah.  Talos will get the first one.  Comments on the rest inline.

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Noah Dietrich <noah_dietrich () 86penny org>
Date: Sunday, April 26, 2020 at 1:28 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Questions on Snort 3 rulesets


1. Are community rulesets included in the registered ruleset?
From the snort FAQ (https://www.snort.org/faq/what-are-the-differences-in-the-rule-sets), it sounds like the community 
ruleset is included in the registered ruleset, however the included snort.lua in the registered ruleset looks to 
reference a separate community ruleset (--include = 'snort3_community.rules'), I'm not sure if this is just because 
it's an example or if we need to include it explicitly as well.

2. Is pulledpork going to be updated for snort 3?
I'm not sure if this is the correct place to ask, but I'm not seeing any mention of snort 3 on the pulledpork GitHub 
site.

CRC: I would ask there but you can shirkdog is on snort-users if not here.

3. Question on Built-in rules
What's the difference between the builtin rules in the registered ruleset (./builtin/builtin.rules) and the 
"enable_builtin_rules = true" IPS option?  Is the builtin.rules file just to provide additional information when alerts 
are being output (when the enable_builtin_rules is enabled)?

CRC: ips.enable_builtin_rules is just a convenience for turning on all builtin rules that is primarily used for 
testing.  Normally builtin rules would be configured the same way as text rules and, as you point out, they may include 
additional meta data like classtype and references.  Builtin rules enabled via Lua or rule stubs behave the same.

4. Configuring which rules are loaded in snort.lua:
I see that in snort.lua's IPS section, there are a few ways to configure rules:
the rules array (rules = [[ ... ]] )
the include option (include = '..')
can the 'include' option be used more than once, or do we have to use the rules array or an include.ips file?

CRC: ips.rules accepts a multiline string which may contain the same stuff you put in a rules file.  You may only 
specify ips.rules and/or ips.include once each; additional values override earlier values.  Either way you can 
configure a single include file that contains other includes.  Up to you if you want to just put all the includes in 
ips.rules or in a separate file.

5. Is the sid-msg.map still needed?
This file is still included with the snort3 community rules, but not with the registered rules. Is this file still 
necessary with snort 3 rules?

CRC: sid-msg.map is for legacy event databases.  You can generate one like this:

$ snort --rule-path <path/to/rules/> --gen-msg-map > sid-msg.map

If you aren’t using it now you can safely ignore it.

Thanks
Noah
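The ips configuration Russ describes in his replies to questions 3 and 4 (ips.enable_builtin_rules as a testing convenience, a single ips.include pointing at a file that includes others, and ips.rules as a multiline string with rules-file contents), written out as one snort.lua fragment. This is an added example, not a file from the thread or from the Snort project; the RULE_PATH directory, the file names local.rules and include.rules, and the gid/sid values in the builtin stub are assumptions for illustration and should be replaced with the values from your own ruleset and builtin.rules.

```lua
-- Added example: an ips section for snort.lua illustrating the options
-- discussed in the thread. Paths and rule ids are placeholders.

-- Assumed rules directory; adjust to your install.
RULE_PATH = '/usr/local/etc/rules'

ips =
{
    -- Turning this on enables every decoder/inspector (builtin) rule at once.
    -- Russ notes that is mainly for testing, so leave it off in production and
    -- enable the builtin rules you want individually via rule stubs instead.
    enable_builtin_rules = false,

    -- ips.include may be given only once (a later value overrides an earlier
    -- one), so point it at one master file that itself includes the
    -- registered, community and local rule files.
    include = RULE_PATH .. '/include.rules',

    -- ips.rules takes a multiline string with the same contents a rules file
    -- may have, including further include lines. It can be used instead of,
    -- or in addition to, ips.include; both are shown here for illustration.
    rules = [[
        # include another rules file (assumed name)
        include /usr/local/etc/rules/local.rules

        # builtin rule stub: enables one builtin rule and attaches metadata
        # (gid/sid here are placeholders; copy real stubs from builtin.rules)
        alert ( gid:116; sid:1; msg:"decoder alert (placeholder)"; classtype:protocol-command-decode; )
    ]],

    -- keep the default network/port variables from snort_defaults.lua
    variables = default_variables,
}
```

With this layout, include.rules becomes the single place to list which ruleset files are loaded, and the registered, community and local files stay separate on disk. A builtin stub listed in ips.rules behaves the same as one loaded from a rules file, as Russ points out, so the choice between the two is only about where you prefer to keep the list. If you still feed a legacy event database, run the `--gen-msg-map` command from Russ's reply against the same rules directory after editing it so the map stays in step with the loaded rules.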

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!