Snort mailing list archives

Re: Understanding usage to LightSPD rules


From: "Patrick Mullen (pamullen) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 21 Mar 2024 12:20:36 +0000

Dheeraj,

Thank you for your query.  It’s great seeing someone asking about using lightSPD!  It’s much better than the old-style 
single-use packages in my opinion, as it’s intended to handle everything all at once and be easier to manage.

There’s a blog post about its usage here: https://blog.snort.org/2020/12/soft-release-lightspd-new-rules-package.html 
but I’ll also address your questions directly here.

Regarding the “old style” package names, you are correct that we don’t change them for every release anymore since the 
releases come out every two weeks.  We only add a new package/package name when something has changed that requires it, 
whether it’s a new SO API requiring new SO module builds, new features requiring new configuration options, or 
something else.  Which is a great segue to why lightSPD exists – lightSPD supports *every* version of Snort 3 
concurrently.

I’m glad you’re using the manifest.  The way it’s used, which you’ve probably figured out, is you select the version 
that is the highest version that is less than or equal to the version of snort that you are running.  Inside the 
manifest, you will find the policy (configuration) files to use and what modules (plugins-path) directory to use.

Now, on to your questions –


  1.  Rule groups and “extended” rule groups are a product feature, not currently released to Open Source.  They are 
another way of grouping rules together by type, beyond the classic rule categories we’ve used for the past many, many 
years.  Maybe someday we’ll release that information to Open Source.  In the meantime, it probably wouldn’t be a bad 
idea to clean those entries out of the OS manifest file.  For now, you can just ignore them.
  2.  I’m not sure what you mean by “gather the non-SO rules.”  I suspect this might mean you’re using lightSPD as a 
source of getting files to then load snort the “old way” as opposed to loading the configuration out of lightSPD 
directly.  If you load the configuration in lightSPD as you would traditionally, everything is handled internally 
through the use of the include files.
  3.  Regarding best practices for rule management -- That’s a really good question.  Historically, I would say “enable 
rules that apply to your environment, disable rules that you feel create ‘noise’ in your environment,” but in this 
context I see what you’re asking for.  I suppose the honest answer is, regarding lightSPD and OS users, the answer is 
“no, not really” but you’ve sparked some thoughts about some enhancements that could possibly be made to the OS release 
of lightSPD (btw, the reason I keep talking about “OS release of lightSPD” and “product features in lightSPD” is 
because unlike the old days of monolithic packages, what you are receiving when you download lightSPD from snort.org is 
literally the same package as we use in Cisco products.  That’s why now there are all four policies (connectivity, 
balanced, security, max detect) in both configuration and ruleset located within it) to make life easier for our OS 
users.  Let me put some thought into this and talk to the team about it.  There are some other features for OS users 
that I also need to hand off, so I can hopefully bring in an easier-to-use rule management system at the same time.


Thanks,

~Patrick
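The manifest selection rule Patrick describes above (pick the highest manifest version that is less than or equal to the running Snort version, then read the policy and modules paths from that entry, ignoring the extended_rule_groups entries) is small enough to show in code. This is an added example, not code from Snort, pulledpork3 or the thread: the manifest below is constructed, and the key names "snort versions", "policies_path", "modules_path" and "extended_rule_groups" are assumptions standing in for whatever the real manifest.json uses. It compares versions numerically rather than as strings, which is the detail the prose does not spell out (lexically, "3.1.5.0" sorts above "3.1.35.0").

```python
import json
import re
from typing import Dict, Optional, Tuple

# Constructed manifest modelled on the description in the thread: one entry per
# Snort version, each naming a policy directory and a modules (plugin-path)
# directory. The key names are assumptions for this example, not the real file.
SAMPLE_MANIFEST = json.loads("""
{
  "snort versions": {
    "3.0.0.0": {
      "policies_path": "/policies/3.0.0.0",
      "modules_path": "/modules/3.0.0.0",
      "extended_rule_groups": "/policies/3.0.0.0/extended_rule_groups.json"
    },
    "3.1.35.0": {
      "policies_path": "/policies/3.1.35.0",
      "modules_path": "/modules/3.1.35.0",
      "extended_rule_groups": "/policies/3.1.35.0/extended_rule_groups.json"
    },
    "3.1.50.0": {
      "policies_path": "/policies/3.1.50.0",
      "modules_path": "/modules/3.1.50.0",
      "extended_rule_groups": "/policies/3.1.50.0/extended_rule_groups.json"
    }
  }
}
""")

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexical."""
    if not VERSION_RE.match(text):
        raise ValueError(f"not a four-part Snort version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def select_manifest_version(manifest: Dict, running_version: str) -> Optional[str]:
    """Highest manifest version <= the running Snort version, or None if the
    running Snort is older than every version the manifest knows about."""
    target = parse_version(running_version)
    candidates = [v for v in manifest["snort versions"] if parse_version(v) <= target]
    if not candidates:
        return None
    return max(candidates, key=parse_version)


def resolve_paths(manifest: Dict, running_version: str) -> Dict[str, str]:
    """Return the policy and modules paths for the selected manifest entry.
    The extended_rule_groups key is deliberately not read: per the reply above,
    it is a product feature and Open Source users can ignore it."""
    chosen = select_manifest_version(manifest, running_version)
    if chosen is None:
        raise LookupError(f"no manifest entry is <= Snort {running_version}")
    entry = manifest["snort versions"][chosen]
    return {
        "version": chosen,
        "policies_path": entry["policies_path"],
        "modules_path": entry["modules_path"],
    }


if __name__ == "__main__":
    # Stand-alone demonstration against the constructed manifest.
    for running in ("3.1.40.0", "3.1.5.0", "3.2.0.0"):
        print(running, "->", resolve_paths(SAMPLE_MANIFEST, running))
```

Hard-coding a single directory such as 3.0.0.0 (the pulledpork3 behaviour Dheeraj mentions) is what this replaces: the same function keeps working as new version directories appear in the package, and it fails loudly instead of silently loading the wrong policy when the running Snort predates every manifest entry.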


---------- Forwarded message ---------
From: 'Dheeraj Gupta via Snort-sigs' via Research (VRT) <research () sourcefire com>
Date: Thu, Mar 21, 2024 at 1:43 AM
Subject: [Snort-sigs] Understanding usage to LightSPD rules
To: <snort-users () lists snort org>, <snort-sigs () lists snort org>

Hi,

We have been using the snapshot ruleset for Snort for many years with pulledpork (the original Perl script, which 
has been patched to support Snort3). With Snort3 and its accelerated release cycle, snapshots are no longer generated 
for each version. So these days we download the latest snapshot and just rename it to whatever version we are using for 
pulledpork to pick it up.

The available guidance on official site points to using the LightSPD rules and I have seen that the stated goal of 
pulledpork3 Python project is to support Snort3 rule management using traditional snapshot or new LightSPD rules.

My understanding is that LightSPD rules basically bundle all the rules for all the versions together and use a 
`manifest.json` to allow users to choose the correct ruleset based on their version. However, I have a few queries:

1. In manifest.json in LightSPD, under each version, there is a key called "extended_rule_groups" which points to a 
bunch of `extended_rule_groups.json` files. However, these JSON files do not exist at their purported paths. Is this a 
bug or are these files part of a future improvement which is not yet implemented?

2. How are we supposed to gather the non-SO rules? Should we just recurse under all directories and gather all the 
rules or is manifest.json to be used there as well?

3. The last commit to Pulledpork3 project was almost a year ago. Since then it appears that rule directory structure 
has been updated. E.g. new rulesets have subdirectories other than 3.0.0.0 (3.1.35.0 etc.). But the code has only a 
single sub-directory (3.0.0.0) hard-coded in it. Thus, it doesn't seem that newer rulesets will be processed correctly 
by Pulledpork3. Old pulledpork (perl one) while able to support Snort3 has no concept of LightSPD rules. So how are we 
supposed to apply these rules while running Snort?

4. Is there an up-to-date general documentation about best practices for Snort signature management?

Regards,
Dheeraj
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset (https://snort.org/downloads/#rule-downloads); make sure to stay up to date to catch the most emerging threats!
