tag:itus.accessinnov.com,2006:forum-220 | Nabble - Snort rules, tuning, and info | 2024-03-28T18:31:50Z
tag:itus.accessinnov.com,2006:post-2162 | Re: What speeds are you getting while IDS / IPS is turned on | 2020-09-11T20:18:19Z | 2020-09-11T20:18:19Z | Grommish
And, just like that, by turning it to Active rather than Passive, I picked up a bit of throughput.
<br/><br/><img src="https://itus.accessinnov.com/file/n2162/Screenshot_from_2020-09-11_23-16-04.png" border="0"/><br/><br/><blockquote class="quote dark-border-color"><div class="quote light-border-color">
<div class="quote-message"><pre>
root@OpenWrt:/etc/snort# snort -v -c /etc/snort/snort.lua -i eth0:br-lan --daq-dir /usr/lib/daq --daq afpacket --daq-var debug --daq-var fanout_type=hash --daq-var fanout_flag=defrag -A alert_full --tweaks talos -Q -D
--------------------------------------------------
o")~ Snort++ 3.0.0-247
--------------------------------------------------
Loading /etc/snort/snort.lua:
ips
dce_http_proxy
wizard
pop
ftp_server
ssl
stream_icmp
ftp_data
dnp3
alerts
telnet
latency
profiler
dce_udp
alert_fast
daq
classifications
imap
references
binder
appid
ftp_client
smtp
gtp_inspect
port_scan
dce_tcp
back_orifice
ssh
rpc_decode
normalizer
stream_tcp
modbus
http2_inspect
http_inspect
arp_spoof
stream_user
stream_udp
stream_ip
stream_file
stream
dce_http_server
dce_smb
sip
file_id
dns
Finished /etc/snort/snort.lua.
Loading builtin:
Finished builtin.
Loading /etc/snort/snort3-community-rules/snort3-community.rules:
Finished /etc/snort/snort3-community-rules/snort3-community.rules.
--------------------------------------------------
rule counts
total rules loaded: 1300
text rules: 829
builtin rules: 471
option chains: 1300
chain headers: 46
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 534 3 0 0
src 124 3 0 0
dst 539 98 0 0
both 0 1 0 0
total 1197 105 0 0
--------------------------------------------------
flowbits
defined: 20
not checked: 11
not set: 3
--------------------------------------------------
service rule counts - tcp to-srv to-cli
dns: 1 0
ftp: 7 2
ftp-data: 0 8
http: 485 92
imap: 0 8
irc: 4 1
netbios-ssn: 15 1
pop3: 0 8
smtp: 16 0
ssl: 14 31
telnet: 1 0
total: 543 151
--------------------------------------------------
service rule counts - udp to-srv to-cli
dns: 88 2
http: 4 0
total: 92 2
--------------------------------------------------
fast pattern port groups src dst any
packet: 13 24 2
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 10 6
key: 1 0
header: 1 4
body: 1 0
file: 2 4
--------------------------------------------------
search engine
instances: 65
patterns: 2719
pattern chars: 49786
num states: 38972
num match states: 2649
memory scale: MB
total memory: 1.04895
pattern memory: 0.151139
match list memory: 0.384735
transition memory: 0.505138
Binder
Wizard
Normalizer config:
ip4.base: on
ip4.df: off
ip4.rf: off
ip4.tos: off
ip4.trim: off
ip4.ttl: on (min=1, new=5)
icmp4: off
icmp6: off
tcp.ecn: off
tcp.block: on
tcp.rsv: on
tcp.pad: on
tcp.req_urg: on
tcp.req_pay: on
tcp.req_urp: on
tcp.urp: on
tcp.opt: on (allow )
tcp.ips: on
tcp.trim_syn: off
tcp.trim_rst: off
tcp.trim_win: off
tcp.trim_mss: off
Stream ICMP config:
Timeout: 30 seconds
Stream IP config:
Timeout: 30 seconds
Defrag engine config:
engine-based policy: LINUX
Fragment timeout: 30 seconds
Fragment min_ttl: 1
Max frags: 8192
Max overlaps: 0
Min fragment Length: 0
Stream UDP config:
Timeout: 30 seconds
Stream user config:
Timeout: 30 seconds
Stream TCP Policy config:
Reassembly Policy: bsd
Timeout: 30 seconds
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Require 3-Way Handshake: NO
back_orifice
arpspoof configured
HttpInspect
DNS
POP config:
Base64 Decoding: Enabled
Base64 Decoding Depth: 1460
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1460
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1460
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1460
SIP config:
Max number of dialogs in a session: 4 (Default)
Ignore media channel: DISABLED
Max URI length: 256 (Default)
Max Call ID length: 256 (Default)
Max Request name length: 20 (Default)
Max From length: 256 (Default)
Max To length: 256 (Default)
Max Via length: 1024 (Default)
Max Contact length: 256 (Default)
Max Content length: 1024 (Default)
Methods:
invite cancel ack bye register options
DCE SMB config:
Defragmentation: ENABLED
Max Fragment length: 65535
Policy : WinXP
Reassemble Threshold : 0
SMB fingerprint policy : Disabled
Maximum SMB command chaining: 3
Maximum SMB compounded requests: 3
SMB file inspection: Disabled
SMB valid versions : all
ftp_server:
Check for Telnet Cmds: OFF
Ignore Telnet Cmd Operations: OFF
Ignore open data channels: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
SSL config:
DNP3 config:
Check CRC: DISABLED
TELNET CONFIG:
Are You There Threshold: -1
Normalize: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
DCE UDP config:
Defragmentation: ENABLED
Max Fragment length: 65535
SMTP Config:
Normalize: none
Ignore Data: No
Ignore TLS Data: No
Max Command Line Length: Unlimited
Max Specific Command Line Length: None
Max Header Line Length: Unlimited
Max Auth Command Line Length: 1000
Max Response Line Length: Unlimited
X-Link2State Enabled: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
Base64 Decoding: Enabled
Base64 Decoding Depth: 1464
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1464
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1464
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1464
Log Attachment filename: Enabled
Log MAIL FROM Address: Not Enabled
Log RCPT TO Addresses: Not Enabled
Log Email Headers: Not Enabled
Http2Inspect
IMAP config:
Base64 Decoding: Enabled
Base64 Decoding Depth: 1460
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1460
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1460
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1460
rpc_decode
SSH config:
Max Encrypted Packets: 25
Max Server Version String Length: 80
MaxClientBytes: 19600
DCE TCP config:
Defragmentation: ENABLED
Max Fragment length: 65535
Policy : WinXP
Reassemble Threshold : 0
AppId Configuration
Detector Path: (null)
appStats Logging: disabled
[ 3181.127107] device br-lan entered promiscuous mode
appStats Period: 300 secs
appStats Rollover Size: 20971520 bytes
appStats Rollover time: 86400 secs
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Memcap (in bytes): 1048576
Number of Nodes: 6898
--------------------------------------------------
afpacket DAQ configured to inline.
initializing daemon mode
child process is 4051
Commencing packet processing
++ [0] eth0:br-lan
root@OpenWrt:/etc/snort# Version: 1
Header Length: 32
AFPacket Layout:
Frame Size: 1584
Frames: 21180
Block Size: 32768 (Order 3)
Blocks: 1059
Created a ring of type 5 with total size of 34701312
AFPacket Layout:
Frame Size: 1584
Frames: 21180
Block Size: 32768 (Order 3)
Blocks: 1059
Created a ring of type 13 with total size of 34701312
[ 3181.211105] device eth0 entered promiscuous mode
Version: 1
Header Length: 32
AFPacket Layout:
Frame Size: 1584
Frames: 21180
Block Size: 32768 (Order 3)
Blocks: 1059
Created a ring of type 5 with total size of 34701312
AFPacket Layout:
Frame Size: 1584
Frames: 21180
Block Size: 32768 (Order 3)
Blocks: 1059
Created a ring of type 13 with total size of 34701312
</pre></div>
</div></blockquote>
<div class="signature weak-color">
Running Itus Shield v2 Firmware
</div>
tag:itus.accessinnov.com,2006:post-2161 | Re: What speeds are you getting while IDS / IPS is turned on | 2020-09-11T20:09:57Z | 2020-09-11T20:09:57Z | Grommish
Without Snort3
<br/><br/><img src="https://itus.accessinnov.com/file/n2161/Screenshot_from_2020-09-11_23-04-08.png" border="0"/><br/><br/>With Snort3
<br/><br/><img src="https://itus.accessinnov.com/file/n2161/Screenshot_from_2020-09-11_23-06-28.png" border="0"/><br/><br/>Below is the console output.
<br/><br/>That being said, it's in no way optimized, and the rules are the straight community ruleset.
<br/><br/><blockquote class="quote dark-border-color"><div class="quote light-border-color">
<div class="quote-message"><pre>
root@OpenWrt:/etc/snort# snort -v -c /etc/snort/snort.lua -i eth0:br-lan --daq-dir /usr/lib/daq --daq afpacket --daq-var debug --daq-var fanout_type=hash --daq-var fanout_flag=defrag -A alert_full -D
--------------------------------------------------
o")~ Snort++ 3.0.0-247
--------------------------------------------------
Loading /etc/snort/snort.lua:
ips
dce_http_proxy
wizard
pop
ftp_server
ssl
stream_icmp
ftp_data
dnp3
telnet
latency
dce_udp
imap
classifications
references
binder
appid
ftp_client
smtp
gtp_inspect
port_scan
back_orifice
dce_tcp
ssh
rpc_decode
stream_tcp
normalizer
modbus
http2_inspect
http_inspect
arp_spoof
stream_user
stream_udp
stream_ip
stream_file
stream
dce_http_server
dce_smb
sip
file_id
dns
Finished /etc/snort/snort.lua.
Loading builtin:
Finished builtin.
Loading /etc/snort/snort3-community-rules/snort3-community.rules:
Finished /etc/snort/snort3-community-rules/snort3-community.rules.
--------------------------------------------------
rule counts
total rules loaded: 1300
text rules: 829
builtin rules: 471
option chains: 1300
chain headers: 46
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 534 3 0 0
src 124 3 0 0
dst 539 98 0 0
both 0 1 0 0
total 1197 105 0 0
--------------------------------------------------
flowbits
defined: 20
not checked: 11
not set: 3
--------------------------------------------------
service rule counts - tcp to-srv to-cli
dns: 1 0
ftp: 7 2
ftp-data: 0 8
http: 485 92
imap: 0 8
irc: 4 1
netbios-ssn: 15 1
pop3: 0 8
smtp: 16 0
ssl: 14 31
telnet: 1 0
total: 543 151
--------------------------------------------------
service rule counts - udp to-srv to-cli
dns: 88 2
http: 4 0
total: 92 2
--------------------------------------------------
fast pattern port groups src dst any
packet: 13 24 2
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 10 6
key: 1 0
header: 1 4
body: 1 0
file: 2 4
--------------------------------------------------
search engine
instances: 65
patterns: 2719
pattern chars: 49786
num states: 38972
num match states: 2649
memory scale: MB
total memory: 1.04895
pattern memory: 0.151139
match list memory: 0.384735
transition memory: 0.505138
Binder
Wizard
Normalizer config:
ip4.base: on
ip4.df: off
ip4.rf: off
ip4.tos: off
ip4.trim: off
ip4.ttl: on (min=1, new=5)
icmp4: off
icmp6: off
tcp.ecn: off
tcp.block: on
tcp.rsv: on
tcp.pad: on
tcp.req_urg: on
tcp.req_pay: on
tcp.req_urp: on
tcp.urp: on
tcp.opt: on (allow )
tcp.ips: off
tcp.trim_syn: off
tcp.trim_rst: off
tcp.trim_win: off
tcp.trim_mss: off
Stream ICMP config:
Timeout: 30 seconds
Stream TCP Policy config:
Reassembly Policy: bsd
Timeout: 30 seconds
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Require 3-Way Handshake: NO
Stream user config:
Timeout: 30 seconds
Stream UDP config:
Timeout: 30 seconds
Stream IP config:
Timeout: 30 seconds
Defrag engine config:
engine-based policy: LINUX
Fragment timeout: 30 seconds
Fragment min_ttl: 1
Max frags: 8192
Max overlaps: 0
Min fragment Length: 0
arpspoof configured
back_orifice
DNS
HttpInspect
Http2Inspect
DCE SMB config:
Defragmentation: ENABLED
Max Fragment length: 65535
Policy : WinXP
Reassemble Threshold : 0
SMB fingerprint policy : Disabled
Maximum SMB command chaining: 3
Maximum SMB compounded requests: 3
SMB file inspection: Disabled
SMB valid versions : all
SIP config:
Max number of dialogs in a session: 4 (Default)
Ignore media channel: DISABLED
Max URI length: 256 (Default)
Max Call ID length: 256 (Default)
Max Request name length: 20 (Default)
Max From length: 256 (Default)
Max To length: 256 (Default)
Max Via length: 1024 (Default)
Max Contact length: 256 (Default)
Max Content length: 1024 (Default)
Methods:
invite cancel ack bye register options
rpc_decode
SSH config:
Max Encrypted Packets: 25
Max Server Version String Length: 80
MaxClientBytes: 19600
DCE TCP config:
Defragmentation: ENABLED
Max Fragment length: 65535
Policy : WinXP
Reassemble Threshold : 0
SMTP Config:
Normalize: none
Ignore Data: No
Ignore TLS Data: No
Max Command Line Length: Unlimited
Max Specific Command Line Length: None
Max Header Line Length: Unlimited
Max Auth Command Line Length: 1000
Max Response Line Length: Unlimited
X-Link2State Enabled: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
Base64 Decoding: Enabled
Base64 Decoding Depth: 1464
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1464
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1464
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1464
Log Attachment filename: Enabled
Log MAIL FROM Address: Not Enabled
Log RCPT TO Addresses: Not Enabled
Log Email Headers: Not Enabled
IMAP config:
Base64 Decoding: Enabled
Base64 Decoding Depth: 1460
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1460
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1460
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1460
DCE UDP config:
Defragmentation: ENABLED
Max Fragment length: 65535
TELNET CONFIG:
Are You There Threshold: -1
Normalize: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
DNP3 config:
Check CRC: DISABLED
SSL config:
ftp_server:
Check for Telnet Cmds: OFF
Ignore Telnet Cmd Operations: OFF
Ignore open data channels: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
POP config:
Base64 Decoding: Enabled
Base64 Decoding Depth: 1460
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1460
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1460
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1460
AppId Configuration
Detector Path: (null)
appStats Logging: disabled
appStats Period: 300 secs
appStats Rollover Size: 20971520 bytes
appStats Rollover time: 86400 secs
[ 2509.558321] device br-lan entered promiscuous mode
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Memcap (in bytes): 1048576
Number of Nodes: 6898
--------------------------------------------------
afpacket DAQ configured to passive.
initializing daemon mode
child process is 3621
Commencing packet processing
++ [0] eth0:br-lan
root@OpenWrt:/etc/snort# Version: 1
Header Length: 32
AFPacket Layout:
Frame Size: 1584
Frames: 42360
Block Size: 32768 (Order 3)
Blocks: 2118
Created a ring of type 5 with total size of 69402624
[ 2509.630323] device eth0 entered promiscuous mode
Version: 1
Header Length: 32
AFPacket Layout:
Frame Size: 1584
Frames: 42360
Block Size: 32768 (Order 3)
Blocks: 2118
Created a ring of type 5 with total size of 69402624
...
[ 2618.453677] device br-lan left promiscuous mode
[ 2618.521680] device eth0 left promiscuous mode
-- [0] eth0:br-lan
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 2549898
analyzed: 2549890
outstanding: 8
allow: 2549890
idle: 1
rx_bytes: 2848172610
--------------------------------------------------
codec
total: 2549890 (100.000%)
other: 2549890 (100.000%)
eth: 2549890 (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
analyzed: 2549890
--------------------------------------------------
latency
total_packets: 2549890
total_usecs: 5441171
max_usecs: 2643
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 1
--------------------------------------------------
timing
runtime: 00:01:49
seconds: 109.34465
packets: 2549898
pkts/sec: 23393
o")~ Snort exiting
</pre></div>
</div></blockquote>
<div class="signature weak-color">
Running Itus Shield v2 Firmware
</div>
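The two runs above print everything needed to answer the thread's question but not the answer itself: Snort 3's exit summary gives rx_bytes, seconds and latency totals, and the reader is left to work out bits per second and time per packet. The script below is an added example, not code from the thread, from the Itus firmware or from the Snort project. It parses the Summary Statistics block exactly as printed at the end of the passive run (those numbers are embedded as a constructed sample) and derives Mbit/s, average and worst-case per-packet inspection time, the share of wall time the packet thread spent inside the pipeline, and the received-minus-analyzed gap. The field names such as `mbit_per_s` and `inspection_duty` are my own; the `latency` counters only exist because that module is loaded in the snort.lua shown above.

```python
import re

# Constructed sample: the "Summary Statistics" block Snort 3 printed when the passive
# afpacket run above was stopped, copied from the post (not live output from a Shield).
SAMPLE = """\
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 2549898
analyzed: 2549890
outstanding: 8
allow: 2549890
idle: 1
rx_bytes: 2848172610
--------------------------------------------------
codec
total: 2549890 (100.000%)
other: 2549890 (100.000%)
eth: 2549890 (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
analyzed: 2549890
--------------------------------------------------
latency
total_packets: 2549890
total_usecs: 5441171
max_usecs: 2643
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 1
--------------------------------------------------
timing
runtime: 00:01:49
seconds: 109.34465
packets: 2549898
pkts/sec: 23393
"""

# A value is numeric only when the number is followed by whitespace, '(' or end of
# line, so 'runtime: 00:01:49' is kept as a string instead of being read as 0.
NUM = re.compile(r"^\s*(-?\d+(?:\.\d+)?)(?=[\s(]|$)")


def parse_stats(text):
    """Return {section: {key: value}} from Snort 3's exit summary.

    Dashed lines separate blocks, a line without ':' names the section that
    follows ('daq', 'latency', ...), and 'key: value' lines are stored under it.
    Trailing percentages such as '(100.000%)' are dropped.
    """
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if ":" not in line:
            section = line
            stats.setdefault(section, {})
            continue
        key, _, value = line.partition(":")
        m = NUM.match(value)
        stats.setdefault(section, {})[key.strip()] = float(m.group(1)) if m else value.strip()
    return stats


def derive(stats):
    """Turn the raw counters into the figures this thread is comparing."""
    daq, lat, timing = stats["daq"], stats["latency"], stats["timing"]
    seconds = timing["seconds"]
    return {
        "mbit_per_s": daq["rx_bytes"] * 8 / seconds / 1e6,
        "pkts_per_s": daq["received"] / seconds,
        "avg_pkt_bytes": daq["rx_bytes"] / daq["received"],
        "avg_latency_us": lat["total_usecs"] / lat["total_packets"],
        "max_latency_us": lat["max_usecs"],
        # share of wall time the packet thread spent inside the pipeline
        "inspection_duty": lat["total_usecs"] / 1e6 / seconds,
        # packets received by the DAQ but never handed to detection
        "unanalyzed": daq["received"] - daq["analyzed"],
    }


def report(text):
    """Parse one summary and return the derived figures (my own field names)."""
    return derive(parse_stats(text))


if __name__ == "__main__":
    for name, value in report(SAMPLE).items():
        print(f"{name:>16}: {value:,.3f}")
```

For the passive run this works out to roughly 208 Mbit/s at about 2.1 microseconds per packet, with the packet thread busy for about 5% of the wall time; that duty figure, more than the rule count, says how much headroom the box had left. Stop the inline (-Q) run the same way, feed its summary through `report`, and compare the two dictionaries rather than the speed-test screenshots.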
tag:itus.accessinnov.com,2006:post-2160 | Re: What speeds are you getting while IDS / IPS is turned on | 2020-09-11T14:27:55Z | 2020-09-11T14:27:55Z | Grommish
When I was messing with Snort++ (Snort 3) I was seeing nearly full throughput and was loading a MASSIVE amount of rules.
<br/><br/>If you are willing to work with me, we can test Snort++. I have never worked with IDS/IPS and was working with Snort 3 because it was a challenge and Itus was using Snort 2.x originally.
<br/><br/>I'm also working on Suricata. However, it seems Suricata is completely broken for mips64 (<a href="https://forum.suricata.io/t/suricata6-0-0-beta1-on-openwrt-illegal-instruction-error/572/12" target="_top" rel="nofollow" link="external">https://forum.suricata.io/t/suricata6-0-0-beta1-on-openwrt-illegal-instruction-error/572/12</a>), so I'm just now pivoting back to Snort 3.
<br/><br/>If you are interested, let me know. You can find me on Google Hangouts (grommish@gmail.com) or on the Discord I set up (<a href="https://discord.gg/mnrmUaa" target="_top" rel="nofollow" link="external">https://discord.gg/mnrmUaa</a>).
<div class="signature weak-color">
Running Itus Shield v2 Firmware
</div>
tag:itus.accessinnov.com,2006:post-2159 | What speeds are you getting while IDS / IPS is turned on | 2020-09-09T06:00:23Z | 2020-09-09T06:00:23Z | CapeTown2015
When I saw <a href="http://itus.accessinnov.com/Reminders-regarding-OpenWrt-on-Itus-Shield-td2157.html" target="_top" rel="nofollow" link="external">Grommish’s reminder to turn on hardware acceleration</a>, because of the impact on throughput, it made me wonder what performance people are getting with IDS / IPS enabled. I remember that I had to enter a rule to exclude deep packet inspection of https traffic from my news server, because back then the Shield was unable to process this much traffic.
<br/><br/>Please post what throughput you get with what settings of IDS / IPS (Snort or Suricata) you are using (preferably the command). I can imagine that you actually optimize the settings so that the Shield is able to perform with maximum inspection, while still hitting the maximum bandwidth of your broadband.
<br/>
<div class="signature weak-color">
Running Itus Shield v2 Firmware
</div>
tag:itus.accessinnov.com,2006:post-2135 | Snort3/Snort+ under Firmware v2 | 2020-07-25T22:26:38Z | 2020-07-25T22:26:38Z | Grommish
Does anyone with Snort knowledge want to work on getting Snort properly working under the v2 firmware? I've got the files you'll need, and it does start, but I don't know much about Snort, and frankly, I've got things to do rather than learn, if that makes sense :)
<br/><br/>If anyone wants to volunteer, let me know!
<div class="signature weak-color">
Running Itus Shield v2 Firmware
</div>
tag:itus.accessinnov.com,2006:post-1986 | Octeon III network driver | 2020-05-03T00:54:10Z | 2020-06-15T04:53:03Z | Grommish
In case anyone needs it for something, this is driver code for the Octeon III SoC.
<br/>This is also the kernel config.
<br/><a href="https://itus.accessinnov.com/file/n1986/700-octeon-ethernet.patch" target="_top" rel="nofollow" link="external">700-octeon-ethernet.patch</a><br/><a href="https://itus.accessinnov.com/file/n1986/703-v3-usb-dwc3-OCTEON-add-support-for-device-tree.patch" target="_top" rel="nofollow" link="external">703-v3-usb-dwc3-OCTEON-add-support-for-device-tree.patch</a><br/><a href="https://itus.accessinnov.com/file/n1986/704-octeon-ethernet-ii.patch" target="_top" rel="nofollow" link="external">704-octeon-ethernet-ii.patch</a><br/><a href="https://itus.accessinnov.com/file/n1986/706-mm-vmstat.patch" target="_top" rel="nofollow" link="external">706-mm-vmstat.patch</a><br/><a href="https://itus.accessinnov.com/file/n1986/config-4.19" target="_top" rel="nofollow" link="external">config-4.19</a>
<div class="signature weak-color">
Running Itus Shield v2 Firmware
</div>
tag:itus.accessinnov.com,2006:post-1709 | Make your own rule in a graphical way | 2019-01-13T09:25:42Z | 2019-01-13T09:25:42Z | user8446
Just came across this - you can make your own Snort rule in a graphical way in a web based tool called Snorpy and then add it to your custom rules:
<br/><br/><a href="https://isc.sans.edu/diary/rss/24522" target="_top" rel="nofollow" link="external">https://isc.sans.edu/diary/rss/24522</a>
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
tag:itus.accessinnov.com,2006:post-1533 | Re: Exempt rules | 2018-04-23T12:40:05Z | 2018-04-23T12:40:05Z | Randymandy
Thanks for the tip; my biggest fear is leaving something out of the rules, so I'm not going to tinker too much...
<br/>As a former plumber I've come up with a plumbing solution... I will use two GbE A/B switches (WAN in, A or B out); that way I can bypass the Shield quickly by pressing two buttons.
<br/>The cool thing is I don't need to do any restarts of the cable modem/router/Shield, and it's almost instant! Works a treat, and as a bonus I have a physical internet KILL switch! No need to upgrade from the Shield... Happy for now<img class='smiley' src='/images/smiley/anim_claps.gif' />
tag:itus.accessinnov.com,2006:post-1532 | Re: Exempt rules | 2018-04-22T18:34:01Z | 2018-04-22T18:34:01Z | user8446
Have you tried the new Snort config from this thread: <a href="http://itus.accessinnov.com/Shield-update-Version-8-3-5-with-snort-2-9-9-0-2-td1510.html" target="_top" rel="nofollow" link="external">http://itus.accessinnov.com/Shield-update-Version-8-3-5-with-snort-2-9-9-0-2-td1510.html</a><br/><br/>Also go to /usr/lib/snort_dynamicpreprocessor/ and delete all but the three libsf_ssl*
<br/><br/>Then restart Snort and do another speed test. You are also probably running rules you don't need.
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
tag:itus.accessinnov.com,2006:post-1529 | Re: Exempt rules | 2018-04-14T09:19:48Z | 2018-04-14T09:19:48Z | Turrican
Yeah, that’s about the going rate. It should run XG as well. There’s lots of support online for installing the home license version on that hardware. Be aware though that this is by no means plug and play; it takes some config. I would recommend installing on a spare PC or VM first to get to know it.
<br/><br/>
<div class="signature weak-color">
Running v2 Firmware
<br/>
</div>
tag:itus.accessinnov.com,2006:post-1528 | Re: Exempt rules | 2018-04-14T01:39:52Z | 2018-04-14T01:39:52Z | Randymandy
Forgot to say 110 Euro's
tag:itus.accessinnov.com,2006:post-1527 | Re: Exempt rules | 2018-04-14T01:38:50Z | 2018-04-14T01:38:50Z | Randymandy
Sounds like what I'm really after, so I had a quick look on eBay and found this...
<br/><br/>Sophos UTM 120 Hardware Appliance rev. 5, OS Version 9.508-10.1, year 2013
<br/>Home licence ready
<br/>Network, Web, Email, Wireless and Webserver Protection, RED, Site-to-Site and Remote Access VPN
<br/><br/>Sounds good to me... But I really don't have a clue <img class='smiley' src='/images/smiley/smiley_whistling.gif' /><br/>What do you reckon?
tag:itus.accessinnov.com,2006:post-1526 | Re: Exempt rules | 2018-04-13T23:36:11Z | 2018-04-13T23:36:11Z | Turrican
For now, UTM 9. Actually running it on SG 120 hardware which I got cheap off eBay. I really like it. Now I get 180 Mbps from my 200 Mbps connection.
<br/><br/>The 50 IP license restriction is challenging though, so I’m looking to migrate to Sophos XG Firewall sometime, as that has no restrictions other than hardware. It’s quite different though, so I'm running it on a test machine to get my head around it first.
<br/>
<div class="signature weak-color">
Running v2 Firmware
<br/>
</div>
tag:itus.accessinnov.com,2006:post-1525 | Re: Exempt rules | 2018-04-13T23:27:36Z | 2018-04-13T23:27:36Z | Randymandy
Thanks I'll give that a try...
<br/>btw what Sophos solution are you now using?
tag:itus.accessinnov.com,2006:post-1524 | Re: Exempt rules | 2018-04-13T14:55:25Z | 2018-04-13T14:55:25Z | Turrican
Hi,
<br/><br/>Try tuning Snort; you may find it improves things significantly. It did for me. I was getting around 80 Mbps.
<br/><br/><a href="http://itus.accessinnov.com/More-bugfixes-performance-improvements-td1402.html" target="_top" rel="nofollow" link="external">http://itus.accessinnov.com/More-bugfixes-performance-improvements-td1402.html</a><br/><br/><a href="http://itus.accessinnov.com/Internet-speed-slower-in-bridge-mode-tp1123p1399.html" target="_top" rel="nofollow" link="external">http://itus.accessinnov.com/Internet-speed-slower-in-bridge-mode-tp1123p1399.html</a><br/><br/>I don’t use the Shield any more since I moved to Sophos; I still keep them around though, just in case.
<div class="signature weak-color">
Running v2 Firmware
<br/>
</div>
tag:itus.accessinnov.com,2006:post-1523 | Re: Exempt rules | 2018-04-13T08:35:02Z | 2018-04-13T08:35:02Z | Roadrunnere42
Hi Randymandy
<br/>The Shield works at the packet level, so it has no idea of file formats; this is exactly what you want when doing intrusion prevention. I don’t think you can tell the Shield to ignore movie formats. The top I get on my Shield is about 50 Mb with a 100 Mb download connection. You could try stopping the Snort program, then downloading your film, then restarting the Snort program (System, Startup), but if you download via torrent sites I would not switch Snort off, as the film sites are a haven for hackers just waiting to attack.
<br/>When Itus brought the Shield out, their plan was to get it working, which they did, and then to optimise it for speed, which they sadly didn’t do before going under. With a 1 Gb Ethernet connection and the CPU it has, there is scope to improve; all that is needed is some experts. I can’t remember the firm that screwed Itus over, but they brought out a device that looked exactly the same but in red; maybe this firm has improved the speed.
<br/><br/>Roadrunnere42
<br/>
tag:itus.accessinnov.com,2006:post-1518 | Exempt rules | 2018-04-13T01:02:54Z | 2018-04-13T01:02:54Z | Randymandy
Hi All,
<br/><br/>After finally managing to register on the forum, I have a question that I can't seem to find an answer to.
<br/>Not here or on the Snort site/help files.
<br/>Is it possible to exempt video files (.avi, .mkv, .mp4 etc.) from the inspection process?
<br/>The reason I would like to do this is to speed up my internet connection: I have 200 Mb down and I only get about 50 Mb through the Shield.
<br/>For normal web stuff 50 Mb is fine, but downloading large videos is a pain...
tag:itus.accessinnov.com,2006:post-1277 | Re: New rules category for SSL Black List | 2016-11-14T02:56:38Z | 2016-11-14T13:31:53Z | Turrican
Roadrunnere42 - thanks so much, this really helps.
<br/><br/>edit: Successfully Added the two entries above, thanks for the explanation.
<div class="signature weak-color">
Running v2 Firmware
<br/>
</div>
tag:itus.accessinnov.com,2006:post-1276 | Re: New rules category for SSL Black List | 2016-11-14T01:45:21Z | 2016-11-14T01:45:21Z | Roadrunnere42
How to change which Snort rules to use.
<br/><br/>In the folder sbin you will see the fw_upgrade script, which every night goes and downloads and upgrades with the latest Snort rules and web filter rules.
<br/><br/>Use either WinSCP or the command prompt in Linux, whichever you prefer, to open and edit files.
<br/><br/>Open the file fw_upgrade (sbin/fw_upgrade) and scroll down till you see the following. As you can see, if a line begins with # this means that it is commented out and the line is ignored when run. Each line that begins with <b>curl</b> is a Snort rule set; the first 16 lines are the original sets that Itus had set up. Below these lines are a few comments explaining what the new rule suggested by Wisiwyg does, and then the new rule set:
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules <a href="https://sslbl.abuse.ch/blacklist/sslipblacklist.rules" target="_top" rel="nofollow" link="external">https://sslbl.abuse.ch/blacklist/sslipblacklist.rules</a><br/><br/>Just copy and paste it into the file as I have below, save the file, then run fw_upgrade either on the command line (sh /sbin/fw_upgrade) or via the GUI (Status -->
<br/>Itus Setting --> Upgrade Shield).
<br/><br/>If you want to disable a rule set, just put a # at the beginning of the line.
<br/>The rule set # curl -k -1 -m 40 -o /tmp/ramdisk/emerging-trojan.rules <a href="https://rules.emergingthreats.net/open/snort-edge/rules/emerging-trojan.rules" target="_top" rel="nofollow" link="external">https://rules.emergingthreats.net/open/snort-edge/rules/emerging-trojan.rules</a>: if you decide to uncomment it so that it becomes active, then you have to modify the Snort conf files, because the number of rules contained in that set will crash Snort.
<br/><br/>echo "Starting SNORT rule download..."
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/botcc.portgrouped.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-botcc.portgrouped.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/botcc.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-botcc.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/ciarmy.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-ciarmy.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/compromised.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-compromised.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/dshield.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-dshield.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/emerging-exploit.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-exploit.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/emerging-malware.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-malware.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/emerging-mobile_malware.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-mobile_malware.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/emerging-user_agents.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-user_agents.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/emerging-web_client.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-web_client.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/emerging-worm.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-worm.rules
<br/>curl -k -1 -m 40 -o /tmp/ramdisk/emerging-current_events.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-current_events.rules
<br/># curl -k -1 -m 40 -o /tmp/ramdisk/emerging-trojan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-trojan.rules
<br/># curl -k -1 -m 40 -o /tmp/ramdisk/drop.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-drop.rules
<br/># curl -k -1 -m 40 -o /tmp/ramdisk/emerging-web_specific_apps.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-web_specific_apps.rules
<br/># curl -k -1 -m 40 -o /tmp/ramdisk/emerging-scan.rules https://rules.emergingthreats.net/open/snort-edge/rules/emerging-scan.rules
<br/><br/># new rule site as suggested: SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified
<br/># by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates
<br/># and offers various blacklists that can be found in the SSL Blacklist section.
<br/><b>curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules</b><br/><br/>
<br/>echo " "
<br/>echo "Working on snort rules, please wait... may take up to a minute"
<br/><br/>Hope this helps
<br/><br/>Roadrunnere42
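The download lines in the script above run curl with -k, which disables certificate verification, and save whatever the server returns straight into the directory Snort loads from. The shell script below is an added example, not the script from the post: it fetches one rule file with verification left on, checks that the result actually looks like a rule file, and only then replaces the live copy, so a failed or intercepted download leaves the previous rules in place. The staging directory and the 40-second timeout are assumptions chosen to match the post's layout.

```shell
#!/bin/sh
# Added example (not the forum poster's script). Fetch a rule file into a
# staging path, sanity-check it, then replace the copy Snort loads.
# TLS certificate verification stays on (no -k), so a tampered download
# fails instead of being loaded. Paths below are assumptions.

STAGE_DIR="${STAGE_DIR:-/tmp/ramdisk/stage}"

# A plausible rule file is non-empty, contains at least one rule line
# (a Snort action keyword at line start) and is not an HTML error page
# that curl would have saved just as happily as real rules.
validate_rules_file() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -Eqi '^<!DOCTYPE|^<html' "$f"; then return 1; fi
    grep -Eq '^(alert|drop|pass|log|reject|sdrop) ' "$f" || return 1
    return 0
}

# Move a validated staged file over the live copy. When validation fails
# the staged file is discarded and the live copy is left untouched, so
# Snort keeps the last known-good ruleset.
install_rules_file() {
    staged="$1"; dest="$2"
    if validate_rules_file "$staged"; then
        mv "$staged" "$dest"
        return 0
    fi
    rm -f "$staged"
    return 1
}

# Download with certificate verification, fail on HTTP errors (-f), keep
# the 40 s budget from the original script, then install if it looks sane.
fetch_rules() {
    url="$1"; dest="$2"
    mkdir -p "$STAGE_DIR"
    staged="$STAGE_DIR/$(basename "$dest")"
    curl -fsS --tlsv1.2 -m 40 -o "$staged" "$url" || { rm -f "$staged"; return 1; }
    install_rules_file "$staged" "$dest"
}

# Usage (needs network access):
# fetch_rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules /tmp/ramdisk/abuse-sslbl.rules
```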
tag:itus.accessinnov.com,2006:post-1272Re: New rules category for SSL Black List2016-11-13T15:19:36Z2016-11-13T15:19:36ZTurrican
Guys,
<br/><br/>Any chance you could give a brief how-to to apply these updates? Just a little bit more detail would be great.
<br/><br/>Thanks in advance
<div class="signature weak-color">
Running v2 Firmware
<br/>
</div>
tag:itus.accessinnov.com,2006:post-1213Re: New rules category for SSL Black List2016-10-16T15:57:49Z2016-10-16T15:57:49ZWisiwyg
<blockquote class="quote dark-border-color"><div class="quote light-border-color">
<div class="quote-author" style="font-weight: bold;">user8446 wrote</div>
<div class="quote-message">Just noticed at https://sslbl.abuse.ch/blacklist/ that it mentions that the Dyre C&C botnet is a separate list so add this one too:
<br/><br/>curl -k -1 -m 40 -o /tmp/ramdisk/abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.rules<br/><br/>Note that depending on which version of the update script you are on, change tmp to mnt
</div>
</div></blockquote>
Thank you! Updated!
<div class="signature weak-color">
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
</div>
tag:itus.accessinnov.com,2006:post-1210Re: New rules category for SSL Black List2016-10-16T11:56:19Z2016-10-16T11:56:19Zuser8446
Just noticed at https://sslbl.abuse.ch/blacklist/ that it mentions that the Dyre C&C botnet is a separate list so add this one too:
<br/><br/>curl -k -1 -m 40 -o /tmp/ramdisk/abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.rules<br/><br/>Note that depending on which version of the update script you are on, change tmp to mnt
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
tag:itus.accessinnov.com,2006:post-1194Re: New rules category for SSL Black List2016-09-26T18:15:05Z2016-09-26T18:15:05Zuser8446
Just added to my ruleset, thank you!
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
tag:itus.accessinnov.com,2006:post-1191Re: New rules category for SSL Black List2016-09-26T10:26:07Z2016-09-26T10:26:07ZRoadrunnere42
Nice find, added and now problems found.
<br/><br/>Roadrunnere42
tag:itus.accessinnov.com,2006:post-1190New rules category for SSL Black List2016-09-25T08:21:51Z2016-09-25T08:21:51ZWisiwyg
Just added this to my fw_upgrade sh batch file in the update rules section:
<br/><br/>curl -k -1 -m 40 -o /tmp/ramdisk/abuse-sslbl.rules https://sslbl.abuse.ch/blacklist/sslipblacklist.rules<br/><br/>Info from their website (https://sslbl.abuse.ch):
<br/><br/>SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section.
<br/><br/>After adding, I ran fw_upgrade and everything worked as expected and finished without error messages.
<div class="signature weak-color">
Shield Pro v1, Chaos Calmer, FW 1.51 SP1, v8.3.2, Bridge Mode
</div>
tag:itus.accessinnov.com,2006:post-1064Re: Speed issue due to log size too big SOLUTION2016-06-29T13:42:21Z2016-06-29T13:42:21Zuser8446
All you have to do is change:
<br/><br/>output alert_fast: alert.fast
<br/><br/>to....
<br/><br/>output alert_fast: alert.fast 64K
<br/><br/>You have to do this in both Snort7 and Snort8.
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
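Since the same one-line change has to be made in both the Snort7 and Snort8 configs, here is an added shell helper (not from the post) that sets the size limit on the alert_fast output line and can be re-run safely without stacking a second limit token. The config paths in the usage comment are assumptions; the post names the two instances but not their files.

```shell
#!/bin/sh
# Added example (not from the forum post). Set the rotation limit on the
# "output alert_fast:" line of a Snort 2.x config, idempotently, so the
# same helper can be applied to both instances the post mentions.

# Rewrite "output alert_fast: <file> [packet]" so the line ends in the
# requested limit (default 64K, as in the post). Any existing size token
# is replaced rather than appended to. Returns 0 when the file now carries
# the limit, 1 when the config has no alert_fast output line at all.
set_alert_fast_limit() {
    conf="$1"; limit="${2:-64K}"
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_fast:' "$conf" || return 1
    sed -i -E \
        "s/^([[:space:]]*output[[:space:]]+alert_fast:[[:space:]]*[^[:space:]#]+([[:space:]]+packet)?)([[:space:]]+[0-9]+[KMG]?)?[[:space:]]*\$/\1 ${limit}/" \
        "$conf"
    grep -Eq "alert_fast:.* ${limit}\$" "$conf"
}

# Print the limit currently set on the alert_fast line, or "none" when
# the line has no size token (the situation the post describes).
get_alert_fast_limit() {
    sed -nE 's/^[[:space:]]*output[[:space:]]+alert_fast:[[:space:]]*[^[:space:]]+([[:space:]]+packet)?[[:space:]]+([0-9]+[KMG]?)[[:space:]]*$/\2/p' "$1" \
        | grep . || echo none
}

# Usage: apply to both instances the post refers to (paths are assumed).
# for c in /etc/snort7/snort.conf /etc/snort8/snort.conf; do
#     set_alert_fast_limit "$c" 64K || echo "no alert_fast line in $c"
# done
```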
tag:itus.accessinnov.com,2006:post-1063Re: Rules tuning categories2016-06-29T12:48:15Z2016-06-29T12:48:15Zuser8446
That fix isn't in the hotfix. Just copy and paste it in and you'll be all set.
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
tag:itus.accessinnov.com,2006:post-1056Re: Rules tuning categories2016-06-26T08:08:30Z2016-06-26T08:08:30ZRonniem1
<b>CONTENTS DELETED</b>
<div class="weak-color">The author has deleted this message.</div>
tag:itus.accessinnov.com,2006:post-1054Re: Speed issue due to log size too big SOLUTION2016-06-26T07:57:02Z2016-06-26T07:57:02ZRonniem1
<b>CONTENTS DELETED</b>
<div class="weak-color">The author has deleted this message.</div>
tag:itus.accessinnov.com,2006:post-1046Re: paid subscription to snort rules?2016-06-23T12:18:57Z2016-06-23T12:18:57Zuser8446
Oinkmaster and pulledpork will both work with the talos rules. I haven't tried them though on the shield.
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
tag:itus.accessinnov.com,2006:post-1040Re: paid subscription to snort rules?2016-06-15T10:01:23Z2016-06-15T10:01:23Zbearda
I talked to Emerging Threats around 2 years ago (before they got bought by Looking Glass) at Black Hat, and they were pretty against offering personal subscriptions. Apparently they did at some point, but there was enough abuse from businesses that they discontinued the option.
<br/><br/>I would consider ETPro a dead end for most users. Getting the Talos Snort rules in place may not be as difficult, though. Does anyone know what's downloading the rules, and if they're using pulledpork or a different script?
tag:itus.accessinnov.com,2006:post-1007Re: snort 3.02016-06-01T08:35:41Z2016-06-01T08:35:41Zuser8446
Snort 3.0 is still in Alpha. We should probably try to upgrade to 2.9.8.2, which is the latest. The shield as well as the OpenWRT repo is on 2.9.7.2, which is EOL and was released Dec 2014. I had someone try to make a package of 2.9.8.2 but was getting compile errors and couldn't get it. Anyone knowledgeable in building OpenWRT packages out there?
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>
tag:itus.accessinnov.com,2006:post-1005Re: snort 3.02016-06-01T02:37:40Z2016-06-01T02:37:40Zharpss1ngh
I would assume it would break until it has been tailored to the Shield.
tag:itus.accessinnov.com,2006:post-987snort 3.02016-05-27T12:18:08Z2016-05-27T12:18:08ZRoadrunnere42
Hi
<br/><br/>Has anyone tried installing and running Snort 3.0? And if so, is it easy to install and configure?
<br/><br/>roadrunnere42
tag:itus.accessinnov.com,2006:post-706Re: Snort Rule from US-CERT to Protect Against DRDoS2016-04-16T11:15:32Z2016-04-16T11:15:32Zuser8446
Thanks for that... the services > intrusion prevention > custom rules would be the perfect place to put those two rules for users that have public facing networks.
<div class="signature weak-color">
Running in bridge mode, 1.51 SP1 fw
</div>