IDS rulesets


Devlin

Jun 27, 2016, 6:39:04 AM
to security-onion
Hi,
Sorry for what may be a stupid question, but I can't find the answer anywhere... I got lost in the ruleset options and I can't find any article explaining these four options. I can't even find out which oinkcode I got from the Snort website. Could you help me please?

- Emerging Threats GPL (no oinkcode required)
- Emerging Threats PRO (requires ETPRO oinkcode)
- Snort VRT ruleset and Emerging Threats NoGPL ruleset (requires Snort VRT oinkcode)
- Snort VRT ruleset only and set a VRT policy (requires Snort VRT oinkcode)


Thanks!

Wes

Jun 27, 2016, 7:59:09 AM
to security-onion

Devlin,

The community ruleset (Emerging Threats GPL (no oinkcode required)) does not require an oinkcode; however, the others require an oinkcode, obtained via a paid subscription.

Each ruleset may have different/additional/more rules not available in the community ruleset.

You can see more about the rulesets here:

https://www.snort.org/downloads
https://www.snort.org/talos
http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ
https://www.proofpoint.com/us/solutions/products/threat-intelligence/ET-Pro-Ruleset

You can find out which ruleset(s) you currently have enabled (they will be un-commented) by navigating to /etc/nsm/pulledpork/pulledpork.conf

Thanks,
Wes

Devlin

Jun 28, 2016, 9:45:32 AM
to security-onion
Hi Wes,
Thank you for your response. So you're saying that without paying for some sort of subscription, the oinkcode I have from the snort.org website is useless? Or is it an oinkcode for the community rules, but I can't insert it into the installation wizard?

Thank you,
D.

Wes Lambert

Jun 28, 2016, 9:49:54 AM
to securit...@googlegroups.com

Devlin,

You shouldn't need an oinkcode for the community rules.

You can just select the first ruleset during setup and you should be good to go.

Otherwise, if you wish to use the other rulesets, you will need to pay for the ruleset subscription.

Thanks,
Wes


Jeff H

Jun 28, 2016, 10:00:22 AM
to securit...@googlegroups.com
Is "Emerging Threats GPL" the same as Emerging Threats Open?

What does "Emerging Threats NoGPL" refer to?

Outside of Security Onion I have seen references to:

Emerging Threats Open (free)
Emerging Threats Pro (paid)
Snort Community (free)
Snort VRT Registered (free with registration)
Snort VRT Subscription (paid)

I'm fairly new to IDS, and have seen references to GPL rules, but don't know exactly what products those rules are included in.

Do the options available in Security Onion's rule selection line up with the products above?

Jeff

Wes

Jun 28, 2016, 10:22:17 AM
to security-onion
Jeff,

You can have a look here about the difference between Open/GPL/NoGPL:

http://doc.emergingthreats.net/bin/view/Main/NewUserGuide

I believe the GPL rules were moved into the Open rules and the name during Setup has not been updated to reflect this, although I may be mistaken.

Security Onion currently uses Emerging Threats Open as its default free ruleset in pulledpork.conf.

Security Onion Setup provides you with several choices, but that does not limit you in specifying the rulesets you would like to use; this is configurable within /etc/nsm/pulledpork/pulledpork.conf (you should be able to use any of the ones you specified above).

Thanks,
Wes

Shane

Jun 28, 2016, 10:52:44 AM
to securit...@googlegroups.com

I think you still need an oinkcode for the community Sourcefire rules. You can get one by creating a login.

Shane

Kyle Hable

Feb 2, 2017, 12:22:47 PM
to security-onion
I believe I am having the same misunderstanding of this.

On the snort website there are 3 options for rules, Community/Registered/Subscription

I have registered on snort.com and received an oinkcode. This option is not described in the sosetup.conf.

From the snort.com description:
"There are two sets of rules distributed on the Snort.org web site.
The "Community Ruleset" is freely available to all users, and is licensed under the GPLv2.

The "Snort Subscriber Rule Set" will be made available to users in the following ways:
Subscribers will receive rulesets in real-time as they are released to Cisco customers - 30 days ahead of registered users
Registered users will receive rulesets 30 days after Subscribers.
Unregistered users will receive access to the community ruleset."

It would seem that the registered option is between the community and subscriber rules - but maybe not?

Wes

Feb 2, 2017, 10:26:29 PM
to security-onion

Kyle,

In the future, please start a new thread before replying to an old one:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MailingLists#start-a-new-thread-instead-of-replying-to-an-old-one

The registered option, as described, requires an oinkcode, which can be entered during setup or in /etc/nsm/pulledpork/pulledpork.conf.

The subscriber option also requires an oinkcode, which can be entered during setup or in /etc/nsm/pulledpork/pulledpork.conf.

The community ruleset does not require an oinkcode, and should be enabled (/etc/nsm/pulledpork/pulledpork.conf) when a registered option is used.

You could consider the registered option in-between that of subscriber and community ruleset -- it does not cost anything to use, but it requires registration.

Thanks,
Wes
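
Added example (not code from this thread, from Security Onion, or from pulledpork): a small POSIX shell helper that performs the checks Wes describes in his two replies, namely listing which rule_url lines in /etc/nsm/pulledpork/pulledpork.conf are un-commented, flagging a registered or subscriber Snort entry whose oinkcode placeholder was never filled in, and enabling the community ruleset next to it. The config it inspects is a constructed sample written to a temp file. Its rule_url lines follow pulledpork's `rule_url=<base URL>|<tarball>|<oinkcode or keyword>` layout, but the exact URLs, tarball names and the `<oinkcode>` placeholder text are assumptions to be checked against the real file on your sensor.

```shell
#!/bin/sh
# Added example: inspect a pulledpork.conf for enabled rulesets and missing oinkcodes.
# The config below is a CONSTRUCTED sample (assumption, not copied from a real
# Security Onion install); point CONF at /etc/nsm/pulledpork/pulledpork.conf to
# run the same checks against the real file.

CONF="${CONF:-${TMPDIR:-/tmp}/pulledpork.conf.example}"
cat > "$CONF" <<'EOF'
# Constructed sample of /etc/nsm/pulledpork/pulledpork.conf (format assumed):
# rule_url=<base URL>|<tarball>|<oinkcode or keyword>; a leading '#' disables a line.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et_oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#rule_url=https://www.snort.org/downloads/community/|community-rules.tar.gz|Community
EOF

# Print the tarball name of every rule_url line that is not commented out.
enabled_rulesets() {
    grep -E '^[[:space:]]*rule_url=' "$1" | cut -d'|' -f2
}

# Print the third field (oinkcode or keyword) of every enabled rule_url line.
enabled_codes() {
    grep -E '^[[:space:]]*rule_url=' "$1" | cut -d'|' -f3
}

# Succeed only if no enabled rule_url still carries a "<...>" placeholder where
# the oinkcode belongs; pulledpork cannot fetch that ruleset until it is filled in.
placeholder_free() {
    if enabled_codes "$1" | grep -q '^<'; then
        return 1
    fi
    return 0
}

# Succeed only if the Snort community ruleset line is enabled.
community_enabled() {
    enabled_rulesets "$1" | grep -q '^community-rules'
}

# Replace the Snort "<oinkcode>" placeholder with the real code ($2).
# Oinkcodes are hex strings, so no sed-special characters are expected in $2.
set_oinkcode() {
    sed "s|<oinkcode>|$2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Un-comment the community ruleset line (Wes: keep it enabled alongside a
# registered or subscriber Snort entry).
enable_community() {
    sed 's,^#\(rule_url=.*community-rules\),\1,' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Report on the sample config.
printf 'Enabled rulesets in %s:\n' "$CONF"
enabled_rulesets "$CONF"
if placeholder_free "$CONF"; then
    echo "All enabled rule_url entries have an oinkcode or keyword."
else
    echo "WARNING: an enabled rule_url still has a <...> placeholder; enter your oinkcode."
fi
if community_enabled "$CONF"; then
    echo "Community ruleset: enabled"
else
    echo "Community ruleset: disabled"
fi
```

Run as-is to see the report on the sample, then call `set_oinkcode` and `enable_community` from a shell that has sourced the script (or set `CONF` to the real path after removing the heredoc) to fix the two conditions the report flags.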
