Hi all,
Apologies for bumping a very old topic, but I was wondering whether anything 
had changed with this with the latest version of PacketFence? I didn't ever get 
snort integration set up in my version 3 production environment, but I now have 
a working version 4 dev environment that I can play around with.

As stated below, it would be an incredibly handy feature to be able to easily 
integrate the snort categories into a violation, rather than using individual 
triggers.

Or, is there a better way to stay on top of the emerging threats updates? I 
mean I could set oinkmaster to run daily, then pay attention to the ET mailing 
list, and add in any new IDs from categories that I'm interested in, but there 
would then of course be no testing of false positives etc.

What do other people on the list who utilise PacketFence's snort integration 
do to keep their rules up-to-date with current threats?

Cheers,
Andi

-----Original Message-----
From: Olivier Bilodeau [mailto:[email protected]] 
Sent: 03 May 2012 15:59
To: [email protected]
Subject: Re: [PacketFence-users] Snort integration and updates

Thanks for your feedback! You clearly show experience in managing IDS.

On 05/02/2012 12:28 PM, Rich Graves wrote:
> None/all of the above.
> 
> If you're going to do this, you could get the broadest reach with a regular 
> expression match of the alert. I could imagine an organization other than 
> mine blacklisting clients based on / ET (P2P|POLICY) .+Priority: 1/, for 
> example.

Providing a regex match would be useful, but I'm afraid it's a little complex 
for end-users, and it would have to be crippled because we already use the comma 
to split the triggers, so it would need to be escaped if you tried to match one, 
but commas aren't escaped in normal regex, leading to more confusion.

Since you can combine triggers, something simpler like snort-ruleset::ET 
Policy:1,snort-ruleset::ET P2P:1 could accomplish a similar goal, where the 1 
would be the priority.

I know it's a tough call. I know how to write regex but most people don't, and 
I'm thinking about them for the trigger formats.

snort-ruleset-regex could still exist for the power users though.
However, there are security implications with user-controlled regexes, but in 
this case they are administrator-controlled so I'm not too concerned.

> 
> VRT is 90% done changing the classification of most rules. ET went through a 
> similar mass reclassification a couple years ago. This doesn't mean that 
> classifications are not useful -- it just means that you'd have to pay 
> attention when they change.

Do you know if the priority is similar to the classifications, in the sense 
that it can change and its meaning can't be relied upon too much?

> 
> I don't think I would ever use such a feature. False positives are too high 
> with new rules. Consider reviewing your snort alerts in something like 
> Snorby, Placid, or Aanval instead, and archive everything to ELSA. If you see 
> something interesting, create a generic malware violation manually.
> 

Agreed, but you could arguably do the same thing from within PacketFence.
You only log violations at first, comment out the noisy rules, and then once 
you feel in control, open the gates to mass isolation.

> High-confidence proprietary VRT rules have this sort of thing in the rule 
> file:
> 
>   metadata:policy balanced-ips drop, policy security-ips drop;
> 
> SourceFire appliances use that for default policy, based on VRT's estimation 
> of the risk/reward. Most rules are alert only. The suggested action appears 
> only in the rule, not in the alert message.


--
Olivier Bilodeau
[email protected]  ::  +1.514.447.4918 *115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
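As an added example (not part of the thread, and not PacketFence's own code), the script below parses Snort alert_fast lines and evaluates them against the trigger styles debated above: the proposed snort-ruleset::<category>:<priority> form, the regex form from Rich's reply, and a plain per-SID trigger. It also reproduces the comma-splitting problem Olivier raises and the log-first, trap-later rollout he suggests. The trigger names, the Violation shape, the SID suppression set and the sample alert lines (local-range SIDs, made-up messages in ET naming style) are all assumptions made for the example; the "priority N means N or more severe" reading of the threshold is also an assumption.

```python
"""Match Snort fast-alert lines against category/priority, regex and SID
triggers as discussed in the thread.  Added example: the trigger syntaxes
(snort-sid::, snort-ruleset::, snort-ruleset-regex::) follow the proposal in
the e-mail and are NOT PacketFence's real violation trigger format."""
import re
from dataclasses import dataclass

# Snort alert_fast output: one event per line.  Real line format, constructed
# content: SIDs in the 1000000+ local range and made-up ET-style messages.
SAMPLE_ALERTS = """\
05/02-12:28:01.123456  [**] [1:1000001:1] ET P2P BitTorrent DHT ping request [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 10.0.0.5:51413 -> 203.0.113.7:6881
05/02-12:28:02.000001  [**] [1:1000002:1] ET POLICY Offsite File Backup Service in Use [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.6:49200 -> 203.0.113.9:443
05/02-12:28:03.500000  [**] [1:1000003:1] ET POLICY Outbound MySQL Connection [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:33306 -> 203.0.113.12:3306
05/02-12:28:04.250000  [**] [1:1000004:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51500 -> 203.0.113.20:80
"""

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

@dataclass
class Alert:
    sid: int
    msg: str
    priority: int   # Snort convention: 1 is the most severe
    src_ip: str
    raw: str

def parse_fast_alert(line):
    """Return an Alert for a well-formed alert_fast line, else None."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    src_ip = m["src"].rsplit(":", 1)[0]   # drop the port (IPv4 only here)
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), src_ip, line)

def split_triggers(trigger_field):
    """The plain comma split the message describes.  A regex that itself
    contains a comma (e.g. the quantifier {1,80}) is torn apart by it."""
    return [t.strip() for t in trigger_field.split(",") if t.strip()]

def trigger_matches(trigger, alert):
    kind, sep, value = trigger.partition("::")
    if not sep:
        raise ValueError(f"malformed trigger: {trigger!r}")
    if kind == "snort-sid":                      # one rule, by SID
        return alert.sid == int(value)
    if kind == "snort-ruleset":                  # "ET Policy:1" -> category + threshold
        category, colon, prio = value.rpartition(":")
        if not colon:                            # no threshold given: any priority
            category, prio = value, "99"
        # Assumption: "priority N" means N or more severe, i.e. numerically <= N
        return (alert.msg.upper().startswith(category.upper() + " ")
                and alert.priority <= int(prio))
    if kind == "snort-ruleset-regex":            # power-user regex over the raw line
        return re.search(value, alert.raw) is not None
    raise ValueError(f"unknown trigger type: {kind!r}")

def validate_triggers(trigger_field):
    """Return the fragments that are not usable triggers after the comma split."""
    bad = []
    for t in split_triggers(trigger_field):
        kind, sep, value = t.partition("::")
        if not sep or kind not in ("snort-sid", "snort-ruleset", "snort-ruleset-regex"):
            bad.append(t)
        elif kind == "snort-ruleset-regex":
            try:
                re.compile(value)
            except re.error:
                bad.append(t)
    return bad

@dataclass
class Violation:
    vid: int
    triggers: str          # comma-separated trigger list, config-file style
    actions: str = "log"   # start with "log"; raise to "log,trap" once tuned

VIOLATIONS = [
    Violation(1, "snort-ruleset::ET Policy:1,snort-ruleset::ET P2P:1"),
    Violation(2, "snort-ruleset-regex:: ET (P2P|POLICY) .+Priority: 1", "log,trap"),
]

def evaluate(alert_text, violations, suppressed_sids=frozenset()):
    """Return (src_ip, violation id, actions) for every alert that fires a
    violation.  suppressed_sids plays the role of 'commenting out the noisy
    rules' during the log-only phase."""
    hits = []
    for line in alert_text.splitlines():
        alert = parse_fast_alert(line)
        if alert is None or alert.sid in suppressed_sids:
            continue
        for v in violations:
            if any(trigger_matches(t, alert) for t in split_triggers(v.triggers)):
                hits.append((alert.src_ip, v.vid, v.actions))
    return hits

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_ALERTS, VIOLATIONS):
        print(hit)
    # The quantifier's comma is split on, leaving an unusable second fragment.
    print(validate_triggers("snort-ruleset-regex::ET (P2P|POLICY) .{1,80}Priority: 1"))
```

The priority-2 ET POLICY alert is deliberately left unmatched by both violations to show the threshold doing its job; in practice you would run with actions "log" only, watch which SIDs dominate the hits, add them to the suppression set, and only then switch the violation to a trapping action.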

