We are trying to combine the WAF rules with SNORT and, for some reason, when testing, no rules in the Snort community rules are working. As a result, I have even edited the community-rules file and added an `alert IP any any -> any any (msg:"TEST";)` rule, which basically triggers nothing in any of the audit logs.
The current configuration is as follows:
- Detection Level is set to Paranoid
- WAF is enabled in Block Mode and Audit Mode set to Audit All.
- Detect Malicious Requests is Enabled with Intrusion Handling set to Drop Connection and Warnings switched on.
I have some questions which I would appreciate if someone could answer:
- Having worked with SNORT, the snort.conf file needs to be edited to point the rules file to the relevant file being used. Should the path in snort.conf be configured, and if yes how, given that there's no actual relative path?
- Does editing the "action" in community rules make a difference or is the action only performed in KEMP? What happens if I set an "alert" rule but then Intrusion Handling is set to Drop/Reject?
- Are rule matches logged in any of the logging files or are they sent only in Syslog?
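One thing worth checking before looking at paths or actions is whether the rule file itself loads: Snort 2.9 refuses to load any rule that has no `sid` option, and the test rule quoted in the question has only a `msg`. The small checker below is an added example (not from this thread, KEMP, or the Snort project) that parses each line of a rules file into its header and option list and flags the common load-time defects: an unrecognised action or protocol, an option not terminated with `;`, and a missing `sid`. The sample rules file is constructed for the example. It is a pre-flight sanity check only; Snort's own configuration test (`snort -T -c snort.conf`) remains the authoritative answer to "did my rule load".

```python
import re
from typing import Dict, List, Tuple

# Snort 2 rule header: action proto src_ip src_port direction dst_ip dst_port ( options )
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

_HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)


def parse_options(text: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split the option body into (keyword, value) pairs.

    Options end with ';'. A double-quoted value may itself contain ';',
    so the string is walked character by character rather than split().
    Returns the pairs plus any trailing text that was not terminated by ';'
    (empty string when every option was terminated).
    """
    opts: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quote = False

    def flush() -> None:
        item = "".join(buf).strip()
        if item:
            key, _, val = item.partition(":")
            opts.append((key.strip(), val.strip()))
        buf.clear()

    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
    unterminated = "".join(buf).strip()
    flush()  # keep the dangling option so its keyword is still visible to callers
    return opts, unterminated


def check_rule(rule: str) -> List[str]:
    """Return a list of problems that would stop Snort loading this rule (empty if none)."""
    problems: List[str] = []
    m = _HEADER_RE.match(rule)
    if not m:
        return ["header does not match 'action proto src sport dir dst dport (options)'"]
    if m["action"] not in ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    if m["proto"].lower() not in PROTOCOLS:
        problems.append(f"unknown protocol {m['proto']!r}")
    opts, unterminated = parse_options(m["opts"])
    if unterminated:
        problems.append(f"option not terminated with ';': {unterminated!r}")
    if "sid" not in {k for k, _ in opts}:
        problems.append("missing 'sid' option; Snort 2.9 rejects a rule without a sid")
    return problems


def check_rules_file(text: str) -> Dict[int, List[str]]:
    """Check every rule line of a rules file; returns {line_number: problems} for bad lines only."""
    findings: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        problems = check_rule(stripped)
        if problems:
            findings[lineno] = problems
    return findings


# Constructed sample rules file (not from the page). Line 2 mirrors the shape of the
# test rule in the question; line 3 is well formed; line 4 forgets the final ';'.
SAMPLE_RULES = """# constructed sample rules file
alert ip any any -> any any (msg:"TEST";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP probe; semicolon in msg"; content:"GET"; sid:1000001; rev:1;)
drop udp any any -> any 53 (msg:"DNS"; sid:1000002)
"""

if __name__ == "__main__":
    for lineno, problems in sorted(check_rules_file(SAMPLE_RULES).items()):
        for p in problems:
            print(f"line {lineno}: {p}")
```

Run against the sample, the checker reports the missing `sid` on line 2 and the unterminated option on line 4, and says nothing about line 3 even though its `msg` contains a `;`. A rule that passes here can still fail in Snort for reasons this checker does not model (unknown option keywords, undefined variables, duplicate sids), which is why `snort -T` is still the final word.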
The SNORT and WAF rules are doing the same thing and interfere with each other. It is recommended to only enable one or the other.
SNORT rules can be downloaded and installed including the config files from here
WAF is a better, more up-to-date engine; if you have a subscription, rules are downloaded automatically every 24 hours. It is maintained by ModSecurity. It is recommended to use WAF if available.