* SNORT rules not working

Hi,


We are trying to combine the WAF rules with SNORT, and for some reason when testing, none of the rules in the Snort community rules are working. As a result I have even edited the community-rules file and added an `alert IP any any -> any any (msg:"TEST";)` rule, which basically triggers nothing in any of the audit logs.

The current configuration is as follows:

  • Detection Level is set to Paranoid
  • WAF is enabled in Block Mode and Audit Mode set to Audit All.
  • Detect Malicious Requests is Enabled with Intrusion Handling set to Drop Connection and Warnings switched on.


I have some questions which I would appreciate if someone could answer:

  1. Having worked with SNORT, the snort.conf file needs to be edited to point the rules file to the relevant file being used. Should the path in snort.conf be configured, and if yes how, given that there's no actual relative path?
  2. Does editing the "action" in community rules make a difference or is the action only performed in KEMP? What happens if I set an "alert" rule but then Intrusion Handling is set to Drop/Reject?
  3. Are rule matches logged in any of the logging files or are they sent only in Syslog?


0

4 comments


Permanently deleted user

Hello Robert,

The SNORT and WAF rules are doing the same thing and interfere with each other. It is recommended to only enable one or the other.

SNORT rules can be downloaded and installed, including the config files, from here:

https://www.snort.org/downloads

https://support.kemptechnologies.com/hc/en-us/articles/360005118711-How-to-configure-Intrusion-Protection-on-KEMP-Loadmaster-IPS-SNORT-


WAF is a better, more up-to-date engine, with rules downloaded automatically every 24 hrs if you have a subscription. It is maintained by ModSecurity. It is recommended to use WAF if available.

0


Robert Muscat

Hi Mark,

Thanks for the feedback provided.

To my knowledge, nowhere does KEMP state that you can't use both.

My current aim is to match a particular string in a TCP packet, which could cause the packet to be dropped.

0
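An added example, not from the original thread and not KEMP's own configuration, showing the two kinds of rule discussed in this thread: a catch-all test rule like the one in the opening post, and a rule that matches a fixed string in a TCP payload and drops the packet, which is the aim stated in the comment just above. It assumes a stock Snort 2.9-series engine; the port number, the search string `DROP-ME-PLEASE`, the file name `local.rules` and the `sid` values are placeholders chosen for the example. One Snort-level fact it relies on: Snort 2.9 refuses to load a rule that has no `sid`, so a rule written with only `msg` never reaches the detection engine at all.

```snort
# Added example (not from the original thread or from KEMP). Assumes a
# stock Snort 2.9-series engine; port 80, the search string, the file
# name local.rules and the sid numbers are placeholders for this example.
#
# On a stock install, snort.conf reaches a rules file through an include
# resolved against RULE_PATH, e.g.:
#   var RULE_PATH /etc/snort/rules
#   include $RULE_PATH/local.rules

# A rule carrying only msg, like the one in the opening post, is refused
# by Snort 2.9 at start-up because it has no sid, so it never loads and
# can never fire:
#   alert ip any any -> any any (msg:"TEST";)

# Catch-all test rule: fires on every TCP packet, which proves the file
# is loaded and rules are being evaluated before anything narrower is tried.
alert tcp any any -> any any (msg:"TEST rule loaded"; sid:1000001; rev:1;)

# The stated goal: match a fixed string in a TCP payload and drop it.
# drop only takes effect when Snort runs inline; in passive IDS mode the
# packet has already been forwarded by the time the rule matches.
drop tcp any any -> any 80 (msg:"Blocked test string in request"; \
    flow:to_server,established; \
    content:"DROP-ME-PLEASE"; nocase; \
    sid:1000002; rev:1;)
```

`snort -T -c snort.conf` parses the configuration and every included rules file without processing traffic, so a missing `sid` or a bad rule header is reported immediately rather than silently producing no alerts. Whether the LoadMaster honours the rule's own action or substitutes its Intrusion Handling setting is question 2 above and is not answered on this page; the catch-all test rule is the quickest way to find out whether the file is being read at all.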


Permanently deleted user

https://support.kemptechnologies.com/hc/en-us/articles/203876289-KEMP-Intrusion-Protection-IPS-

"It should be noted that this IPS is not meant to replace a full network IPS. KEMP also have a much more complete security offering - a Web Application Firewall (WAF) component. This is probably more suitable for most Application Security requirements than the legacy IPS feature"

0


Permanently deleted user

Hello Robert,

Can I ask you to open a support ticket so we can better understand what you are trying to accomplish with the WAF?

Regards

0
