Monday, December 7, 2020

Soft Release: lightSPD, the new rules package for Snort 3



By Patrick Mullen.

Today, we released a new rules and configurations package style, named lightSPD, for Snort 3. 

This is only a "soft" release at this time, so information will be light, but we at Talos wanted to give users the opportunity to take a sneak peek at what is to come. This blog post assumes a basic understanding of running Snort 3. If you need to get up to speed, please download and install Snort 3 and read the documentation for running Snort 3 located on GitHub here. As always, you can find the basics of Snort on our Resources page.

One of the biggest features of the lightSPD package is that it contains configurations for all versions of Snort 3 in one package, and, new to open-source users, it contains multiple policy configurations, rather than just rule sets. Using lightSPD, users can select Snort configurations that are tailored more toward speed or more toward detection and depth of inspection.  

We’ll go into this in greater detail in a future blog post, including how to mix and match configurations and rule sets, but for now, Talos recommends open-source users select the security-ips policy for a balance of security and speed, with an emphasis on security. If the device being used is light on resources, try balanced-ips; if the network being protected is light on traffic and/or the device running Snort is really powerful, give max-detect-ips a try. But what does this mean, and how do you select a policy?

In the root directory of the lightSPD package, look for a file named “manifest.json.” Open that file and look for the Snort version specification that is the most recent version that is less than or equal to the version you are running.  If you are running the Snort 3 Release Candidate version, that simply means select the version labeled "3.0.3-1," which is an exact match. However, if in the future you were running "3.0.3-5," for example, you would use "3.0.3-4," since that is the greatest version that is less than or equal to 3.0.3-5.

Once you have found the appropriate entry in manifest.json, there are two entries — "policies_path" and "architectures" — where "architectures" contains a list of different operating systems and hardware platforms for which precompiled binaries such as Shared Object rules are stored. The "architectures" specifier is the easiest: find the OS and architecture appropriate for your installation and pass its "modules_path" as the `--plugin-path` argument to Snort 3. This will load all of the required supplemental binaries in the lightSPD package for Shared Object rules.

The "policies_path" specifier is only slightly more complicated. To specify which policy you wish to use from lightSPD, look in the directory named by the "policies_path" element for the version of Snort you are running. In it, you will see a list of Lua files, each representing one of the available policies (configuration and ruleset combinations) provided by Talos. Simply select one of them using the guidelines above, and specify that file (with path) as the `-c` parameter for Snort 3. Note that these configuration files will handle loading all plaintext rules, builtin rules (what were called "preprocessor and decoder rules" in Snort 2), and Shared Object (SO) rules automatically.

Here’s a quick review:

  • Open manifest.json.
  • Find the version of Snort that is the most recent version that is less than or equal to the version you have installed.
  • Find your operating system and architecture in the "architectures" list, and specify the "modules_path" as `--plugin-path` command line parameter to Snort.
  • Determine which policy you wish to use, and specify that LUA file in the "policies_path" as the `-c` command line parameter to Snort.
  • Specify other Snort command-line parameters as appropriate for your install.
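To make the version-matching step concrete, here is an added example (not part of the original post and not a Talos tool) that walks the procedure above over a constructed manifest. The key layout of the sample manifest ("snort versions" keyed by version string, each holding "policies_path" and an "architectures" map with a "modules_path") and the `<policy>.lua` file naming are assumptions; check them against the real manifest.json and the policies directory in your package. The package root `/opt/lightspd` is likewise a placeholder.

```python
import json
import posixpath
import shlex

# Constructed sample manifest for illustration only; the real lightSPD manifest.json
# may nest its keys differently. Versions are deliberately out of order to show that
# selection does not depend on file ordering.
SAMPLE_MANIFEST = json.dumps({
    "snort versions": {
        "3.0.3-6": {
            "policies_path": "policies/3.0.3-6",
            "architectures": {
                "x86-64": {"modules_path": "modules/stable/3.0.3-6/x86-64"},
            },
        },
        "3.0.3-1": {
            "policies_path": "policies/3.0.3-1",
            "architectures": {
                "x86-64": {"modules_path": "modules/stable/3.0.3-1/x86-64"},
                "arm64": {"modules_path": "modules/stable/3.0.3-1/arm64"},
            },
        },
        "3.0.3-4": {
            "policies_path": "policies/3.0.3-4",
            "architectures": {
                "x86-64": {"modules_path": "modules/stable/3.0.3-4/x86-64"},
            },
        },
    }
})


def parse_version(version):
    """Turn '3.0.3-5' into (3, 0, 3, 5) so versions compare numerically.

    A plain string comparison would sort '3.0.3-10' before '3.0.3-9'.
    """
    return tuple(int(part) for part in version.replace("-", ".").split("."))


def select_manifest_version(manifest, running_version):
    """Return the greatest manifest version that is <= the running Snort version.

    Raises ValueError when every manifest entry is newer than the running Snort,
    since a newer configuration must not be silently picked.
    """
    running = parse_version(running_version)
    candidates = [v for v in manifest["snort versions"] if parse_version(v) <= running]
    if not candidates:
        raise ValueError(f"no manifest entry supports Snort {running_version}")
    return max(candidates, key=parse_version)


def build_snort_command(manifest_text, running_version, arch, policy, package_root):
    """Assemble the snort argv: -c <policy lua> --plugin-path <modules_path>."""
    manifest = json.loads(manifest_text)
    version = select_manifest_version(manifest, running_version)
    entry = manifest["snort versions"][version]
    try:
        modules_path = entry["architectures"][arch]["modules_path"]
    except KeyError:
        raise KeyError(
            f"manifest entry {version} has no architecture '{arch}'; "
            f"available: {sorted(entry['architectures'])}"
        ) from None
    # Assumption: each policy is a file named <policy>.lua inside policies_path.
    policy_lua = posixpath.join(package_root, entry["policies_path"], f"{policy}.lua")
    plugin_path = posixpath.join(package_root, modules_path)
    return ["snort", "-c", policy_lua, "--plugin-path", plugin_path]


if __name__ == "__main__":
    # The post's own example: running 3.0.3-5 should pick the 3.0.3-4 entry.
    argv = build_snort_command(
        SAMPLE_MANIFEST, "3.0.3-5", "x86-64", "security-ips", "/opt/lightspd"
    )
    print(shlex.join(argv))
```

Run it and append whatever other Snort command-line parameters your install needs (interface, logging directory, and so on) to the printed command. Treating an unknown architecture or an all-newer manifest as an error, rather than falling back to some other entry, is the safe choice here: loading Shared Object rules built for a different Snort version or platform is exactly what the version rule is meant to prevent.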

We’ll have more information in the future on how to use this new package as well as tools to make working with this package even easier, such as enabling and disabling Talos rules, adding local (user) rules, etc.  

Please check out this new package and let us know what you think. And, of course, the "traditional" package, which should work with all existing tools created for Snort 2, such as Pulled Pork, is also available for those who want to continue using that mechanism.

We hope to have the official Snort 3 release out to you soon. We appreciate all users’ feedback on the release candidate to make this the best product possible. If you’d like to know more about Snort 3, check out our page on Snort.org here.