Todo #14226

open

Feedback on Packages — IDS / IPS — Configuring the Snort Package

Added by Ashley R. Thomas about 1 year ago.

Status: New
Priority: Low
Assignee: -
Category: IDS / IPS
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

Page: https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html

Feedback: The docs seem to unnecessarily instruct "...If a paid subscription is available for the Snort VRT rules, then all of the Snort GPLv2 Community rules are automatically included within the file downloaded with the Snort VRT rules; therefore, do not enable the GPLv2 Community rules if a paid-subscriber account is used for the Snort VRT rules. ..."

I am a Snort "personal" level rule paying subscriber and have both "Enable Snort VRT" and "Enable Snort GPLv2" checked. I see both paid subscriber and community rules downloaded, but the per-interface usage of those rules seems to consolidate them (i.e., duplicates do not appear). It therefore seems harmless to check both.

Background:
I read the docs, must have missed that, had both checked since day one. I did not want to leave it in a "bad" state, yet I was concerned about unchecking community, perhaps losing out on goodness (i.e., in case docs were dated/incorrect).

Reading into the docs, it seems as though something is bad about selecting both. I wanted to verify...

I ended up downloading all 3 rule sets, paid, free/reg, GPL/community, directly from the Snort site, grepping for one known community rule which did appear in all 3 rule sets.

When running "cat /usr/local/etc/snort/snort_<interface>/rules/snort.rules", it seems only one made it into the final per-interface set.

I'm guessing the worst case is there is extra unnecessary processing and disk space used when unnecessarily selecting community as a registered user... but that it ultimately will not harm the end result. While I would actually prefer to remove any unnecessary processing and disk space usage, being uncertain per above led me down the above useful rabbit hole of sorts.

I'm wondering if it's reasonable to either remove that clarification (if truly unnecessary... maybe my one-off test was not comprehensive and you know something otherwise), or to update the UI to force-disable GPL/community for selections that negate its necessity.

Definitely not a high priority since it seems there is no harm whether a paid subscriber user deselects community or not... but since a user cannot know what's at stake for certain without investigating per above, I was thinking the clarification (removed/augmented, or UI tweaked) might just make things overall easier to understand at the early stage of reading about rules, trying to gain understanding of them, the various options, downloads, selections, and so forth.
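As an added illustration of the check described in this report (example code, not the reporter's and not the pfSense Snort package's own), the script below parses Snort rule files by SID, lists SIDs that appear in more than one downloaded rule set, and counts SIDs that a merged rules file would load twice. It assumes the per-interface file is built by merging rules on SID; the rule sets, SIDs and messages are constructed.

```python
import re
from collections import defaultdict

# Snort rules are one line each; sid: is one of the ';'-separated options.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return {sid: rule_line} for the enabled rules in one rules file.
    Blank lines and commented-out (disabled) rules are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            rules[int(m.group(1))] = line
    return rules

def find_overlap(rulesets):
    """{source_name: rules_text} -> {sid: [sources]} for SIDs in >1 source."""
    seen = defaultdict(list)
    for name, text in rulesets.items():
        for sid in parse_rules(text):
            seen[sid].append(name)
    return {sid: srcs for sid, srcs in seen.items() if len(srcs) > 1}

def count_duplicate_sids(merged_text):
    """Number of SIDs that would be loaded more than once from one file."""
    counts = defaultdict(int)
    for line in merged_text.splitlines():
        m = SID_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            counts[int(m.group(1))] += 1
    return sum(1 for c in counts.values() if c > 1)

# Constructed sample data: SIDs, messages and file contents are made up.
SAMPLE_RULESETS = {
    "vrt": 'alert tcp any any -> any 80 (msg:"CONSTRUCTED vrt only"; sid:9000001; rev:1;)\n'
           'alert tcp any any -> any 80 (msg:"CONSTRUCTED shared"; sid:9000002; rev:3;)\n',
    "community": '# alert tcp any any -> any 21 (msg:"CONSTRUCTED disabled"; sid:9000003; rev:1;)\n'
                 'alert tcp any any -> any 80 (msg:"CONSTRUCTED shared"; sid:9000002; rev:3;)\n',
}
# Naive concatenation of both downloads: the shared SID appears twice.
SAMPLE_CONCAT = SAMPLE_RULESETS["vrt"] + SAMPLE_RULESETS["community"]
# Merging by SID first (assumed per-interface behaviour) removes the duplicate.
SAMPLE_MERGED = "\n".join({**parse_rules(SAMPLE_RULESETS["vrt"]),
                           **parse_rules(SAMPLE_RULESETS["community"])}.values())
```

Pointing `parse_rules` at the real downloaded `.rules` files and `count_duplicate_sids` at the generated per-interface `snort.rules` reproduces the grep-based check from the report without relying on a single known rule.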

