Snort is a commonly used format for writing IPS signatures that is very poplar in the industry.
CloudGuard WAF provides the option for an administrator to provide a set of Snort signatures and have them enforced in the same way that CloudGuard WAF enforces the regular IPS signatures update from Check Point. Enforcement of IPS and Snort signatures (if configured) happens in parallel on all HTTP/S traffic.
Why import Snort rules to IPS?
It allows a security administrator to write their own signatures:
To block specific unique traffic that they see in their network and wish to prevent it.
As part of the testing of the product without running actual malicious attacks inside their environments.
A security administrator might want to deploy rules from 3rd party sources such as National/Governmental CERTs.
How to set Snort Signatures
Step 1: Browse to Policy->Assets and edit the Web Application / API asset
Once the asset edit window opens, select the Web Attacks tab and scroll to the Snort Signatures sub-practice.
Step 2: Make sure the Mode of the Snort Signatures sub-practice is as desired
Setting the Mode to As Top Level means inheriting the primary mode of the practice.
Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.
When making the first change to the default Web Application/API Best Practice's configuration such as uploading your unique Snort signatures file, you will be prompted to change the name of the Practice to your own custom practice name.
Step 3: Upload a Snort signature file
Press the Upload button to add a new Snort signatures file and the file selection window will appear:
Click the "Add File" icon to add a new file.
Optionally - you can click the "Download" icon to verify an existing file's content.
Select the file containing the SNORT signatures you wish to enforce.
Click OK.
Step 4: Enforce Policy
Click Enforce on the top banner of the Infinity Portal.
How to PoC the Snort Signatures feature?
Step 1: Create an example Signature file
Create a test file with a simple Snort rule. For example:
Step 2: Import the signature file into your policy
Save the file and use the above instructions to enforce policy using this file
Step 3: Trigger the signature
Trigger the signature that you have just written. For example by using a curl command:
Browse to Monitor -> All Events and make sure you see a log issued for this traffic
FAQ
Can you help me get started with a few signatures?
Of course, here are a couple of them:
Can I use any available Snort Signatures?
You can use version 3 Snort signatures from any source, however please be mindful of the list known limitations below. If you load a file containing unsupported signatures, then the unsupported signatures will be ignored (with warnings) but they will not stop the loading of those signatures that are valid.
What will be the performance impact if I add many Snort signatures?
Enforcing Snort signatures uses the same mechanisms as other CloudGuard WAF security apps, so just adding the Snort security app doesn't have any performance impact.
There is also the performance impact that each additional signature generates. This differs from one signature to the next, but as a rule-of-thumb Snort signatures typically have a performance rating equivalent to IPS "Medium" performance.
Is there a maximum number of Snort signatures that can be added?
In the this EA version, we support up to 1500 active signatures.
Is there an API available?
Will be published soon.
Would any type of existing Snort signatures be compatible?
Unfortunately, no. Snort version 3 has made some significant changes from previous versions. This means that Snort signatures from older versions may not work as intended.
What are the known limitations?
Explicit context must be provided
The following keywords are not fully supported:
"flow" - only supports "to_server" (see above).
Low level keywords ("flags", "ack", etc.) - not supported (see above).
