Certain Snort2 official rules cannot be triggered while the same rule can be trigged in snort3

Please include the following information with your help request:

• Suricata version : 8.0.0
• Operating system and/or Linux distribution : WSL2.0 , ubuntu 22.04
• How you installed Suricata : from source
  I have recently been testing a Network Intrusion Detection System (NIDS) and have used both Snort3 and Suricata to test the same HTTP network traffic. These packets were generated based on the official Snort rule set. However, after testing, I found that the same packet can trigger an alert in Snort3, but not in Suricata.
  For example, the following rule exists in the official Snort2 rule set (snort2-browser-plugins.rules):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Image Acquisition Logger ActiveX clsid access"; flow:to_client,established; file_data; content:"A1E75357-881A-419E-83E2-BB16DB197C68"; fast_pattern:only; pcre:"/(<object\s*[^>]\sid\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]\sclassid\s*=\s*(?P<q1>\x22|\x27|)\sclsid\s\x3a\s*{?\sA1E75357-881A-419E-83E2-BB16DB197C68\s}?\s*(?P=q1)(\s|>).(?P=id1)\s.\s*(Save)|<object\s*[^>]\sclassid\s*=\s*(?P<q2>\x22|\x27|)\sclsid\s\x3a\s*{?\sA1E75357-881A-419E-83E2-BB16DB197C68\s}?\s*(?P=q2)(\s|>)[^>]\sid\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).(?P=id2).(Save))\s(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31069; reference:cve,2008-3957; classtype:attempted-user; sid:14266; rev:12;)

And the Snort3 version of the same rule is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Microsoft Windows Image Acquisition Logger ActiveX clsid access"; flow:to_client,established; file_data; content:"A1E75357-881A-419E-83E2-BB16DB197C68",fast_pattern,nocase; pcre:"/(<object\s*[^>]\sid\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]\sclassid\s*=\s*(?P<q1>\x22|\x27|)\sclsid\s\x3a\s*{?\sA1E75357-881A-419E-83E2-BB16DB197C68\s}?\s*(?P=q1)(\s|>).(?P=id1)\s.\s*(Save)|<object\s*[^>]\sclassid\s*=\s*(?P<q2>\x22|\x27|)\sclsid\s\x3a\s*{?\sA1E75357-881A-419E-83E2-BB16DB197C68\s}?\s*(?P=q2)(\s|>)[^>]\sid\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).(?P=id2).(Save))\s(/Ois"; metadata:policy max-detect-ips drop; service:http; reference:bugtraq,31069; reference:cve,2008-3957; classtype:attempted-user; sid:14266; rev:12; )

The HTTP packet that should trigger these two alerts is:

GET /connecttest.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftconnecttest.com
Content-Type: text
Content-Length: 227

<object
 
    bPREYRU^2  
    id=      fn+6e)*NE_B  
    classid =   
        clsid:
         A1E75357-881A-419E-83E2-BB16DB197C68
     }
    <T;HBS:1FgQdW'C_fn+6e)*NE_B . \x53\x61\x76\x65

When using this HTTP packet for testing, I found that Snort3 can trigger the alert normally, but Snort2 cannot. Snort2 is using the default configuration.

I would like to ask if this is due to a problem with my environment setup, or if there are other reasons for this situations?

I appreciate you taking the time reading this topic . Please let me know if you have any insights or suggestions regarding the issue I’m facing with the Snort2 rule not being triggered. I sincerely appreciate any comments and I’m willing to provide more detailed informations if you need.

Is your question about Suricata alerting or not with Snort 2 and 3 rules?

When using this HTTP packet for testing, I found that Snort3 can trigger the alert normally, but Snort2 cannot
Or, are you asking a question about Snort 2 vs Snort 3?

Snort questions are better addressed here: Snort Community & Blog Network - Snort.org

THX for replying. I used snort2 rules for suricata and snort3 rules for snort3 software itself , which means that i set snort3 as an control condition. So the problem is that some http packets can be triggered by snort3 but not by suricata, and I was wandering that why this happened. Sorry that i haven’t explained clearly before.

Suricata’s refusing to load the first rule with an issue regarding the pcre content:

Error: detect-pcre: pcre2 compile of "/(<object\s*[^>]\sid\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]\sclassid\s*=\s*(?P<q1>\x22|\x27|)\sclsid\s\x3a\s*{?\sA1E75357-881A-419E-83E2-BB16DB197C68\s}?\s*(?P=q1)(\s|>).(?P=id1)\s.\s*(Save)|<object\s*[^>]\sclassid\s*=\s*(?P<q2>\x22|\x27|)\sclsid\s\x3a\s*{?\sA1E75357-881A-419E-83E2-BB16DB197C68\s}?\s*(?P=q2)(\s|>)[^>]\sid\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).(?P=id2).(Save))\s(/Osi" failed at offset 407: missing closing parenthesis [DetectPcreParse:detect-pcre.c:656]

I used the rule as-is (no-changes) from your post. Are you seeing this rule successfully load?

Can you run suricata -T -S /path/to/rule-file?

i am so sorry that it seems i uploaded a wrong rule. The correct rule could be successfully loaded by suricata. And here is the correct one.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Microsoft Windows Image Acquisition Logger ActiveX clsid access"; flow:to_client,established; file_data; content:"A1E75357-881A-419E-83E2-BB16DB197C68"; fast_pattern:only; pcre:"/(<object\s*[^>]*\s*id\s*=\s*(?P<m1>\x22|\x27|)(?P<id1>.+?)(?P=m1)(\s|>)[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1E75357-881A-419E-83E2-BB16DB197C68\s*}?\s*(?P=q1)(\s|>).*(?P=id1)\s*\.\s*(Save)|<object\s*[^>]*\s*classid\s*=\s*(?P<q2>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*A1E75357-881A-419E-83E2-BB16DB197C68\s*}?\s*(?P=q2)(\s|>)[^>]*\s*id\s*=\s*(?P<m2>\x22|\x27|)(?P<id2>.+?)(?P=m2)(\s|>).*(?P=id2)\.(Save))\s*\(/Osi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31069; reference:cve,2008-3957; classtype:attempted-user; sid:14266; rev:12;)

This one could be loaded by suricata successfully, but still cannot trigger the alarm of the packet.

Notice: suricata: This is Suricata version 8.0.0-dev running in SYSTEM mode [LogVersion:suricata.c:1156]
Notice: suricata: Configuration provided was successfully loaded. Exiting. [SuricataInit:suricata.c:2966]