FR:Snort3 rules

At some point in time, Cisco is going to pull the plug on snort 2. I’m hoping by the time that happens suricata will support snort 3 rules (or at least have a conversion app). Just trying to get ahead of this now as I don’t want to be forced into choosing one app for one ruleset, or another app for another ruleset.

There are currently no plans for a (official) conversion tool, or extra support for Snort 3 rules.

Well let’s make it happen then :slight_smile: Because seriously, the folks who will get hosed are us users who just want the all the rulesets. It’s kind of a race really…the first app to support snort3 rules AND emerging threats rules wins. Thanks Jason.

Are you able to specify a bit more what the differences between the old and the new syntax are? In general we’ve not had snort compatibility as a major goal for quite a few years, but I see no reason not to at least consider the low hanging fruits.

Thanks Victor…for starters here’s an example error:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “alert ( gid:2; sid:1; rev:1; msg:“TAG_LOG_PKT”; metadata:rule-type preproc; classtype:not-suspicious; )” from file /opt/suricata/etc/snortrules/builtins/builtins.rules at line 1

and a comparison of rules; snort 2
alert tcp $HOME_NET any → $EXTERNAL_NET $HTTP_PORTS (msg:“MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.LokiBot”; flow:to_server,established; content:“User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)”; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,; classtype:trojan-activity; sid:40066; rev:4;)

alert tcp $HOME_NET any → $EXTERNAL_NET $HTTP_PORTS ( msg:“MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.LokiBot”; flow:to_server,established; http_header; content:“User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)”,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,; classtype:trojan-activity; sid:40066; rev:4; )

And from the reference doc:

  • all rules must have a sid
  • sid == 0 not allowed
  • deleted activate / dynamic rules
  • deleted metadata engine shared
  • deleted metadata: rule-flushing (with PDU flushing rule flushing can cause missed attacks, the opposite of its intent)
  • changed metadata:service one[, service two]; to service:one[, two];
  • soid is now a non-metadata option
  • metadata is now truly metadata with no impact on detection (Snort doesn’t care about metadata internal structure / syntax)
  • deleted fast_pattern:only; use fast_pattern, nocase (option is not added to detection tree if not required)
  • changed fast_pattern:, to fast_pattern,fast_pattern_offset ,fast_pattern_length
  • fast pattern sensitive data with sd_pattern using hyperscan
  • hyperscan regex fast patterns with regex:"", fast_pattern;
  • no ; separated content suboptions
  • offset, depth, distance, and within must use a space separator not colon (e.g. offset:5; becomes offset 5;)
  • content suboptions http_* are now full options
  • added sticky buffers: buffer selector options must precede contents and remain in effect until changed
  • the following pcre options have been deleted: use sticky buffers instead B, U, P, H, M, C, I, D, K, S, Y
  • deleted uricontent option; use sticky buffer uricontent:“foo” -→ http_uri; content:“foo”
  • deleted urilen raw and norm; must use http_raw_uri and http_uri instead
  • deleted unused http_encode option
  • urilen replaced with generic bufferlen which applies to current sticky buffer
  • added optional selector to http_header, e.g. http_header:User-Agent;
  • the all new http_inspect has new buffers and rule options
  • added alert file and alert service rules (service in body not required if there is only one and it is in header; alert service / file rules disable fast pattern searching of raw packets)
  • rule option sequence: soid
  • arbitrary whitespace and multiline rules w/o \n
  • #begin#end comments to easily comment out multiple lines
  • add rule remarks option with rem:“arbitrary comment”
  • nets and/or ports may be omitted from rule headers (matches any)
  • parse all rules and output all errors before quitting
  • read rules from conf, separate rules file, or stdin
  • The symbol =< in a byte test is recognized as a syntax error. The correct symbol is <=.

Hope that helps…thanks again!

Where can I find the complete documentation of the differences between snort3 and snort2 rules?