FR: Snort3 rules

At some point in time, Cisco is going to pull the plug on snort 2. I’m hoping by the time that happens suricata will support snort 3 rules (or at least have a conversion app). Just trying to get ahead of this now as I don’t want to be forced into choosing one app for one ruleset, or another app for another ruleset.

There are currently no plans for a (official) conversion tool, or extra support for Snort 3 rules.

Well let’s make it happen then :slight_smile: Because seriously, the folks who will get hosed are us users who just want all the rulesets. It’s kind of a race really…the first app to support snort3 rules AND emerging threats rules wins. Thanks Jason.

Are you able to specify a bit more what the differences between the old and the new syntax are? In general we’ve not had snort compatibility as a major goal for quite a few years, but I see no reason not to at least consider the low hanging fruits.

Thanks Victor…for starters here’s an example error:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( gid:2; sid:1; rev:1; msg:"TAG_LOG_PKT"; metadata:rule-type preproc; classtype:not-suspicious; )" from file /opt/suricata/etc/snortrules/builtins/builtins.rules at line 1

and a comparison of rules; snort 2:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.LokiBot"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/682fa75de9a2c11d5bdc9545ebc914af00921c807be5bb86296321bc55e08c86/analysis/; classtype:trojan-activity; sid:40066; rev:4;)

snort 3:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.LokiBot"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/682fa75de9a2c11d5bdc9545ebc914af00921c807be5bb86296321bc55e08c86/analysis/; classtype:trojan-activity; sid:40066; rev:4; )

And from the reference doc:

  • all rules must have a sid
  • sid == 0 not allowed
  • deleted activate / dynamic rules
  • deleted metadata engine shared
  • deleted metadata: rule-flushing (with PDU flushing rule flushing can cause missed attacks, the opposite of its intent)
  • changed metadata:service one[, service two]; to service:one[, two];
  • soid is now a non-metadata option
  • metadata is now truly metadata with no impact on detection (Snort doesn’t care about metadata internal structure / syntax)
  • deleted fast_pattern:only; use fast_pattern, nocase (option is not added to detection tree if not required)
  • changed fast_pattern:, to fast_pattern,fast_pattern_offset ,fast_pattern_length
  • fast pattern sensitive data with sd_pattern using hyperscan
  • hyperscan regex fast patterns with regex:"", fast_pattern;
  • no ; separated content suboptions
  • offset, depth, distance, and within must use a space separator not colon (e.g. offset:5; becomes offset 5;)
  • content suboptions http_* are now full options
  • added sticky buffers: buffer selector options must precede contents and remain in effect until changed
  • the following pcre options have been deleted (use sticky buffers instead): B, U, P, H, M, C, I, D, K, S, Y
  • deleted uricontent option; use sticky buffer: uricontent:"foo" -> http_uri; content:"foo"
  • deleted urilen raw and norm; must use http_raw_uri and http_uri instead
  • deleted unused http_encode option
  • urilen replaced with generic bufferlen which applies to current sticky buffer
  • added optional selector to http_header, e.g. http_header:User-Agent;
  • the all new http_inspect has new buffers and rule options
  • added alert file and alert service rules (service in body not required if there is only one and it is in header; alert service / file rules disable fast pattern searching of raw packets)
  • rule option sequence: soid
  • arbitrary whitespace and multiline rules w/o \n
  • #begin#end comments to easily comment out multiple lines
  • add rule remarks option with rem:"arbitrary comment"
  • nets and/or ports may be omitted from rule headers (matches any)
  • parse all rules and output all errors before quitting
  • read rules from conf, separate rules file, or stdin
  • The symbol =< in a byte test is recognized as a syntax error. The correct symbol is <=.

Hope that helps…thanks again!
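To illustrate the "low hanging fruit" the thread is talking about, here is an added example (not code from this thread, from Suricata or from Snort): a small Python rewriter that turns the Snort 3 body syntax listed above back into the Snort 2 / Suricata form, using the sid 40066 rule quoted above as a constructed sample. The set of sticky buffers it knows, and folding `service:` back into `metadata:`, are assumptions of the example.

```python
import re

# Constructed sample: the Snort 3 form of sid 40066 quoted in the thread, with the metadata shortened.
SNORT3_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known '
    'malicious user-agent string - Win.Trojan.LokiBot"; flow:to_server,established; http_header; '
    'content:"User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)",fast_pattern,nocase; '
    'metadata:impact_flag red,policy balanced-ips drop; service:http; classtype:trojan-activity; '
    'sid:40066; rev:4; )'
)
# Assumed: Snort 3 sticky buffers that also exist as Snort 2 / Suricata content modifiers.
STICKY = {"http_header", "http_raw_header", "http_uri", "http_raw_uri", "http_client_body",
          "http_cookie", "http_method", "http_stat_code", "http_stat_msg"}
SPACED = {"offset", "depth", "distance", "within"}   # Snort 3 writes "offset 5", Snort 2 "offset:5"

def split_outside_quotes(text, sep):
    """Split on sep outside double-quoted strings; an escaped \\" inside quotes does not end them."""
    pat = r'(?:"(?:[^"\\]|\\.)*"|[^"%s])+' % re.escape(sep)
    return [s.strip() for s in re.findall(pat, text, re.S) if s.strip()]

def colonize(opt):                                  # "offset 5" -> "offset:5"; other options untouched
    m = re.fullmatch(r"(\w+)\s+(\S+)", opt)
    return f"{m[1]}:{m[2]}" if m and m[1] in SPACED else opt

def snort3_to_snort2(rule):
    """Rewrite the Snort 3 body syntax listed in the thread into Snort 2 / Suricata form."""
    head, body = rule[:rule.index("(")].strip(), rule[rule.index("(") + 1:rule.rindex(")")]
    out, sticky, service = [], None, None
    for opt in split_outside_quotes(body, ";"):
        name, _, value = opt.partition(":")
        if name in STICKY:                          # sticky buffer: applies to every content after it
            if value: raise ValueError(f"{opt}: header selectors have no Snort 2 equivalent")
            sticky = name
        elif name == "content":                     # comma-joined suboptions become separate options
            pattern, *subs = split_outside_quotes(value, ",")
            out += [f"content:{pattern}", *map(colonize, subs)] + ([sticky] if sticky else [])
        elif name == "service":                     # "service:http;" goes back inside metadata
            service = value
        elif name != "rem":                         # rem: has no Snort 2 counterpart; drop it
            out.append(colonize(opt))
    if service:
        i = next((i for i, o in enumerate(out) if o.startswith("metadata:")), None)
        if i is None: out.append(f"metadata:service {service}")
        else: out[i] += f", service {service}"
    return f"{head} ({'; '.join(out)};)"
```

Options the script does not know about (soid, bufferlen, the regex/sd_pattern fast patterns, fast_pattern_offset/fast_pattern_length) are passed through unchanged, so Suricata will still report them at load time.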

Where can I find the complete documentation of the differences between snort3 and snort2 rules?