At some point in time, Cisco is going to pull the plug on snort 2. I’m hoping by the time that happens suricata will support snort 3 rules (or at least have a conversion app). Just trying to get ahead of this now as I don’t want to be forced into choosing one app for one ruleset, or another app for another ruleset.
There are currently no plans for a (official) conversion tool, or extra support for Snort 3 rules.
Well let’s make it happen then Because seriously, the folks who will get hosed are us users who just want the all the rulesets. It’s kind of a race really…the first app to support snort3 rules AND emerging threats rules wins. Thanks Jason.
Are you able to specify a bit more what the differences between the old and the new syntax are? In general we’ve not had snort compatibility as a major goal for quite a few years, but I see no reason not to at least consider the low hanging fruits.
Thanks Victor…for starters here’s an example error:
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “alert ( gid:2; sid:1; rev:1; msg:“TAG_LOG_PKT”; metadata:rule-type preproc; classtype:not-suspicious; )” from file /opt/suricata/etc/snortrules/builtins/builtins.rules at line 1
and a comparison of rules; snort 2
alert tcp $HOME_NET any → $EXTERNAL_NET $HTTP_PORTS (msg:“MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.LokiBot”; flow:to_server,established; content:“User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)”; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/682fa75de9a2c11d5bdc9545ebc914af00921c807be5bb86296321bc55e08c86/analysis/; classtype:trojan-activity; sid:40066; rev:4;)
alert tcp $HOME_NET any → $EXTERNAL_NET $HTTP_PORTS ( msg:“MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.LokiBot”; flow:to_server,established; http_header; content:“User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)”,fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; reference:url,www.virustotal.com/en/file/682fa75de9a2c11d5bdc9545ebc914af00921c807be5bb86296321bc55e08c86/analysis/; classtype:trojan-activity; sid:40066; rev:4; )
And from the reference doc:
- all rules must have a sid
- sid == 0 not allowed
- deleted activate / dynamic rules
- deleted metadata engine shared
- deleted metadata: rule-flushing (with PDU flushing rule flushing can cause missed attacks, the opposite of its intent)
- changed metadata:service one[, service two]; to service:one[, two];
- soid is now a non-metadata option
- metadata is now truly metadata with no impact on detection (Snort doesn’t care about metadata internal structure / syntax)
- deleted fast_pattern:only; use fast_pattern, nocase (option is not added to detection tree if not required)
- changed fast_pattern:, to fast_pattern,fast_pattern_offset ,fast_pattern_length
- fast pattern sensitive data with sd_pattern using hyperscan
- hyperscan regex fast patterns with regex:"", fast_pattern;
- no ; separated content suboptions
- offset, depth, distance, and within must use a space separator not colon (e.g. offset:5; becomes offset 5;)
- content suboptions http_* are now full options
- added sticky buffers: buffer selector options must precede contents and remain in effect until changed
- the following pcre options have been deleted: use sticky buffers instead B, U, P, H, M, C, I, D, K, S, Y
- deleted uricontent option; use sticky buffer uricontent:“foo” -→ http_uri; content:“foo”
- deleted urilen raw and norm; must use http_raw_uri and http_uri instead
- deleted unused http_encode option
- urilen replaced with generic bufferlen which applies to current sticky buffer
- added optional selector to http_header, e.g. http_header:User-Agent;
- the all new http_inspect has new buffers and rule options
- added alert file and alert service rules (service in body not required if there is only one and it is in header; alert service / file rules disable fast pattern searching of raw packets)
- rule option sequence: soid
- arbitrary whitespace and multiline rules w/o \n
- #begin … #end comments to easily comment out multiple lines
- add rule remarks option with rem:“arbitrary comment”
- nets and/or ports may be omitted from rule headers (matches any)
- parse all rules and output all errors before quitting
- read rules from conf, separate rules file, or stdin
- The symbol =< in a byte test is recognized as a syntax error. The correct symbol is <=.
Hope that helps…thanks again!
Where can I find the complete documentation of the differences between snort3 and snort2 rules?