Snort rules for Suricata-IDS

Hello,
Is it possible to use Snort rules file for Suricata-IDS?

Thank you.

It depends on what version of Snort you are loading.

If you load 2.9.x Snort rules into Suricata, some rules will work, but will not run as well as rules that have been written specifically for Suricata. Snort rules that use the Shared Object features will not work in Suricata. Rules written specifically for Snort 3 will not work.

ET/ETPRO rules support both Suricata and Snort rule engines, so if using those, just make sure you are using the right rule file.

2 Likes

How do I know I'm using the right rule file? If I'm using Suricata 6.x, which Snort rules are equivalent? What about Suricata 7.x?

I tried loading Snort Subscription rules snort-snapshot-29xxx.tar.gz and received a bunch of errors when loading the rules with suricata-update. What did I do wrong? Should I use --no-test?

As was mentioned above, many of the Snort rules will not compile properly in the Suricata rules engine. This is because Suricata is not Snort 🙂. The rules syntax differs in certain ways. It is normal to see a number of the Snort rules produce errors when Suricata attempts to load them. Suricata discards those rules and does not load them after printing the error in the log.
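The two categories named earlier in the thread (Shared Object rules and Snort 3 rules) can be counted before a load is attempted. The pre-screen below is an added example, not code from the thread or from either project. Its heuristics are assumptions: `gid:3` marks a Shared Object stub, and a header with no addresses (`alert http (`) or a standalone `service:` option marks Snort 3 syntax. The sample rules are constructed.

```python
import re

# Constructed sample rules for illustration (not from any real rule set).
SAMPLE_RULES = '''\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed plain-text rule"; content:"test"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed SO stub"; gid:3; sid:1000002; rev:1;)
alert http (msg:"constructed Snort 3 service rule"; http_uri; content:"/x"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"constructed disabled rule"; sid:1000004; rev:1;)
alert tcp any any -> any 25 (msg:"constructed Snort 3 option"; service:smtp; content:"a"; sid:1000005; rev:1;)
'''

# Assumption: Shared Object rule stubs carry generator id 3.
SO_STUB = re.compile(r"\bgid\s*:\s*3\s*;")
# Assumption: Snort 3 allows the option list right after the action/protocol,
# with no source/destination header.
HEADERLESS = re.compile(r"^\s*\w+(?:\s+\w+)?\s*\(")
# Assumption: Snort 3 has a standalone service option; Snort 2.9 instead
# writes "metadata:service http", which this pattern does not match.
SERVICE_OPT = re.compile(r"[;(]\s*service\s*:")
SID = re.compile(r"\bsid\s*:\s*(\d+)")


def classify(rule):
    """Return a category for one rule line, or None for blanks/comments."""
    line = rule.strip()
    if not line or line.startswith("#"):
        return None
    if SO_STUB.search(line):
        return "shared-object"
    if HEADERLESS.match(line) or SERVICE_OPT.search(line):
        return "snort3-syntax"
    # Not flagged by these heuristics; Suricata's own load is still the test.
    return "needs-suricata-test"


def screen(text):
    """Group rule sids by category for a whole rule file's text."""
    result = {}
    for line in text.splitlines():
        category = classify(line)
        if category is None:
            continue
        match = SID.search(line)
        result.setdefault(category, []).append(int(match.group(1)) if match else None)
    return result


if __name__ == "__main__":
    for category, sids in sorted(screen(SAMPLE_RULES).items()):
        print(f"{category}: {len(sids)} rule(s) {sids}")
```

Rules in the `needs-suricata-test` group are not confirmed compatible; they are only the ones these heuristics did not flag, and the errors Suricata logs at load time remain the authoritative result.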