Suricata 7.0.8 not loading Snort2 ruleset, error upon load

Hello Suricata Community,

I am currently attempting to run Suricata 6.0.10 Release with Snort subscriber rules 2.9.16.0, and am running into issues with importing the ruleset. I have read in many places online that the rules are not written for Suricata specifically, but that Suricata would load most of the rules and skip the ones that are incompatible. When attempting to create a superset ruleset with suricata-update and load the ruleset into /var/lib/suricata/rules/suricata.rules, Suricata generates about 500 errors for specific rules (out of ~40,000), refuses to load any rules, and results in the following error:

5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "CIP_NON_CONFORMING"; sid:2; gid: 148; rev: 2; metadata: rule-type preproc; classtype:protocol-command-decode;)" from file /var/lib/suricata/rules/suricata.rules at line 34899
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "(" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.(.detection-enabled
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "CIP_CONNECTION_LIMIT"; sid:3; gid: 148; rev: 3; metadata: rule-type preproc; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 34900
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "(" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.(.detection-enabled
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "CIP_REQUEST_LIMIT"; sid:4; gid: 148; rev: 2; metadata: rule-type preproc; classtype:protocol-command-decode;)" from file /var/lib/suricata/rules/suricata.rules at line 34901
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "(" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.(.detection-enabled
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "TAG_LOG_PKT"; sid: 1; gid: 2; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )" from file /var/lib/suricata/rules/suricata.rules at line 34902
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd_pattern'.
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 37693
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd_pattern'.
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 37694
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd_pattern'.
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 37696
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd_pattern'.
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 37697
5/3/2025 -- 09:30:06 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
5/3/2025 -- 09:30:06 - <Error> -- Suricata test failed, aborting.
5/3/2025 -- 09:30:06 - <Error> -- Restoring previous rules.

Could somebody help me either disable these rules, or get suricata to ignore them and run anyways? I have a disable.conf, but I don’t know that I’ve written it correctly. I am also importing the following rulesets if that makes a difference to the loading:

  • et/open
  • tgreen/hunting
  • aleksibovellan/nmap
  • ptrules/open
  • stamus/lateral
  • pawpatrules

Any help with this? I don’t even really care to keep the rules that are having errors, I just want Suricata to skip them.

Suricata 6 is EOL, first upgrade to Suricata 7.

In addition you can disable based on sids, see suricata-update - Update — suricata-update 1.3.3 documentation


Andreas, thanks for the suggestions. I've updated to Suricata 7 and compiled the newest version (7.0.8 RELEASE) and am attempting this again. I've written a python program to extract the SID & GID for each of the rules that suricata is giving me from the errors of the Snort2 ruleset, however it is still giving me many similar errors, and reverting to previous rules. I do not seem to be able to reliably disable any rules? When I put a rule in to disable.conf, it is still coming up as an error in suricata when parsing the rules:

Suricata Error: 5/3/2025 -- 11:21:36 - <Error> -- error parsing signature "alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 2; metadata: policy max-detect-ips drop, rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )" from file /var/lib/suricata/rules/suricata.rules at line 34666

line from disable.conf: 8:124

Final errors:
5/3/2025 -- 11:21:37 - <Error> -- Loading signatures failed.
5/3/2025 -- 11:21:38 - <Error> -- Suricata test failed, aborting.
5/3/2025 -- 11:21:38 - <Error> -- Restoring previous rules.

Is it possible to reconcile this?

Thanks,
Andrew
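
The extraction step the post above describes, as an added example (not the poster's script and not part of suricata-update): it reads Suricata's "error parsing signature" lines, pulls the sid and gid out of the quoted signature, and emits disable.conf entries. The entries are written as gid:sid, which is the order the suricata-update documentation uses for that file (gid is optional and defaults to 1), so a Snort preprocessor rule with sid 8 and gid 124 becomes the line 124:8. The log text embedded below is a constructed sample modelled on the lines quoted in this thread.

```python
import re
import sys

# Constructed sample of Suricata rule-load errors (modelled on this thread);
# the last line is a rule without a gid keyword, which defaults to gid 1.
SAMPLE_LOG = """\
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "CIP_NON_CONFORMING"; sid:2; gid: 148; rev: 2; metadata: rule-type preproc; classtype:protocol-command-decode;)" from file /var/lib/suricata/rules/suricata.rules at line 34899
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "(" cannot be used in a signature.
5/3/2025 -- 09:29:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 37696
5/3/2025 -- 11:21:36 - <Error> -- error parsing signature "alert tcp any any -> any any (msg:"NO GID HERE"; sid:2019401; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 40000
"""

# The quoted signature sits between 'error parsing signature "' and '" from file'.
# The greedy .* is intentional: the signature itself contains double quotes.
SIG_RE = re.compile(r'error parsing signature "(?P<sig>.*)" from file')
# Snort2 rules write these keywords with inconsistent spacing ("sid:2;", "gid: 148;").
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def failed_signatures(log_text):
    """Yield (gid, sid) for every 'error parsing signature' line in log_text."""
    for line in log_text.splitlines():
        m = SIG_RE.search(line)
        if not m:
            continue  # secondary errors (unknown keyword/protocol) carry no sid
        sig = m.group("sig")
        sid = SID_RE.search(sig)
        if not sid:
            continue  # nothing to reference in disable.conf without a sid
        gid = GID_RE.search(sig)
        yield (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def disable_conf_lines(log_text):
    """Return sorted, de-duplicated disable.conf entries in gid:sid form."""
    pairs = sorted(set(failed_signatures(log_text)))
    return [f"{gid}:{sid}" for gid, sid in pairs]


if __name__ == "__main__":
    # Usage: suricata -T ... 2>&1 | python3 extract_failed_sids.py >> disable.conf
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("# rules that failed to parse (gid:sid), generated from Suricata errors")
    print("\n".join(disable_conf_lines(text)))
```

Re-run suricata-update after appending the output to disable.conf; the generated suricata.rules should then carry those signatures commented out rather than active.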

When suricata-update is setup properly, including values in disable.conf, it will disable accordingly.

Perhaps double-check your file and before launching suricata, validate that the rule(s) you don’t want are disabled?

See 9.1. Rule Management with Suricata-Update — Suricata 7.0.8 documentation

After you do this, if you still encounter unexpected behavior, you can post your disable.conf.
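
One way to do the check suggested above before launching Suricata, as an added example (not part of suricata-update or of the thread): parse disable.conf (plain sid, gid:sid and re: entries; group: entries are skipped) and report any rule that is still active in the generated suricata.rules. It assumes what suricata-update does with a disabled rule, namely writing it into the output file as a commented line with a leading "# ". Both files embedded below are constructed samples.

```python
import re

# Constructed disable.conf: two gid:sid entries, one bare sid (gid 1 implied)
# and one regular expression entry.
SAMPLE_DISABLE_CONF = """\
# preprocessor rules that failed to parse
148:2
138:5
2019401
re:SENSITIVE-DATA
"""

# Constructed excerpt of a suricata-update output file. Commented lines are
# disabled; the second and third lines are still active and should not be.
SAMPLE_RULES = """\
# alert ( msg: "CIP_NON_CONFORMING"; sid:2; gid: 148; rev: 2; metadata: rule-type preproc; classtype:protocol-command-decode;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)
alert tcp any any -> any any (msg:"ET TEST something"; sid:2019401; rev:1;)
# alert tcp any any -> any any (msg:"ET TEST other"; sid:2019402; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_disable_conf(text):
    """Return (set of (gid, sid), list of compiled regexes) from disable.conf text."""
    ids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            patterns.append(re.compile(line[3:].strip()))
        elif line.startswith("group:"):
            continue  # whole-file disables are outside this per-rule check
        elif ":" in line:
            gid, sid = line.split(":", 1)
            ids.add((int(gid), int(sid)))
        else:
            ids.add((1, int(line)))  # bare sid means gid 1
    return ids, patterns


def active_rules(rules_text):
    """Yield (gid, sid, rule_line) for every uncommented rule in rules_text."""
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        sid = SID_RE.search(stripped)
        if not sid:
            continue
        gid = GID_RE.search(stripped)
        yield (int(gid.group(1)) if gid else 1, int(sid.group(1)), stripped)


def still_active(disable_text, rules_text):
    """gid:sid of rules that disable.conf names but that are still active."""
    ids, patterns = parse_disable_conf(disable_text)
    offenders = []
    for gid, sid, line in active_rules(rules_text):
        if (gid, sid) in ids or any(p.search(line) for p in patterns):
            offenders.append(f"{gid}:{sid}")
    return offenders


if __name__ == "__main__":
    # Real use: open /etc/suricata/disable.conf and /var/lib/suricata/rules/suricata.rules.
    for entry in still_active(SAMPLE_DISABLE_CONF, SAMPLE_RULES):
        print(f"still active despite disable.conf: {entry}")
```

An empty result means suricata-update honoured every entry; anything listed points at an entry that was mis-typed (for instance sid and gid in the wrong order) or at a disable.conf that suricata-update is not reading from the path you expect.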