Suricata Rules to Snort 2 Rules

Hello everyone,
How can I convert Suricata rules to Snort 2 rules quickly, for example with a conversion tool? Rewriting them takes me too much time.
Thanks everyone

Hi,

Which ruleset(s) are you using (Emerging Threats (ET), Stamus, Secure Works, etc.)? If at all possible it would be best to find a Snort version of whatever ruleset(s) you are using.

JT


My Snort version is 2.9.15.1, Suricata is 6.0.13. How can I convert rules from Suricata to Snort quickly, for example with a conversion tool?
Here is my example Suricata Rule:

alert http any any -> any any (msg:"Detect Suspicious Path Traversal Attack"; flow:established,to_server; http.method; content: "GET"; http.uri.raw; pcre:"/(%2e%2e%2f|\.\.%2f(?!%20)|\.+\/|\/\/\.\.)/i"; classtype:web-application-attack; sid:1000001; rev:1;)

As mentioned, it would be best to find a Snort-specific version of the rules you are after.

But more to your question. While Snort and Suricata rules may follow the same format, maintaining compatibility has not been a focus for some time now and I’m not aware of any conversion tools that handle all the options. You’d probably have to review the rule and the documentation for Suricata and Snort, and adapt as needed. I’m not aware of any tooling that will help you out here.

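As an added illustration of the manual adaptation described in the last reply (not a tool from Suricata, Snort or anyone in this thread), the Python sketch below rewrites the sticky buffers used in the posted rule, plus two closely related ones, into Snort 2.9 content modifiers and pcre flags, and refuses any option it does not know. The function name `suricata_to_snort2` and the set of supported options are assumptions made for this example.

```python
import re

# Suricata 6 sticky buffer -> (Snort 2.9 content modifier, Snort 2.9 pcre flag)
BUFFERS = {
    "http.method": ("http_method", "M"),
    "http.uri": ("http_uri", "U"),
    "http.uri.raw": ("http_raw_uri", "I"),
    "http.header": ("http_header", "H"),
}
# Options this sketch passes through unchanged; anything else is rejected.
SAME = {"msg", "flow", "classtype", "sid", "rev", "reference", "nocase"}
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*?))?\s*;')

def suricata_to_snort2(rule):
    head, _, body = rule.strip().partition("(")
    action, proto, rest = head.split(None, 2)
    if proto == "http":              # Snort 2 has no "http" protocol keyword
        proto = "tcp"
    elif proto not in ("tcp", "udp", "icmp", "ip"):
        raise ValueError("unsupported protocol %r: convert it by hand" % proto)
    body = body.rsplit(")", 1)[0]    # drop the closing parenthesis
    out, buf, pos = [], None, 0
    while body[pos:].strip():
        m = OPTION.match(body, pos)
        if not m:
            raise ValueError("cannot parse options near: " + body[pos:pos + 30])
        pos = m.end()
        key, val = m.group(1), m.group(2)
        if key in BUFFERS:           # sticky buffer: applies to what follows
            buf = key
        elif key == "content":
            out.append("content:" + val)
            if buf:                  # Snort 2 modifier goes after the content
                out.append(BUFFERS[buf][0])
        elif key == "pcre":
            if buf:                  # Snort 2 selects the buffer with a pcre flag
                val = val[:-1] + BUFFERS[buf][1] + '"'
            out.append("pcre:" + val)
        elif key in SAME:
            out.append(key if val is None else key + ":" + val)
        else:
            raise ValueError("unsupported option %r: convert it by hand" % key)
    return "%s %s %s (%s;)" % (action, proto, rest.strip(), "; ".join(out))

# The Suricata rule posted earlier in this thread
SAMPLE = r'alert http any any -> any any (msg:"Detect Suspicious Path Traversal Attack"; flow:established,to_server; http.method; content: "GET"; http.uri.raw; pcre:"/(%2e%2e%2f|\.\.%2f(?!%20)|\.+\/|\/\/\.\.)/i"; classtype:web-application-attack; sid:1000001; rev:1;)'

if __name__ == "__main__":
    print(suricata_to_snort2(SAMPLE))
```

Snort 2 only fills its HTTP buffers on ports configured for the http_inspect preprocessor, so load the converted rule with `snort -T` against your own configuration before relying on it.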