Suricata-update and Snort 2 rules

So before I manually create a process to do this…will suricata-update (from the 6.0.0 tarball) update Snort rules? I know the .so rules aren't supported, which is fine…thank you.

It should mostly work. The .so rules will not be extracted. And it's not a use case we test, so your mileage may vary. Best bet is to try it out.

Ok cool…so…just add with add-source? And the code?

Yeah, add-source. You’ll have to embed the code into the URL, last I checked they had URL examples.

Awesome…thank you!

Per the PP docs this:

https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|oinkcode

does not appear to work.

You’ll have to use a valid URL, something like:

https://www.snort.org/rules/<file_name>?oinkcode=<oinkcode>

and replace <file_name> and <oinkcode> with your values.
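A worked version of that add-source step, as an added example that is not code from the Suricata project or from this thread. It assumes the URL shape given in the reply above, that an oinkcode is 40 hexadecimal characters, and suricata-update's default data directory of /var/lib/suricata; the source name, file name and oinkcode are placeholders you supply. The one caveat worth knowing: the oinkcode is a credential, and add-source writes it into the source's YAML file, so that file deserves the same file permissions as any other secret.

```shell
#!/bin/sh
# Added example, not code from the Suricata project or from this thread.
# Registers a Snort 2 registered-rules snapshot as a suricata-update source
# using the URL shape from the reply above. The source name, file name and
# oinkcode are placeholders you supply; the 40-hex-character oinkcode check
# and the sources path are assumptions noted below.

# Build the download URL from the snapshot file name and the oinkcode.
snort_source_url() {
    file_name=$1
    oinkcode=$2
    # Assumption: an oinkcode is 40 hexadecimal characters. Refusing anything
    # else catches a mistyped or truncated code before it turns into an
    # unexplained HTTP 403 from snort.org during "suricata-update".
    case "$oinkcode" in
        ''|*[!0-9a-fA-F]*) echo "oinkcode must be hexadecimal" >&2; return 1 ;;
    esac
    if [ "${#oinkcode}" -ne 40 ]; then
        echo "oinkcode must be 40 characters, got ${#oinkcode}" >&2
        return 1
    fi
    printf 'https://www.snort.org/rules/%s?oinkcode=%s\n' "$file_name" "$oinkcode"
}

# Register the source. suricata-update stores the URL, oinkcode included, in
# <data-dir>/update/sources/<name>.yaml (data-dir assumed to be the default
# /var/lib/suricata), so treat that file as a credential.
add_snort_source() {
    name=$1
    url=$(snort_source_url "$2" "$3") || return 1
    suricata-update add-source "$name" "$url" || return 1
    src="/var/lib/suricata/update/sources/$name.yaml"
    [ -f "$src" ] && chmod 600 "$src"
    # Fetch every enabled source and build /var/lib/suricata/rules/suricata.rules.
    suricata-update
}

# Usage: sh add-snort-source.sh <source-name> <file_name> <oinkcode>
if [ "$#" -eq 3 ]; then
    add_snort_source "$1" "$2" "$3"
fi
```

The validation runs before anything touches the network, so a bad code fails loudly here rather than as a download error later in the update run.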

Got this to fly…sadly it looks like there’s a difference in keywords:

6/11/2020 -- 13:29:09 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.

Yeah, we haven’t been keeping in sync with Snort rules for some years now and no real plans to do so again.
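One way to live with that at the suricata-update layer, as an added example that is not from the thread or from the Suricata project: Suricata rejects a whole rule when it meets a keyword it does not know, so collect the unknown keywords from Suricata's own error output and generate disable.conf entries that drop only the rules using them, leaving the rest of the Snort 2 snapshot loadable. The log lines and rules inside are constructed for the example (the only keyword in them is the one quoted above); the assumption that disable.conf "re:" entries are matched as regular expressions against the rule text is marked in the comments.

```shell
#!/bin/sh
# Added example, not code from the Suricata project or from this thread.
# Finds the keywords Suricata rejected in a Snort 2 ruleset and turns them
# into suricata-update disable.conf entries. Sample log and rules below are
# constructed for this example.

# Constructed sample of Suricata console output (format as quoted above).
SAMPLE_LOG=$(cat <<'EOF'
6/11/2020 -- 13:29:09 - <Notice> - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
6/11/2020 -- 13:29:09 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
6/11/2020 -- 13:29:10 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
EOF
)

# Constructed sample rules (local sid range). Only the first uses the
# unsupported keyword; the second uses http_cookie, which Suricata accepts.
SAMPLE_RULES=$(cat <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED raw cookie test"; flow:to_server,established; content:"session="; http_raw_cookie; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"CONSTRUCTED cookie test"; flow:to_server,established; content:"session="; http_cookie; sid:1000002; rev:1;)
EOF
)

# Read Suricata output on stdin, print each unknown keyword once.
unknown_keywords() {
    sed -n "s/.*SC_ERR_RULE_KEYWORD_UNKNOWN.*unknown rule keyword '\([^']*\)'.*/\1/p" | sort -u
}

# Turn keyword names on stdin into disable.conf lines. Assumption: suricata-
# update applies "re:" patterns as regular expressions against the rule text,
# so \bkeyword\s*[;:] matches the keyword as a bare option or with a value.
disable_conf_lines() {
    sed 's/.*/re:\\b&\\s*[;:]/'
}

# Print the rules in file $1 that use any keyword given on stdin, so the
# coverage the disable list costs is visible before it is applied.
rules_using() {
    rules_file=$1
    pattern=$(paste -s -d '|' -)
    [ -n "$pattern" ] || return 0
    grep -E "(^|[; ])($pattern)[[:space:]]*[;:]" "$rules_file"
}

# Usage: sh snort-unsupported.sh /var/lib/suricata/rules/suricata.rules
# Runs a rule-only test (needs suricata), appends the disable entries to
# /etc/suricata/disable.conf (where suricata-update looks by default), then
# rebuilds the ruleset without those rules.
if [ "$#" -eq 1 ]; then
    suricata -T -S "$1" 2>&1 | unknown_keywords | disable_conf_lines >> /etc/suricata/disable.conf
    suricata-update
fi
```

Run it once after each snapshot update: a new Snort release can introduce keywords the previous pass did not see, and the "rules_using" listing tells you what detection you are giving up for each one.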

That’s too bad…looks like users are the ones out of luck soon then…once snort3 is released and snort2 goes away people will have to make a choice of one or the other, but not both. Thanks Jason!