OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: unipacket on December 07, 2018, 03:58:07 am

Title: snort Compatibility
Post by: unipacket on December 07, 2018, 03:58:07 am

Hi everyone,

What is the general consensus on snort rule compatibility with suricata?   Is purchasing the VRT rules worth it being not all rules are compatible?

thanks

Title: Re: snort Compatibility
Post by: franco on December 07, 2018, 07:20:26 am

Some have asked for it a while back. It needs manual tweaking, but otherwise this use case went under the radar. Hopefully someone using the ruleset can share experience with us...


Cheers,
Franco

Title: Re: snort Compatibility
Post by: unipacket on December 17, 2018, 02:23:01 pm

Thanks franco!

Title: Re: snort Compatibility
Post by: franco on January 02, 2019, 05:54:34 pm

Haven't been able to help much so no thanks needed. Bumping this once more to see if anybody can help and respond.


Cheers,
Franco

Title: Re: snort Compatibility
Post by: Redyr on January 17, 2019, 02:25:15 am

Quote from: unipacket on December 07, 2018, 03:58:07 am

Hi everyone,

What is the general consensus on snort rule compatibility with suricata?   Is purchasing the VRT rules worth it being not all rules are compatible?

thanks

I bought the Snort Subscriber Rules and I'm using them with the "other" project. I cannot test on OPNsense, because the Snort license, only let's you use only one sensor (appliance) for personal use.

You are right, many of the rules are not recognized by Suricata due to different syntax, keywords, etc.

You will get errors like this:

17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48771 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48771; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19027
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48770 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48770; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19028
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19069
17/1/2019 -- 02:11:20 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'

But some of them will work. Please bear in mind not to use, for know, rules above Snort version 2. The rules for Snort version 3 are not functional with Suricata yet. As an example choose "snortrules-snapshot-29120.tar.gz" for "Snort rules filename". If you pay, the paid rules will be downloaded with the same OINK code.

Hope this helps.

@franco I don't know if you are involved in OPNids, but keep up the good work. Machine learning...wow :)

Can you please also add in the IDS/IPS sub forum a history of changes or improvements, only related to OPNsense Suricata package.

For example:
- added rules management
- code from OPNids included, please read OPNids realease notes
- changes to the OPNsense Suricata GUI package (if performed)

It will help to track the changes and find out when something like "rule management" will be implemented.

Thank you