1
Intrusion Detection and Prevention / Re: snort Compatibility
« on: January 17, 2019, 02:25:15 am »Hi everyone,
What is the general consensus on snort rule compatibility with suricata? Is purchasing the VRT rules worth it being not all rules are compatible?
thanks
I bought the Snort Subscriber Rules and I'm using them with the "other" project. I cannot test on OPNsense, because the Snort license, only let's you use only one sensor (appliance) for personal use.
You are right, many of the rules are not recognized by Suricata due to different syntax, keywords, etc.
You will get errors like this:
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48771 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48771; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19027
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48770 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48770; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19028
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19069
17/1/2019 -- 02:11:20 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'
But some of them will work. Please bear in mind not to use, for know, rules above Snort version 2. The rules for Snort version 3 are not functional with Suricata yet. As an example choose "snortrules-snapshot-29120.tar.gz" for "Snort rules filename". If you pay, the paid rules will be downloaded with the same OINK code.
Hope this helps.
@franco I don't know if you are involved in OPNids, but keep up the good work. Machine learning...wow
Can you please also add in the IDS/IPS sub forum a history of changes or improvements, only related to OPNsense Suricata package.
For example:
- added rules management
- code from OPNids included, please read OPNids realease notes
- changes to the OPNsense Suricata GUI package (if performed)
It will help to track the changes and find out when something like "rule management" will be implemented.
Thank you