Messages - Redyr

#1
Quote from: unipacket on December 07, 2018, 03:58:07 AM
Hi everyone,

What is the general consensus on Snort rule compatibility with Suricata? Is purchasing the VRT rules worth it, seeing that not all rules are compatible?

thanks

I bought the Snort Subscriber Rules and I'm using them with the "other" project. I cannot test on OPNsense, because the Snort license only lets you use one sensor (appliance) for personal use.

You are right, many of the rules are not recognized by Suricata due to different syntax, keywords, etc.

You will get errors like this:

17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48771 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_server,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48771; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19027
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48770 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; flow:to_client,established; content:"content1.addEventListener(|22|DOMNodeRemoved|22|, f)|3B 0D 0A|"; fast_pattern:only; file_data; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-0565; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0565; classtype:attempted-user; sid:48770; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19028
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19069
17/1/2019 -- 02:11:20 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'

But some of them will work. Please bear in mind not to use, for now, rules above Snort version 2. The rules for Snort version 3 are not functional with Suricata yet. As an example, choose "snortrules-snapshot-29120.tar.gz" for "Snort rules filename". If you pay, the paid rules will be downloaded with the same OINK code.

Hope this helps.

@franco I don't know if you are involved in OPNids, but keep up the good work. Machine learning...wow :)

Can you please also add in the IDS/IPS sub forum a history of changes or improvements, only related to OPNsense Suricata package.

For example:
- added rules management
- code from OPNids included, please read the OPNids release notes
- changes to the OPNsense Suricata GUI package (if performed)

It will help to track the changes and find out when something like "rule management" will be implemented.

Thank you
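A small Python helper, added here and not part of the post or of the OPNsense/Suricata projects, that parses start-up errors like the ones quoted above and lists the rejected sids (with the reason Suricata gave and the rule-file line) so they can go on a disable list instead of failing on every restart. The sample log is a constructed, shortened copy of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the Suricata start-up errors quoted in the post above, rule bodies shortened.
SAMPLE_LOG = """\
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48771 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; file_data; sid:48771; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19027
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 48770 setup buffer file_data but didn't add matches to it
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Edge memory corruption attempt"; file_data; sid:48770; rev:1;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19028
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
17/1/2019 -- 02:11:19 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; file_data; dsize:<400; sid:26961; rev:3;)" from file /usr/local/etc/suricata/suricata_27404_igb0/rules/suricata.rules at line 19069
17/1/2019 -- 02:11:20 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'
"""

ERR_RE = re.compile(r"\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<detail>.*)$")   # every Suricata error line
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")                                    # sid inside the quoted signature
RULE_RE = re.compile(r"\brule (\d+) ")                                        # "rule 48771 setup buffer ..."
LINE_RE = re.compile(r" at line (\d+)$")                                      # position in suricata.rules


def parse_rejected_rules(log_text):
    """Return ({sid: {"errors": set, "line": int|None}}, [reasons Suricata never tied to a sid])."""
    rejected = defaultdict(lambda: {"errors": set(), "line": None})
    pending = []  # reasons logged on the line(s) just before the signature they belong to
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        code, detail = m.group("code"), m.group("detail")
        if detail.startswith("error parsing signature"):
            sid_m = SID_RE.search(detail)
            if sid_m:
                entry = rejected[int(sid_m.group(1))]
                entry["errors"].update(pending + [code])
                line_m = LINE_RE.search(detail)
                entry["line"] = int(line_m.group(1)) if line_m else None
                pending = []
        elif (rule_m := RULE_RE.search(detail)):
            rejected[int(rule_m.group(1))]["errors"].add(f"{code}: {detail}")
        else:
            pending.append(f"{code}: {detail}")
    return dict(rejected), pending


def disablesid_lines(rejected):
    """One 'gid:sid' line per rejected rule, the form suricata-update's disable.conf accepts."""
    return [f"1:{sid}" for sid in sorted(rejected)]
```

Reasons logged after the last signature line (here the unknown byte_math keyword) come back in the second return value, so nothing Suricata complained about is silently dropped.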
#2
17.1 Legacy Series / Re: 17.1 development milestones
March 27, 2017, 01:35:55 AM
Quote from: franco on January 04, 2017, 07:55:58 AM
Not without the direct involvement of the author of the software. I don't think it is likely.

Hello Franco,

Users are banned for less, so what do you think will happen with BBcan if J. finds out he helps OPNsense? So I don't think he will agree.

But besides that, maybe something like pfblockerNG can be created by OPNsense.

I'm interested because Suricata (or Snort) and pfblockerNG are the most used packages (IMHO) in that other project. These two I'm using myself too.
For Suricata I want to thank you that you keep it updated in comparison with that other project.
#3
Intrusion Detection and Prevention / Re: IDS questions
October 20, 2016, 11:57:56 AM
I thought that fixing this bug, #1844: netmap: IPS mode doesn't set 2nd iface in promisc mode (from the Suricata 3.1.1 changelog), would fix the em(0) issue. Also, a lot of other bugs were fixed. So something must work better.

Also I saw that you work with FreeBSD on the Suricata ports from here https://www.freshports.org/security/suricata/, and I thought that you did some code fix for BSD plus the new Suricata code; I thought it would be a winning pair, at least maybe it would work better in comparison with what pfSense has. This was my idea.

I didn't know who you were, but sometimes negative publicity is good in a way (I meant that Chris mentioned a "Franco" from OPNsense, then I knew in which direction to look). Then I opened the OPNsense page, looked at the changelogs, and I saw the progress on Suricata, meaning 3.1.2 was implemented.

In comparison to the project that I use, I see at least that here you and others are trying to solve Suricata issues, which is important to me. My question in short is: I'm interested to switch to OPNsense; can I enable Suricata Inline mode on both of my NICs, and are the other issues fixed? I'm not asking you for an ETA, but I want to ask when I should switch in order to not have problems. Should I wait for the OPNsense next release in January? I mean I'm willing to wait, in order to not be disappointed like I am with pfSense.

As requested, this is the dump from the console (pfSense latest production version):

[2.3.2-RELEASE][root@prod.test]/root: pciconf -lv em0
em0@pci0:0:31:6:        class=0x020000 card=0x00008086 chip=0x15b78086 rev=0x31 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Connection (2) I219-LM'
    class      = network
    subclass   = ethernet

Thanks

#4
Intrusion Detection and Prevention / Re: IDS questions
October 20, 2016, 02:22:51 AM
Wow, that's the best explanation I had in years. I have this for my hardware http://global.shuttle.com/main/productsSpec?productId=2007

I have that other project installed on it, and both NICs are Intel, but there are 2 different drivers, one is igb(4) and the other is em(4). If I switch inline mode to the igb(4) NIC all is well, but if I try to switch to inline mode for em(4), after a few seconds the internet connection dies, and I cannot access my box anymore. Note that this happens on pfSense, and the only way to recover is to restore a backup restore point.

Actually I'm interested in whether Suricata 3.1.2 is working in Inline mode, not 3.0, and tell me more about the intel-em-kmod package or OPNsense os-intel-em, or be so kind as to point me to the right thread, if this was discussed before; I don't want to waste your time. Thanks

P.S. Actually I saw this thread https://forum.opnsense.org/index.php?topic=3630, so should I understand that because of some bugs in FreeBSD netmap it's not working, or can I use those workarounds you mentioned?
#5
Intrusion Detection and Prevention / Re: IDS questions
October 19, 2016, 09:53:34 PM
Quote from: dcol on October 14, 2016, 10:38:51 PM
Thanks, I submitted a feature request on GitHub for custom rules.

Hello @dcol,

Sorry to write you here, but on that other forum I can't write anymore. I read @jwt's response, that ultimately Suricata is not a concern for pfSense. Did you try Suricata on OPNsense, is it working, I mean the inline mode? Also I did not understand what Franco said about importing the rules. Can we import rules from pfSense easily if I switch to OPNsense?

Thanks