Snort rules v3

Started by MakesSense, February 20, 2018, 11:20:13 AM

Hi,

I'm using OPNsense 18.2_2. I've been using the Snort rule set snortrules-snapshot-29111.tar.gz for a while now and all has been fine.

When downloading the new Snort rule set snortrules-snapshot-3000.tar.gz, no Snort rules load. If I look at the download page they seem to be downloaded fine, but looking at the rules tab no Snort rules appear. So my question is: are the new rules not compatible with Suricata? Does anyone know?

Look at the Suricata logs in the GUI. Are there any errors loading the rules? If not, can you find the rules when searching for their IDs?
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

Yes, I got these errors (and a bunch more...):

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4199

<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

All of them had the [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)].


A quick Google search returned this: https://redmine.openinfosecfoundation.org/issues/1826

So I guess these Snort rules are not compatible with Suricata anymore (?).
I would create a custom rule, containing one rule and try to find the culprit by editing the original rule, just to be sure.



Problem is, the issue returns when the rules are updated.
I would just disable the rulesets that have the incompatible rules in them.
Snort rules have become worse over time working with Suricata. I bet that is on purpose. But over time Suricata may add the code needed for all the snort rules. Personally I have abandoned the snort rules altogether.
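As an added example (not code from this thread, from Suricata or from OPNsense), the following Python checker reproduces the ordering check behind the SC_ERR_INVALID_SIGNATURE(39) errors quoted above and lists the offending sids, so a downloaded ruleset can be screened before loading instead of bisecting rules by hand. The buffer keyword sets are an assumption about Suricata 4.x modifier semantics, and the sample rules file is constructed (two rules abridged from the quoted log plus a rewritten variant the checker accepts).

```python
import re

# Keywords that decide which buffer a content lives in (Suricata 4.x legacy
# modifier / sticky-buffer semantics; these sets are an assumption, not exhaustive).
MODIFIERS = {"http_uri", "http_raw_uri", "http_header", "http_raw_header",
             "http_cookie", "http_method", "http_client_body", "http_server_body",
             "http_host", "http_raw_host", "http_stat_code", "http_stat_msg",
             "http_user_agent"}              # move the preceding content out of payload
STICKY, STICKY_RESET = {"file_data"}, {"pkt_data"}   # redirect all following contents
RELATIVE = {"distance", "within"}           # relative to the previous content in a buffer

def check_rule(rule):
    """Return (sid, reason) when distance/within is applied to a content whose
    predecessor in the same buffer carries fast_pattern:only; None if clean."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)            # rule body inside (...)
    opts = re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', m.group(1) if m else "")
    sid, reason, sticky, cur_buf, cur_fpo = None, None, "payload", None, False
    prev_fpo = {}                 # buffer -> last content placed there has fast_pattern:only
    for opt in (o for o in opts if o.strip()):             # ';' split, quotes respected
        key, _, val = (x.strip() for x in opt.partition(":"))
        if key == "sid":
            sid = int(val)
        elif key == "content":                             # previous content is now fixed
            if cur_buf:
                prev_fpo[cur_buf] = cur_fpo
            cur_buf, cur_fpo = sticky, False
        elif key == "fast_pattern" and "only" in val:
            cur_fpo = True
        elif key in MODIFIERS:                             # content leaves payload buffer
            cur_buf = key
        elif key in STICKY or key in STICKY_RESET:
            sticky = key if key in STICKY else "payload"
        elif key in RELATIVE and prev_fpo.get(cur_buf) and reason is None:
            reason = f"{key} is relative to a fast_pattern:only content in {cur_buf}"
    return (sid, reason) if reason else None

def scan_rules(text):
    """Return [(line_no, sid, reason)] for every rule in a rules file that would fail."""
    return [(n, *r) for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and not line.lstrip().startswith("#")
            and (r := check_rule(line.strip()))]

# Constructed sample: two rules abridged from the log quoted in this thread, plus one
# rewritten so the buffer modifier precedes the relative keyword (accepted by the checker).
SAMPLE_RULES = """# constructed sample rules file
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; classtype:trojan-activity; sid:45400; rev:1;)
drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; classtype:trojan-activity; sid:26470; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed clean variant"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; http_uri; distance:0; sid:1000001; rev:1;)
"""
```

Run `scan_rules(open(path).read())` against each file under the opnsense.rules directory named in the log to get the sids and line numbers to disable or to report upstream.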