Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Snort rules v3
« previous
next »
Print
Pages: [
1
]
Author
Topic: Snort rules v3 (Read 8007 times)
MakesSense
Newbie
Posts: 17
Karma: 2
Snort rules v3
«
on:
February 20, 2018, 11:20:13 am »
Hi,
I'm using OpnSense 18.2_2. I've been using snort rules set snortrules-snapshot-29111.tar.gz for a while now and all has been fine.
When downloading the new snort rules set snortrules-snapshot-3000.tar.gz no snort rules load. If I look at the download page they seem to be downloaded fine, but looking at the rules tab no snort rules appear. So my question is: Are the new rules not compatible with Suricata, anyone know?
Logged
elektroinside
Hero Member
Posts: 574
Karma: 51
Re: Snort rules v3
«
Reply #1 on:
February 20, 2018, 11:34:46 am »
Look at the Suricata logs in the GUI. Are there any errors loading the rules? If not, can you find the rules if searching for their IDs?
Logged
OPNsense v18
| HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
MakesSense
Newbie
Posts: 17
Karma: 2
Re: Snort rules v3
«
Reply #2 on:
February 20, 2018, 11:38:21 am »
Yes, I got these errors (and a bunch more...):
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 44
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 4199
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
All of them had the [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
Logged
elektroinside
Hero Member
Posts: 574
Karma: 51
Re: Snort rules v3
«
Reply #3 on:
February 20, 2018, 11:49:53 am »
A quick Google search returned this:
https://redmine.openinfosecfoundation.org/issues/1826
So I guess these Snort rules are not compatible with Suricata anymore (?).
I would create a custom rule, containing one rule and try to find the culprit by editing the original rule, just to be sure.
Logged
OPNsense v18
| HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member
dcol
Hero Member
Posts: 635
Karma: 51
Re: Snort rules v3
«
Reply #4 on:
February 22, 2018, 10:18:48 pm »
Problem is, the issue returns when the rules are updated.
I would just disable the rulesets that have the incompatible rules in them.
Snort rules have become worse over time working with Suricata. I bet that is on purpose. But over time Suricata may add the code needed for all the snort rules. Personally I have abandoned the snort rules altogether.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Snort rules v3