
Author Topic: Using Snort VRT Rules With Suricata and Keeping Them Updated  (Read 3318 times)


bmeeks
Using Snort VRT Rules With Suricata and Keeping Them Updated
« on: January 16, 2017, 10:26:40 am »
Suricata is compatible with most of the Snort VRT rules, and thus many users like to include the Snort VRT rules in their collection of rule signatures used with Suricata.  However, using Snort VRT rules with Suricata requires understanding and working with two key points.  First, obviously Suricata is not Snort, and thus while it is compatible with most legacy Snort rule options, there are some newer Snort rule keywords/options that Suricata will not recognize.  Suricata will print errors in the suricata.log file when encountering rules like this.  Luckily, unlike Snort, which will quit when encountering a rule syntax error, Suricata will skip the offending rule and keep on loading the next one.  The second major point to understand is that Snort VRT rules are versioned and tied to a specific Snort binary version.  So you must run 2.9.8.3 rules with the 2.9.8.3 Snort binary.  For instance, the only rules package that will work with Snort version 2.9.8.3 is snortrules-snapshot-2983.tar.gz.  If you manually download a different rules snapshot version and attempt to use it with Snort 2.9.8.3, the rules load will fail.

The Snort package on pfSense automatically determines the correct Snort VRT rules snapshot update to use because it knows what version of the Snort binary is running.  Suricata can't know that.  Nor does Suricata have any way of determining what the "latest" version of Snort might be.  The Suricata package depends on you to tell it what Snort VRT rules snapshot file to download.  You do this on the GLOBAL SETTINGS tab when you enable use of the Snort VRT rules.  There is an input box where you should type in the Snort VRT rules snapshot filename.  Enter just the filename.  Do not enter a URL and do not enter your Oinkcode here!  This filename parameter tells Suricata which snapshot file to download for the daily rule updates.

It follows from the above that it is also incumbent upon the admin user to keep up with changes in the Snort binary and resulting rules snapshots so the rules snapshot filename Suricata uses is updated when necessary.  For instance, recently Snort has posted a new 2.9.9.0 binary version and associated rules snapshot.  Suricata can use the updated rules in the new 2.9.9.0 rules snapshot file, but it won't download that file until you tell it the name on the GLOBAL SETTINGS tab.  Also, if you forget to change the value on the GLOBAL SETTINGS tab, then when the file version specified there goes end-of-life and is pulled by the Snort VRT, Suricata VRT updates will start failing.  So if using Snort VRT rules with Suricata, set some kind of external reminder in your email or on your smartphone to prompt you to check the www.snort.org site once a month to see if updated versions of the Snort VRT snapshot files have been posted and update the Snort VRT rules snapshot filename on the GLOBAL SETTINGS tab in Suricata.

Bill
« Last Edit: January 16, 2017, 10:30:29 am by bmeeks »
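The two checks the post asks the admin to do by hand, as an added example that is not part of the original post or of the pfSense Suricata package: derive the snapshot filename from the Snort version shown on snort.org and compare it with the configured value, and scan suricata.log for rules Suricata skipped. The error-line wording matched by the regex and the sample log lines are assumptions modelled on Suricata's log format, not real output.

```python
import re

def snapshot_filename_for(snort_version: str) -> str:
    """Map a Snort binary version to its VRT snapshot name (2.9.8.3 -> ...-2983)."""
    parts = snort_version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Snort version string: {snort_version!r}")
    return f"snortrules-snapshot-{''.join(parts)}.tar.gz"

def snapshot_is_current(configured: str, current_snort_version: str) -> bool:
    """True when the GLOBAL SETTINGS filename still matches the current Snort release."""
    return configured.strip() == snapshot_filename_for(current_snort_version)

# Suricata skips a rule it cannot parse and logs an error instead of quitting.
# Assumed wording of that log line; adjust to the exact text your version emits.
PARSE_ERR = re.compile(
    r'<Error>.*error parsing signature "(?P<rule>.*)" from file .* at line (?P<line>\d+)'
)
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def skipped_rules(log_text: str) -> list[dict]:
    """Return one record (sid, rules-file line) per rule Suricata refused to load."""
    found = []
    for line in log_text.splitlines():
        m = PARSE_ERR.search(line)
        if not m:
            continue
        sid = SID.search(m.group("rule"))
        found.append({"sid": int(sid.group(1)) if sid else None,
                      "line": int(m.group("line"))})
    return found

# Constructed sample suricata.log excerpt (not real output) for a stand-alone run.
SAMPLE_LOG = """\
16/1/2017 -- 10:20:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule 1"; sid:1000001; rev:1;)" from file /usr/local/etc/suricata/rules/snort.rules at line 42
16/1/2017 -- 10:20:02 - <Info> - rule file loaded
16/1/2017 -- 10:20:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"constructed rule 2"; sid:1000002; rev:2;)" from file /usr/local/etc/suricata/rules/snort.rules at line 77
"""

if __name__ == "__main__":
    # A 2.9.8.3 filename left in place after 2.9.9.0 ships: the daily update will fail
    print(snapshot_is_current("snortrules-snapshot-2983.tar.gz", "2.9.9.0"))  # False
    for record in skipped_rules(SAMPLE_LOG):
        print(record)
```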