Snort rules order
-
@bmeeks Hello, how to resolve these errors (using Snort rules on Suricata)? For example, I have a lot like this:
[100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]?\sURI\s=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
[100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches
and this
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
Here are thousands of rules; how to even find them by number?
As I know, there exists special software to resolve these typical errors, but how, and could it be not free of charge?
At the end I have also
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 15356 signatures processed. 14 are IP-only rules, 1025 are inspecting packet payload, 7986 inspect application layer, 0 are decoder event only
-
@Antibiotic said in Snort rules order:
@bmeeks Hello, how to resolve these errors (using Snort rules on Suricata)? For example, I have a lot like this:
[100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]?\sURI\s=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
[100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches
and this
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
Here are thousands of rules; how to even find them by number?
As I know, there exists special software to resolve these typical errors, but how, and could it be not free of charge?
At the end I have also
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 15356 signatures processed. 14 are IP-only rules, 1025 are inspecting packet payload, 7986 inspect application layer, 0 are decoder event only
Did you not read this line I posted in an earlier reply?
Just be aware that Suricata does not honor all the same rules syntax as Snort, so many of the Snort rules will not load into Suricata. Suricata will log a syntax error for those rules and not load them.
For reference, here is a link to that earlier reply: https://forum.netgate.com/topic/187763/snort-rules-order/4?_=1714347945655.
Suricata does not recognize the same rules syntax as Snort. It does some things differently, and as a result certain Snort rules will not load in Suricata. Attempting to run the Snort rules tarball on Suricata will result in errors like this for many of the Snort rules (not all, but many of them).
The flowbit errors are normal and are just warnings. They can be a combination of mistakes the rule authors have made and failure to enable particular rules that set those flowbits.
-
@bmeeks Ah ok, but is it possible to resolve?
-
@Antibiotic said in Snort rules order:
@bmeeks Ah ok, but is it possible to resolve?
Certainly you can resolve it. All you need to do is clone the Suricata binary GitHub repo here, and then rewrite the C and Rust source code so that Suricata can fully understand all of the Snort rules syntax. Once you finish editing the Suricata binary code, you will need to recompile the package so that it loads on pfSense. For that you will need a Poudriere package builder based on the current pfSense kernel.
Sorry if this sounds a bit harsh, but your level of understanding here seems to be lacking. Suricata is NOT Snort. Therefore it CANNOT and DOES NOT use the exact same rules syntax. You cannot resolve this problem. It's just the way the two DIFFERENT products behave.
If you do not want to see the Snort rule errors, then do not attempt to run Snort rules on Suricata. Run only Emerging Threats rules there.
-
@bmeeks Ok, then is it possible to keep these rules off? How to find them?
-
@Antibiotic said in Snort rules order:
@bmeeks Ok, then is it possible to keep these rules off? How to find them?
If you want to use the Snort rules package, then just ignore the errors. Suricata is not loading the rules. Other than the log message, there is no harm and no foul in terms of operability.
You can disable rules by GID:SID, but personally I would not go to that amount of trouble. Just ignore the log errors.
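As an added example (not code from this thread, from the pfSense packages or from Suricata), a small Python script that reads a Suricata startup log like the one posted above and pulls out the GID:SID, msg and rules-file line of every rule that failed to parse, plus the flowbits that are checked but never set, so the failing rules can be found by number. The sample log lines are constructed from the ones in the thread with the rule body shortened, and the "gid:sid" disable-list line format is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of Suricata startup log lines, shaped like the ones in this thread
# (rule body shortened; sid, file path, line number and flowbit names are the thread's own).
SAMPLE_LOG = """\
[100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
[100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
"""

# One regex per message type; the rule text is bounded by the last '" from file' on the line.
PARSE_ERR = re.compile(r'Error: detect: error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
FLOWBIT_WARN = re.compile(r"flowbit '(?P<name>[^']+)' is checked but not set\. Checked in (?P<sid>\d+)")

@dataclass
class FailedRule:
    gid: int
    sid: int
    msg: str
    file: str
    line: int

def failed_rules(log_text: str) -> List[FailedRule]:
    """Every rule Suricata refused to load, with its GID:SID, msg and location in the rules file."""
    out = []
    for m in PARSE_ERR.finditer(log_text):
        rule = m.group("rule")
        sid = re.search(r"\bsid:\s*(\d+)\s*;", rule)
        gid = re.search(r"\bgid:\s*(\d+)\s*;", rule)
        msg = re.search(r'msg:\s*"([^"]*)"', rule)
        out.append(FailedRule(
            gid=int(gid.group(1)) if gid else 1,   # rules without an explicit gid use GID 1
            sid=int(sid.group(1)) if sid else -1,  # -1 marks a rule whose text carried no sid
            msg=msg.group(1) if msg else "",
            file=m.group("file"), line=int(m.group("line"))))
    return out

def unset_flowbits(log_text: str) -> Dict[str, int]:
    """Flowbits that are checked but never set, mapped to the first SID that checks them."""
    return {m.group("name"): int(m.group("sid")) for m in FLOWBIT_WARN.finditer(log_text)}

def disable_list(failed: List[FailedRule]) -> List[str]:
    """'gid:sid' lines (an assumed disable-list format), one per rule that failed to load."""
    return sorted({f"{r.gid}:{r.sid}" for r in failed if r.sid > 0})
```

Point it at the real log (for example by reading the file into `log_text`) to get the full list of failed SIDs and their line numbers in suricata.rules; the unset-flowbit map shows which SIDs are only waiting on a rule that was never enabled.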
-
@bmeeks Ok, thanks)))
-
@bmeeks I will try to use Snort rules on Snort, when one day maybe Snort becomes multithreaded on pfSense)))
-
@bmeeks Hi,
How often is the Snort snapshot updated? I mean the period of time between releases, or is it pushed to the public snapshot when ready? The last one is 29200; when should the next release be?
-
@Antibiotic said in Snort rules order:
@bmeeks Hi,
How often is the Snort snapshot updated? I mean the period of time between releases, or is it pushed to the public snapshot when ready? The last one is 29200; when should the next release be?
The Snort 2.9.x binary is effectively at end-of-life. It has been superseded for the most part by Snort3. But there is no effort at present to create a Snort3 package for pfSense. I tried at least two different times to create a Snort3 package and gave up very frustrated each time.
Snort3 is the multithreaded variant of Snort. But it was completely rewritten from the ground up in C++, has a new and different plugin API, and uses Lua for conf files instead of plaintext like previous Snort versions. For these and several other reasons, I abandoned creating a Snort3 package for pfSense. So far as I know, no one else is working on such a package either. That means when the upstream Snort team officially pulls support for the legacy 2.9.x Snort branch, Snort will be effectively dead on pfSense.
Suricata is the way forward on pfSense -- not Snort.
To answer your question about Snort 2.9.x, the last update was over two years ago and that was the release of the 2.9.20 binary. Nothing has happened in that branch since then. Only the rules themselves are getting updated, but I suspect at some point in the future even that will cease. That means I doubt there will ever be an update past the 29200 rules version.
You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.
-
@bmeeks So, please confirm that. Can I use the Snort3 rules snapshot on pfSense Suricata, or can it not be used at all on pfSense (both Snort and Suricata)?
-
@Antibiotic said in Snort rules order:
@bmeeks So, please confirm that. Can I use the Snort3 rules snapshot on pfSense Suricata, or can it not be used at all on pfSense (both Snort and Suricata)?
Did you not read what I just posted above? I've copied and pasted it again immediately below--
@bmeeks said in Snort rules order:
You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.
I tried to be as clear as possible. You CANNOT use Snort3 rules for anything on pfSense.
-
@bmeeks OK, now clear, but if I have Snort Subscriber rules, not Registered, will IPS Policy Mode in Suricata for Snort rules work in auto drop? Connectivity, Balanced and Security?
-
@Antibiotic said in Snort rules order:
@bmeeks OK, now clear, but if I have Snort Subscriber rules, not Registered, will IPS Policy Mode in Suricata for Snort rules work in auto drop? Connectivity, Balanced and Security?
Yes, but with the same caveat I mentioned earlier. Not all Snort rules have syntax that is compatible with Suricata. So, don't be surprised if a number of the Snort rules produce load errors and get ignored and not loaded by Suricata.
For example, if you choose IPS Policy Balanced, I would expect potentially a hundred or more Snort rules to generate syntax errors and be ignored and not loaded by Suricata. I don't recall the exact number. But I do know that if you select all Snort rules in Suricata, somewhere around 700 or more will not load due to syntax errors. This is expected behavior because like I said before, Suricata was developed for Emerging Threats rules and not Snort rules. Some Snort rules work, but that is more of a coincidence and not a design goal.
-
@Antibiotic said in Snort rules order:
if have snort subscribe rules not registered. IPS Policy Mode in suricata for snort rules will work in auto drop?
Registered versus Subscriber has absolutely nothing to do with IPS Policy metadata. The only difference in those two rules packages is the age of the included rules. No newly developed Snort rule will get put into the Registered User package until at least 30 days have passed since it was added to the Subscriber Rules package. That's what you pay for in the Subscriber Rules package -- newly released rules at the time they are created. In the free Registered User package, you don't get newly released rules until they are at a minimum 30 days old.
-
@bmeeks said in Snort rules order:
Emerging Threats rules
But what about Emerging Threats rules in Snort? Do they work well, or is there the same problem with syntax as with Snort rules in Suricata?
-
@Antibiotic said in Snort rules order:
@bmeeks said in Snort rules order:
Emerging Threats rules
But what about Emerging Threats rules in Snort? Do they work well, or is there the same problem with syntax as with Snort rules in Suricata?
In one of our previous conversations I said Emerging Threats created a special set of rules for Suricata. When you enable those in the Suricata package, it automatically downloads the correct set of ET rules for Suricata.
Similarly for Snort, Emerging Threats produces a set of rules tailored for Snort. When you enable ET rules in Snort, the package automatically downloads the matching set.
That is not the case for Snort VRT rules. The Snort VRT and Suricata (OISF) are basically competitors like Microsoft versus Apple. They do not go out of their way to "support" each other. Snort could care less if their rules work on Suricata or not. They see Suricata as a competitor - not as a friendly platform they want to support. And conversely, the Suricata developer team has zero interest in making sure their product supports every Snort rule syntax.
-
@bmeeks But is Snort more integrated in pfSense than Suricata? Any profit, or doesn't it matter, except multithreading?
-
@Antibiotic said in Snort rules order:
@bmeeks But is Snort more integrated in pfSense than Suricata? Any profit, or doesn't it matter, except multithreading?
I do not understand your question. What do you mean by "more integrated" and "any profit"?
The translation to English does not appear to be working well.
-
@bmeeks I mean, is Suricata also as well tested as Snort before being put in the pfSense repo? You are doing Snort; who is making Suricata for pfSense?