Netgate Discussion Forum

    How to import 3rd party IDS rulesets' URLs into Snort?

      xelibri

      I'm not sure: is it possible to add additional IDS/IPS ruleset URLs without copying them manually into the custom.rules config?

      E.g. this one could be worth adding:

      https://urlhaus.abuse.ch/api/

      Thanks in advance!

        bmeeks

        @xelibri:

        I'm not sure: is it possible to add additional IDS/IPS ruleset URLs without copying them manually into the custom.rules config?

        E.g. this one could be worth adding:

        https://urlhaus.abuse.ch/api/

        Thanks in advance!

        At the moment neither the Snort nor Suricata packages support adding of third-party rulesets outside of the current built-in defaults.  That is something that is being looked into, but there are some obstacles to overcome within the GUI itself to make the feature useful.  For now, copying and pasting them into a custom rules configuration as you state is the only way.

        Bill

          rebytr

          After copying and pasting them in the custom rules panel, what's the trick to get around the error below?

          Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_8066_em1/rules/custom.rules(1) Bad protocol: http.
          
            bmeeks

            @rebman77:

            After copying and pasting them in the custom rules panel, what's the trick to get around the error below?

            Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_8066_em1/rules/custom.rules(1) Bad protocol: http.
            

            Have you changed the enabled/disabled state of any preprocessors?  Is the HTTP_INSPECT preprocessor enabled?

            Bill

              rebytr

              Preprocessors are all default settings.  Only additional one I have enabled is the Application ID Detection preprocessor.

                bmeeks

                Well, according to the current Snort documentation here:  http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node29.html#SECTION00422000000000000000

                Snort does not currently support HTTP as a protocol in the rule header.  Suricata does, but not Snort.  Perhaps the 3rd party ruleset you are using is really for Suricata?  I would check with the provider and see if they have a different version for Snort.  Sorry I did not catch this in my earlier reply.  I sometimes get Snort and Suricata confused since I get questions about both packages …  :-[

                Bill

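A pre-flight check for the failure discussed above, as an added example that is not from the thread or from the Snort package: it scans rule text for header protocols outside the four that Snort 2.x accepts (tcp, udp, icmp, ip), which is what triggers `Bad protocol: http`. The sample rules are constructed and the function names are hypothetical.

```python
import re

# Protocols Snort 2.x accepts in a rule header (per the Snort manual section
# linked above). Suricata also accepts application-layer names such as http.
SNORT2_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# action, protocol, then the rest of the header up to the option block
HEADER_RE = re.compile(r"^\s*([A-Za-z_]+)\s+(\S+)\s+.*\(")


def join_continuations(text):
    """Yield (first_line_number, logical_line), merging backslash-continued lines."""
    buf, start = "", None
    for num, line in enumerate(text.splitlines(), 1):
        start = start or num
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:
        yield start, buf


def find_bad_protocols(text):
    """Return [(line_number, protocol)] for active rules Snort 2.x would reject."""
    bad = []
    for num, line in join_continuations(text):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line, comment, or disabled rule
        m = HEADER_RE.match(line)
        if m and m.group(2).lower() not in SNORT2_PROTOCOLS:
            bad.append((num, m.group(2)))
    return bad


# Constructed sample rules, not taken from any real ruleset.
SAMPLE = """\
# constructed example ruleset
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed A"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"constructed B"; \\
    content:"example.invalid"; http_header; sid:1000002; rev:1;)
#alert dns any any -> any any (msg:"disabled"; sid:1000003;)
drop tls any any -> any any (msg:"constructed C"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for num, proto in find_bad_protocols(SAMPLE):
        print(f"custom.rules({num}) Bad protocol: {proto}")
```

Running this over a third-party ruleset before pasting it into the custom rules panel shows which lines would need a Snort-specific version from the provider.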
                  rebytr

                  Yep, that's the problem. Interesting thing is urlhaus has the IDS ruleset labeled for both Snort and Suricata. (They even tweet when they make updates to the ruleset that it is for both).  I have to assume they have never tried their ruleset in Snort.

                    bmeeks

                    @rebman77:

                    I have to assume they have never tried their ruleset in Snort.

                    I would agree …  :)

                    Bill

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.