Using Snort VRT Rules With Suricata and Keeping Them Updated
-
Warning: do not attempt to use the Snort3 rules with Suricata! If you enable the Snort 3.0 rules download, you will break your Suricata package install completely and the only way to recover will be to delete the package and install it again. You've been warned...
Suricata is compatible with most of the Snort VRT rules, and thus many users like to include the Snort VRT rules in their collection of rule signatures used with Suricata. However, using Snort VRT rules with Suricata requires understanding and working with two key points. First, obviously Suricata is not Snort; and thus while it is compatible with most legacy Snort rule options, there are some newer Snort rule keywords/options that Suricata will not recognize. Suricata will print errors in the suricata.log file when encountering rules like this. Luckily, unlike Snort, which will quit when encountering a rule syntax error, Suricata will skip the offending rule and keep on loading the next one. The second major point to understand is that Snort VRT rules are versioned and tied to a specific Snort binary version. So you must run 2.9.20.0 rules with the 2.9.20 Snort binary. The only rules package that will work with Snort version 2.9.20 is snortrules-snapshot-29200.tar.gz. If you manually download a different rules snapshot version and attempt to use it with the Snort 2.9.20 binary, the rules load will fail when you attempt to start Snort. Suricata is different: it is not tied to specific Snort rules versions (but note the warning above about Snort3 and the 3.x rules; those are NOT compatible with Suricata).
The Snort package on pfSense automatically determines the correct Snort VRT rules snapshot update to use because it knows what version of the Snort binary is running. Suricata can't know that. Nor does Suricata have any way of determining what the "latest" version of Snort might be. The Suricata package depends on you to tell it what Snort VRT rules snapshot file to download. You do this on the GLOBAL SETTINGS tab when you enable use of the Snort VRT rules. There is an input box where you should type in the Snort VRT rules snapshot filename. Enter just the filename. Do not enter a URL and do not enter your Oinkcode here! This filename parameter tells Suricata which snapshot file to download for the daily rule updates.
It follows from the above that it is also incumbent upon the admin user to keep up with changes in the Snort binary and resulting rules snapshots so the rules snapshot filename Suricata uses is updated when necessary. For instance, recently Snort has posted a new 2.9.20 binary version and associated rules snapshot. Suricata can use the updated rules in the new 2.9.209 rules snapshot file (snortrules-snapshot-29200.tar.gz for the 2.9.20 Snort binary), but it won't download that file until you tell it the name on the GLOBAL SETTINGS tab. Also, if you forget to change the value on the GLOBAL SETTINGS tab, then when the file version specified there goes end-of-life and is pulled by the Snort team, Suricata's Snort Subscriber Rules updates will start failing. So if you are using Snort Subscriber Rules with Suricata, set some kind of external reminder in your email or on your smartphone to prompt you to check the www.snort.org site once a month to see if updated versions of the Snort Subscriber Rules snapshot files have been posted, and update the Snort Subscriber Rules snapshot filename on the GLOBAL SETTINGS tab in Suricata.
Bill
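As an added example (not the pfSense package's own code), a small pre-flight check for the value that goes into the GLOBAL SETTINGS box: it builds the snapshot filename from a Snort 2.9.x version, refuses Snort3, and rejects a URL or a pasted Oinkcode. The version-packing rule is inferred from the two filenames in the post and the 40-hex-character Oinkcode shape is an assumption.

```python
import re
from urllib.parse import urlparse

# Filenames the Suricata package downloads for the Snort VRT rules:
# "snortrules-snapshot-<packed version>.tar.gz" (thread examples: 29200, 29160, 3000).
SNAPSHOT_RE = re.compile(r"^snortrules-snapshot-(\d{4,5})\.tar\.gz$")


def snapshot_filename(snort_version: str) -> str:
    """Derive the snapshot filename for a Snort 2.9.x binary version.

    The packing rule (version components concatenated, "2.9.20.0" -> "29200")
    is inferred from the data points in the post; a three-part version such
    as "2.9.20" is treated as "2.9.20.0". Snort 3.x is refused because the
    thread warns that those snapshots break the Suricata package.
    """
    parts = snort_version.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Snort version: {snort_version!r}")
    if parts[0] != "2":
        raise ValueError("only Snort 2.9.x snapshots are usable with Suricata")
    if len(parts) == 3:
        parts.append("0")
    return f"snortrules-snapshot-{''.join(parts)}.tar.gz"


def check_global_setting(value: str) -> list:
    """Return the problems with a value typed into the GLOBAL SETTINGS box.

    Filename only, no URL, no Oinkcode: those rules come from the post. The
    40-hex-character shape used to spot a pasted Oinkcode is an assumption.
    """
    problems = []
    v = value.strip()
    if urlparse(v).scheme or "/" in v:
        problems.append("enter just the filename, not a URL or path")
    if re.fullmatch(r"[0-9a-fA-F]{40}", v):
        problems.append("this looks like an Oinkcode; it belongs in its own field")
    match = SNAPSHOT_RE.match(v)
    if match is None:
        if not problems:
            problems.append("expected a name like snortrules-snapshot-29200.tar.gz")
        return problems
    if match.group(1).startswith("3"):
        problems.append("Snort3 snapshot: not compatible with Suricata, do not use")
    return problems
```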
-
Question for you Bill.
Can Suricata use the Snort 3.0 rules?
Thanks in advance.
Thank you for all of your hard work on these packages.
-
Hi OsrRon,
I have upgraded the rules already and they are working like a charm:
Mar 14 12:08:43 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-3000.tar.gz...
Mar 14 12:08:48 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Snort VRT rules file update downloaded successfully.
Rules 3 are the same as rules 2.990, and they only removed "snort_blacklist.rules" and "snort_local.rules".
-
Thank you for the info!
-
Hi OsrRon,
I have upgraded the rules already and they are working like a charm:
Mar 14 12:08:43 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-3000.tar.gz...
Mar 14 12:08:48 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Snort VRT rules file update downloaded successfully.
Rules 3 are the same as rules 2.990, and they only removed "snort_blacklist.rules" and "snort_local.rules".
This is good to know. I had not tested Suricata with the Snort-3.0 rules. I have been waiting on Snort-3.0 to get closer to RELEASE status before investigating creating a GUI package to support it.
UPDATED INFORMATION ABOUT SNORT3 RULES
Do not enable download of the Snort3 rules with Suricata. The internal structure of the reference.config file is different, and this will break the 4.x version of Suricata!
Bill
-
@osrron said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
Question for you Bill.
Can Suricata use the Snort 3.0 rules?
Thanks in advance.
Thank you for all of your hard work on these packages.
In case someone else stumbles on this pinned post.
You can enable Snort3 rules with Suricata and it may seem like they are enabled, but a look at the logs will reveal that almost none of the Snort3 rules are valid for Suricata:
With Snort3 (+ET) rules file:
3/12/2018 -- 18:54:14 - <Info> -- 2 rule files processed. 16107 rules successfully loaded, 12873 rules failed
With Snort2 (+ET) rules file:
3/12/2018 -- 18:59:44 - <Info> -- 2 rule files processed. 26848 rules successfully loaded, 2132 rules failed
With just ET Suricata rules:
3/12/2018 -- 19:01:22 - <Info> -- 2 rule files processed. 16087 rules successfully loaded, 2077 rules failed
Most of the failures come from ET's Suricata rules. Most of the failures are a result of missing references (e.g. "md5") which are in the ET rules but not in the reference files after processing by pfSense's Suricata package.
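The three summary lines above, run through an added example (not from the post or the pfSense package) that parses Suricata's rule-load summary and subtracts the ET-only run as a baseline, so the failures can be attributed to the Snort rule set that was added rather than to ET's known missing references. The sample strings are the post's own lines, copied into the block as constructed input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three rule-load summary lines quoted in the post,
# keyed by which rule sets were loaded together.
SAMPLE_LOGS = {
    "Snort3 + ET": "3/12/2018 -- 18:54:14 - <Info> -- 2 rule files processed. "
                   "16107 rules successfully loaded, 12873 rules failed",
    "Snort2 + ET": "3/12/2018 -- 18:59:44 - <Info> -- 2 rule files processed. "
                   "26848 rules successfully loaded, 2132 rules failed",
    "ET only": "3/12/2018 -- 19:01:22 - <Info> -- 2 rule files processed. "
               "16087 rules successfully loaded, 2077 rules failed",
}
SUMMARY_RE = re.compile(r"(\d+) rule files processed\. (\d+) rules successfully loaded, "
                        r"(\d+) rules failed")


@dataclass
class LoadSummary:
    files: int
    loaded: int
    failed: int

    @property
    def total(self) -> int:
        return self.loaded + self.failed


def parse_summary(line: str) -> Optional[LoadSummary]:
    """Pull the counts out of one Suricata <Info> rule-load summary line."""
    m = SUMMARY_RE.search(line)
    return LoadSummary(*(int(g) for g in m.groups())) if m else None


def added_set_report(combined: LoadSummary, baseline: LoadSummary) -> dict:
    """Attribute failures to the rule set loaded on top of the baseline run.
    Subtracting the ET-only counts isolates how many of the *added* Snort rules
    failed; the raw totals hide this because ET's own failures (missing
    references) are present in every run."""
    added = combined.total - baseline.total
    added_failed = combined.failed - baseline.failed
    return {"added_rules": added, "added_failed": added_failed,
            "added_failure_rate": added_failed / added if added else 0.0}


def compare_against_baseline(logs: dict, baseline_key: str = "ET only") -> dict:
    """Per combined run, the share of the added Snort rules that failed to load."""
    summaries = {k: parse_summary(v) for k, v in logs.items()}
    base = summaries[baseline_key]
    return {k: added_set_report(s, base) for k, s in summaries.items() if k != baseline_key}
```

On the post's numbers the Snort2 set adds 10816 rules of which 55 fail, while the Snort3 set adds the same 10816 and 10796 of them fail.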
-
This thread is quite old, can you please advise/update if Suricata 5.0.3 is now compatible with Snort 3.0 (snortrules-snapshot-3000.tar.gz)?
-
@MxcZXAKM said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
This thread is quite old, can you please advise/update if Suricata 5.0.3 is now compatible with Snort 3.0 (snortrules-snapshot-3000.tar.gz)?
No, Suricata 5 is not compatible with Snort 3.0. I suspect it will be a very long time before Suricata can use the Snort 3.0 rules. Snort 3.0 is still in beta. It has not been released to production. There certainly is not likely to be any compatibility for Snort3 rules in Suricata until after Snort3 goes to RELEASE and production.
There is no need to worry about Snort3 rules. They are not "better" than the Snort 2.9.x rules currently available. Both versions detect the same threats. Snort3 rules are designed to work with the new Snort3 binary which is totally different internally than the current Snort 2.9.x binary. And as I mentioned, Snort3 is still not RELEASE. It has been in BETA for a very long time, and still is.
-
@bmeeks So is this the best release to reference for now?
snortrules-snapshot-29160.tar.gz
-
@MxcZXAKM said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
@bmeeks So is this the best release to reference for now?
snortrules-snapshot-29160.tar.gz
Yes. You want to use the most current version of the Snort 2.9.x rules with Suricata. Since Snort 2.9.16 is the current release, then the snortrules-snapshot-29160.tar.gz rules archive contains the latest ones.
-
@bmeeks said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
@MxcZXAKM said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
@bmeeks So is this the best release to reference for now?
snortrules-snapshot-29160.tar.gz
Yes. You want to use the most current version of the Snort 2.9.x rules with Suricata. Since Snort 2.9.16 is the current release, then the snortrules-snapshot-29160.tar.gz rules archive contains the latest ones.
Very helpful, thank you!
-