Using Snort VRT Rules With Suricata and Keeping Them Updated
-
Question for you Bill.
Can Suricata use the Snort 3.0 rules?
Thanks in advance.
Thank you for all of your hard work on these packages.
-
Hi OsrRon,
I have upgraded the rules already and they are working like a charm:
Mar 14 12:08:43 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-3000.tar.gz...
Mar 14 12:08:48 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Snort VRT rules file update downloaded successfully.
Rules 3 are the same as rules 2.990, and they only removed "snort_blacklist.rules" and "snort_local.rules".
-
Thank you for the info!
-
@osrron said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
Hi OsrRon,
I have upgraded the rules already and they are working like a charm:
Mar 14 12:08:43 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-3000.tar.gz...
Mar 14 12:08:48 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Snort VRT rules file update downloaded successfully.
Rules 3 are the same as rules 2.990, and they only removed "snort_blacklist.rules" and "snort_local.rules".
This is good to know. I had not tested Suricata with the Snort-3.0 rules. I have been waiting on Snort-3.0 to get closer to RELEASE status before investigating creating a GUI package to support it.
UPDATED INFORMATION ABOUT SNORT3 RULES
Do not enable download of the Snort3 rules with Suricata. The internal structure of the reference.config file is different, and this will break the 4.x version of Suricata!
Bill
-
@osrron said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
Question for you Bill.
Can Suricata use the Snort 3.0 rules?
Thanks in advance.
Thank you for all of your hard work on these packages.
In case someone else stumbles on this pinned post.
You can enable Snort3 rules with Suricata and it may seem like they are enabled, but a look at the logs will reveal that almost none of the Snort3 rules are valid for Suricata:
With Snort3 (+ET) rules file:
3/12/2018 -- 18:54:14 - <Info> -- 2 rule files processed. 16107 rules successfully loaded, 12873 rules failed
With Snort2 (+ET) rules file:
3/12/2018 -- 18:59:44 - <Info> -- 2 rule files processed. 26848 rules successfully loaded, 2132 rules failed
With just ET Suricata rules:
3/12/2018 -- 19:01:22 - <Info> -- 2 rule files processed. 16087 rules successfully loaded, 2077 rules failed
Most of the failures come from ET's Suricata rules. Most of the failures are a result of missing references (e.g. "md5") which are in the ET rules but not in the reference files after processing by pfSense's Suricata package.
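One way to find out ahead of a reload which rules will be rejected for the reason described above (a reference type such as md5 that reference.config never declares), as an added example that is not part of this thread or of the pfSense Suricata package. The reference.config and rules below are constructed samples with placeholder sids; point the two loaders at the real files under the Suricata rules directory to check an actual install.

```python
import re
from collections import Counter

# Constructed sample reference.config in the Snort 2.9.x / Suricata "config reference:" format
REFERENCE_CONFIG = """\
config reference: url     http://
config reference: cve     http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: bugtraq http://www.securityfocus.com/bid/
"""

# Constructed sample rules; the sids are placeholders, not real Snort or ET signatures
RULES = """\
alert tcp any any -> any 80 (msg:"SAMPLE cve ref"; reference:cve,2014-0160; sid:9000001; rev:1;)
alert tcp any any -> any 443 (msg:"SAMPLE md5 ref"; reference:md5,d41d8cd98f00b204e9800998ecf8427e; reference:url,example.test; sid:9000002; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE no ref"; sid:9000003; rev:1;)
# comment line, skipped by the checker
alert tcp any any -> any any (msg:"SAMPLE two refs"; reference:bugtraq,12345; reference:url,example.test; sid:9000004; rev:1;)
"""

REF_CONFIG_RE = re.compile(r"^\s*config\s+reference:\s*(\S+)", re.IGNORECASE)
REF_OPT_RE = re.compile(r"reference:\s*([^,;\s]+)\s*,")   # matches "reference:<type>,<id>;"
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def load_reference_types(config_text):
    """Return the set of reference system names declared in a reference.config."""
    return {m.group(1).lower()
            for m in map(REF_CONFIG_RE.match, config_text.splitlines()) if m}

def find_unresolved_references(rules_text, known_types):
    """Map sid -> sorted reference types the rule uses but reference.config lacks.
    Suricata refuses to load such a rule, which is the failure mode in the log lines above."""
    unresolved = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        missing = sorted({t.lower() for t in REF_OPT_RE.findall(line)} - known_types)
        if missing:
            unresolved[int(sid_match.group(1))] = missing
    return unresolved

def missing_type_counts(unresolved):
    """Count how many rules need each undeclared type: the list to add to reference.config."""
    return Counter(t for types in unresolved.values() for t in types)
```

Declaring the missing types in reference.config (or stripping the offending reference options) lets those rules load again without touching the detection logic.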
-
This thread is quite old, can you please advise/update if Suricata 5.0.3 is now compatible with Snort 3.0 (snortrules-snapshot-3000.tar.gz)?
-
@MxcZXAKM said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
This thread is quite old, can you please advise/update if Suricata 5.0.3 is now compatible with Snort 3.0 (snortrules-snapshot-3000.tar.gz)?
No, Suricata 5 is not compatible with Snort 3.0. I suspect it will be a very long time before Suricata can use the Snort 3.0 rules. Snort 3.0 is still in beta. It has not been released to production. There certainly is not likely to be any compatibility for Snort3 rules in Suricata until after Snort3 goes to RELEASE and production.
There is no need to worry about Snort3 rules. They are not "better" than the Snort 2.9.x rules currently available. Both versions detect the same threats. Snort3 rules are designed to work with the new Snort3 binary which is totally different internally than the current Snort 2.9.x binary. And as I mentioned, Snort3 is still not RELEASE. It has been in BETA for a very long time, and still is.
-
@bmeeks So is this the best release to reference for now?
snortrules-snapshot-29160.tar.gz
-
@MxcZXAKM said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
@bmeeks So is this the best release to reference for now?
snortrules-snapshot-29160.tar.gz
Yes. You want to use the most current version of the Snort 2.9.x rules with Suricata. Since Snort 2.9.16 is the current release, the snortrules-snapshot-29160.tar.gz rules archive contains the latest ones.
-
@bmeeks said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
@MxcZXAKM said in Using Snort VRT Rules With Suricata and Keeping Them Updated:
@bmeeks So is this the best release to reference for now?
snortrules-snapshot-29160.tar.gz
Yes. You want to use the most current version of the Snort 2.9.x rules with Suricata. Since Snort 2.9.16 is the current release, the snortrules-snapshot-29160.tar.gz rules archive contains the latest ones.
Very helpful, thank you!
-