Using Snort VRT Rules With Suricata and Keeping Them Updated



  • Suricata is compatible with most of the Snort VRT rules, and thus many users like to include the Snort VRT rules in their collection of rule signatures used with Suricata.  However, using Snort VRT rules with Suricata requires understanding and working with two key points.  First, obviously Suricata is not Snort; and thus while it is compatible with most legacy Snort rule options, there are some newer Snort rule keywords/options that Suricata will not recognize.  Suricata will print errors in the suricata.log file when encountering rules like this.  Luckily, unlike Snort which will quit when encountering a rule syntax error, Suricata will skip the offending rule and keep on loading the next one.  The second major point to understand is that Snort VRT rules are versioned and tied to a specific Snort binary version.  So you must run 2.9.8.3 rules with the 2.9.8.3 Snort binary.  For instance, the only rules package that will work with Snort version 2.9.8.3 is snortrules-snapshot-2983.tar.gz.  If you manually download a different rules snapshot version and attempt to use it with Snort 2.9.8.3, the rules load will fail.

    The Snort package on pfSense automatically determines the correct Snort VRT rules snapshot update to use because it knows what version of the Snort binary is running.  Suricata can't know that.  Nor does Suricata have any way of determining what the "latest" version of Snort might be.  The Suricata package depends on you to tell it what Snort VRT rules snapshot file to download.  You do this on the GLOBAL SETTINGS tab when you enable use of the Snort VRT rules.  There is an input box where you should type in the Snort VRT rules snapshot filename.  Enter just the filename.  Do not enter a URL and do not enter your Oinkcode here!  This filename parameter tells Suricata which snapshot file to download for the daily rule updates.

    It follows from the above that it is also incumbent upon the admin user to keep up with changes in the Snort binary and resulting rules snapshots so the rules snapshot filename Suricata uses is updated when necessary.  For instance, recently Snort has posted a new 2.9.12 binary version and associated rules snapshot.  Suricata can use the updated rules in the new 2.9.12 rules snapshot file, but it won't download that file until you tell it the name on the GLOBAL SETTINGS tab.  Also, if you forget to change the value on the GLOBAL SETTINGS tab, then when the file version specified there goes end-of-life and is pulled by the Snort team, Suricata's Snort Subscriber Rules updates will start failing.  So if you are using Snort Subscriber Rules with Suricata, set some kind of external reminder in your email or on your smartphone to prompt you to check the www.snort.org site once a month to see if updated versions of the Snort Subscriber Rules snapshot files have been posted and update the Snort Subscriber Rules snapshot filename on the GLOBAL SETTINGS tab in Suricata.

    Bill

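As an added example (not code from the pinned post, from Bill, or from the pfSense Suricata package), here is a small Python check for the value that goes in the GLOBAL SETTINGS snapshot box: it derives the expected snortrules-snapshot-NNNN.tar.gz name from the Snort version currently posted on www.snort.org and rejects values that are a URL or look like an Oinkcode. The digit-concatenation rule (2.9.8.3 -> 2983, 3.0.0.0 -> 3000) follows the names on this page; the padding of a three-part version such as 2.9.12 to four parts (giving 29120) and the 40-hex-character shape of an Oinkcode are assumptions made for the example.

```python
import re

SNAPSHOT_RE = re.compile(r"^snortrules-snapshot-(\d+)\.tar\.gz$")
# Assumption for this example: an Oinkcode is a 40-character hex string.
OINKCODE_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def snapshot_name_for(snort_version):
    """Snapshot filename for a Snort binary version, e.g. 2.9.8.3 -> snortrules-snapshot-2983.tar.gz.

    Assumed convention: the digits of the four-part version are concatenated.
    A shorter version such as "2.9.12" is padded to four parts (2.9.12.0 -> 29120);
    that padding is an assumption, so confirm the posted name on www.snort.org.
    """
    parts = snort_version.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Snort version: %r" % snort_version)
    parts += ["0"] * (4 - len(parts))
    return "snortrules-snapshot-%s.tar.gz" % "".join(parts)


def check_snapshot_setting(value, current_snort_version):
    """Problems with a GLOBAL SETTINGS snapshot value; an empty list means it is fine.

    current_snort_version is the version currently offered on www.snort.org,
    which the admin has to look up by hand (Suricata cannot discover it).
    """
    problems = []
    v = value.strip()
    if "://" in v or "/" in v:
        problems.append("enter only the filename, not a URL or path")
        v = v.rsplit("/", 1)[-1]  # keep checking the basename
    if OINKCODE_RE.match(v):
        problems.append("this looks like an Oinkcode; it belongs in the Oinkcode field, not here")
        return problems
    if not SNAPSHOT_RE.match(v):
        problems.append("not a snapshot filename of the form snortrules-snapshot-NNNN.tar.gz")
        return problems
    expected = snapshot_name_for(current_snort_version)
    if v != expected:
        problems.append("%s does not match Snort %s (expected %s); an outdated name will start "
                        "failing once the old snapshot is pulled from snort.org"
                        % (v, current_snort_version, expected))
    return problems


if __name__ == "__main__":
    # Constructed inputs: a matching name, a stale name and a URL pasted by mistake.
    for setting, version in [("snortrules-snapshot-2983.tar.gz", "2.9.8.3"),
                             ("snortrules-snapshot-2983.tar.gz", "2.9.12"),
                             ("https://example.invalid/snortrules-snapshot-2983.tar.gz", "2.9.8.3")]:
        print(setting, "->", check_snapshot_setting(setting, version) or "ok")
```

Run it against the value you typed into the GLOBAL SETTINGS box and the version you read off www.snort.org; the monthly reminder Bill describes becomes "re-run this with the newly posted version and see whether the second check fires".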


  • Question for you Bill.

    Can Suricata use the Snort 3.0 rules?

    Thanks in advance.

    Thank you for all of your hard work on these packages.



  • Hi OsrRon,
    I have upgraded the rules already and they are working like a charm.

    Mar 14 12:08:43 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-3000.tar.gz...
    Mar 14 12:08:48 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Snort VRT rules file update downloaded successfully.

    Rules 3 are the same as rules 2.990 and they only removed "snort_blacklist.rules" and "snort_local.rules".



  • Thank you for the info!



  • @barakah:

    Hi OsrRon,
    I have upgraded the rules already and they are working like a charm.

    Mar 14 12:08:43 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-3000.tar.gz...
    Mar 14 12:08:48 pf php: /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Snort VRT rules file update downloaded successfully.

    Rules 3 are the same as rules 2.990 and they only removed "snort_blacklist.rules" and "snort_local.rules".

    This is good to know. I had not tested Suricata with the Snort-3.0 rules.  I have been waiting on Snort-3.0 to get closer to RELEASE status before investigating creating a GUI package to support it.

    Bill



  • @osrron said in Using Snort VRT Rules With Suricata and Keeping Them Updated:

    Question for you Bill.

    Can Suricata use the Snort 3.0 rules?

    Thanks in advance.

    Thank you for all of your hard work on these packages.

    In case someone else stumbles on this pinned post.

    You can enable Snort3 rules with Suricata and it may seem like they are enabled, but a look at the logs will reveal that almost none of the Snort3 rules are valid for Suricata:

    With Snort3 (+ET) rules file:
    3/12/2018 -- 18:54:14 - <Info> -- 2 rule files processed. 16107 rules successfully loaded, 12873 rules failed

    With Snort2 (+ET) rules file:
    3/12/2018 -- 18:59:44 - <Info> -- 2 rule files processed. 26848 rules successfully loaded, 2132 rules failed

    With just ET Suricata rules:
    3/12/2018 -- 19:01:22 - <Info> -- 2 rule files processed. 16087 rules successfully loaded, 2077 rules failed

    Most of the failures come from ET's Suricata rules, and most of them are a result of missing references (e.g. "md5") which are in the ET rules but not in the reference files after processing by pfSense's Suricata package.
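The "rules successfully loaded / rules failed" totals above only tell you that something was skipped. As an added example that is not part of this thread or of the pfSense package, here is a Python parser for suricata.log that extracts that summary line and pairs each "error parsing signature" line with the error Suricata logs just before it (unknown keyword, unknown reference key, and so on), so you can list which sids were dropped and why, and flag a load where the failed share is high enough to suggest a wrong snapshot. The sample log is constructed in the style of the Suricata 4.x log format; its sids, file path, error numbers, counts and the 25% threshold are illustrative, not taken from a real run.

```python
import re
import sys
from collections import Counter

# Constructed sample excerpt in the style of a Suricata 4.x suricata.log (the
# "<Error> - [ERRCODE: ...]" lines). Not a real capture: the sids, file path,
# error numbers and counts are made up so the example runs offline.
SAMPLE_LOG = r'''3/12/2018 -- 18:54:10 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(36)] - unknown rule keyword 'service'.
3/12/2018 -- 18:54:10 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"EXAMPLE Snort3-only option"; service:http; sid:1000001; rev:1;)" from file /usr/local/etc/suricata/suricata_12345_em0/rules/suricata.rules at line 10
3/12/2018 -- 18:54:11 - <Error> - [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(40)] - unknown reference key "md5". Supported keys are defined in reference.config file.
3/12/2018 -- 18:54:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"EXAMPLE ET rule with md5 reference"; content:"x"; reference:md5,0123456789abcdef; sid:2000002; rev:3;)" from file /usr/local/etc/suricata/suricata_12345_em0/rules/suricata.rules at line 42
3/12/2018 -- 18:54:12 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(36)] - unknown rule keyword 'sd_pattern'.
3/12/2018 -- 18:54:12 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg:"EXAMPLE Snort3-only option 2"; sd_pattern:"credit_card"; sid:1000003; rev:1;)" from file /usr/local/etc/suricata/suricata_12345_em0/rules/suricata.rules at line 77
3/12/2018 -- 18:54:14 - <Info> -- 2 rule files processed. 5 rules successfully loaded, 3 rules failed
'''

SUMMARY_RE = re.compile(
    r"(\d+) rule files? processed\. (\d+) rules successfully loaded, (\d+) rules failed")
ERRCODE_RE = re.compile(r"\[ERRCODE: (\w+)\(\d+\)\] - (.*)$")
PARSE_RE = re.compile(r'error parsing signature "(.*)" from file (\S+) at line (\d+)')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def parse_load_summary(log_text):
    """Totals from the last rule-load summary line (None if Suricata never got that far)."""
    last = None
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            last = m
    if last is None:
        return None
    files, loaded, failed = (int(g) for g in last.groups())
    total = loaded + failed
    return {"files": files, "loaded": loaded, "failed": failed,
            "failed_fraction": failed / total if total else 0.0}


def failed_signatures(log_text):
    """List the rules Suricata skipped, with the cause it logged.

    Suricata reports the specific cause first (unknown keyword, unknown
    reference key, ...) and then a generic SC_ERR_INVALID_SIGNATURE line that
    names the rule, file and line number; this pairs the two.
    """
    skipped, cause = [], None
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if not m:
            continue
        code, message = m.group(1), m.group(2).strip()
        if code != "SC_ERR_INVALID_SIGNATURE":
            cause = (code, message)
            continue
        p = PARSE_RE.search(message)
        if not p:
            continue
        signature, path, lineno = p.groups()
        sid = SID_RE.search(signature)
        skipped.append({"sid": int(sid.group(1)) if sid else None,
                        "file": path, "line": int(lineno),
                        "cause": cause[0] if cause else "UNKNOWN",
                        "detail": cause[1] if cause else ""})
        cause = None
    return skipped


def failures_by_cause(log_text):
    """Count skipped rules per Suricata error code, e.g. to spot a wrong snapshot."""
    return Counter(entry["cause"] for entry in failed_signatures(log_text))


def assess_rule_load(log_text, max_failed_fraction=0.25):
    """(ok, message): ok is False when the failed share exceeds the threshold.

    The 25% default is an illustrative assumption; a Snort3 snapshot fed to
    Suricata, as in the thread above, fails at a far higher rate than a
    matching Snort2 snapshot, so a threshold like this separates the two cases.
    """
    summary = parse_load_summary(log_text)
    if summary is None:
        return False, "no rule-load summary found; did Suricata finish starting?"
    total = summary["loaded"] + summary["failed"]
    if summary["failed_fraction"] > max_failed_fraction:
        return False, "%d of %d rules failed to load (%.0f%%); check the snapshot version and keywords" % (
            summary["failed"], total, 100 * summary["failed_fraction"])
    return True, "%d rules loaded, %d failed" % (summary["loaded"], summary["failed"])


if __name__ == "__main__":
    # Pass the path of the interface's suricata.log, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(assess_rule_load(text)[1])
    for cause, n in failures_by_cause(text).most_common():
        print("%6d  %s" % (n, cause))
    for entry in failed_signatures(text):
        print("sid %s  %s:%d  %s" % (entry["sid"], entry["file"], entry["line"], entry["detail"]))
```

The per-cause counter is the quick diagnostic: a pile of SC_ERR_RULE_KEYWORD_UNKNOWN entries points at rules written for a newer Snort than Suricata understands (the Snort3 case above), while SC_ERR_REFERENCE_UNKNOWN entries point at reference keys such as md5 missing from the reference config, which is the ET case the post describes.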