Netgate Discussion Forum

    Snort Subscriber Rules - in Suricata

      Waqar.UK (last edited by Waqar.UK)

      I have installed Suricata.

      I am using this
      https://rules.emergingthreats.net/open/suricata-6.0.0/emerging.rules.tar.gz
      which is in "ETOpen Custom Rule Download URL"

      In this section "Snort Rules Filename"
      I have an Oink code to place in "Snort Oinkmaster Code", but it is asking for
      a "Snort Rules Filename".
      Where do I get a "Snort Rules Filename"?

      Updates:

      INSTALLED RULE SET MD5 SIGNATURES
      Rule Set Name/Publisher        MD5 Signature Hash                 MD5 Signature Date
      Emerging Threats Open Rules    05a2ac60dc761268b961163f2c8bacaa   Saturday, 27-Mar-21 18:46:59 GMT
      Snort Subscriber Rules         Not Enabled                        Not Enabled
      Snort GPLv2 Community Rules    5b99793a4f54165afb43fc43767ee637   Saturday, 27-Mar-21 18:46:59 GMT

      were failing until a few minutes ago.

      How do I get a:

      "Snort Subscriber Rules Not Enabled Not Enabled" highlighted in red,
      which is shown in attachment 3?

      Is this normal: "SURICATA UDPv4 invalid checksum"?
      Attachments: 3.png, 2.png, 1.png

        bmeeks (last edited by bmeeks)

        Right here at the top of this forum is the following Sticky Post: https://forum.netgate.com/topic/110325/using-snort-vrt-rules-with-suricata-and-keeping-them-updated. The Sticky Posts are the ones with the red pushpin icon beside them, and they are marked as "Sticky Posts" so they stay at the top of the list of messages. They convey important information about using the features in the IDS/IPS packages.

          Waqar.UK, replying to @bmeeks (last edited by Waqar.UK)

          @bmeeks

          From your posting: https://forum.netgate.com/topic/110325/using-snort-vrt-rules-with-suricata-and-keeping-them-updated

          " Snort VRT rules are versioned and tied to a specific Snort binary version."

          From the package manager within pfSense:
          snort 4.1.3_2 Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection.

          Package Dependencies:
          snort-2.9.17

          So I can use

          Package Dependencies snort-2.9.17
          and version snort 4.1.3_2
          on Suricata?

          I have used: snortrules-snapshot-29160.tar.gz
          In the "Snort rules filename"
          and inputted my "Snort Oinkmaster filename"

          So far so good!!

          Thanks a lot!!

          I forgot to add, when Snort changes from: "snortrules-snapshot-29160.tar.gz"
          Then what do I use??

          Attachments: 1B.png, 1A.png

            bmeeks (last edited by bmeeks)

            You will have to monitor the Snort.org site yourself and see when the 2.9.x rules update to a new version. Right now the most current version that works with Suricata is 2.9.17.

            Just FYI. Do NOT use the Snort3 rules with Suricata. It will totally break the Suricata package!!!

              Waqar.UK, replying to @bmeeks

              @bmeeks said in Snort Subscriber Rules - in Suricata:

              You will have to monitor the Snort.org site yourself and see when the 2.9.x rules update to a new version. Right now the most current version that works with Suricata is 2.9.17.

              Just FYI. Do NOT use the Snort3 rules with Suricata. It will totally break the Suricata package!!!

              Thanks,

              I worked out the correct 2.9.x rules from your reply and from looking at the package manager's Snort dependencies. Where does it mention on the Snort site which rules are available?

                bmeeks, replying to @Waqar.UK (last edited by bmeeks)

                @waqar-uk said in Snort Subscriber Rules - in Suricata:

                @bmeeks said in Snort Subscriber Rules - in Suricata:

                You will have to monitor the Snort.org site yourself and see when the 2.9.x rules update to a new version. Right now the most current version that works with Suricata is 2.9.17.

                Just FYI. Do NOT use the Snort3 rules with Suricata. It will totally break the Suricata package!!!

                Thanks,

                I worked out the correct 2.9.x rules from your reply and from looking at the package manager's Snort dependencies. Where does it mention on the Snort site which rules are available?

                The package manager dependencies for Snort are not material at all to Suricata. Ignore those. Suricata can ingest any version of Snort rules (other than 3.0, which will kill it).

                The Snort rules are listed under a link right on the Snort.org web site. The same place you obtained your Oinkcode from -- https://www.snort.org. There is a bright red button in the upper left corner labeled "Download Rules". Go there and you can see the versions available.

                  Waqar.UK, replying to @bmeeks (last edited by Waqar.UK)
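An added example, not code from the thread or from the pfSense Suricata package: a small Python check that parses the "Snort Rules Filename" format quoted above (snortrules-snapshot-29160.tar.gz), accepts only Snort 2.9.x snapshots because the reply above says Snort 3 rules break Suricata, and computes the same MD5 that the GUI's "Installed Rule Set MD5 Signatures" table reports for a downloaded tarball. The way the digit run is split into major.minor.patch.build and the Snort 3 sample name are assumptions.

```python
import hashlib
import re

# Snapshot filenames quoted on the page look like "snortrules-snapshot-29160.tar.gz"
# for Snort 2.9.16.0: one digit major, one digit minor, then the patch digits and
# a final build digit with no separators. That split is an assumption made here.
SNAPSHOT_RE = re.compile(r"^snortrules-snapshot-(\d{4,6})\.tar\.gz$")


def parse_snapshot_version(filename):
    """Return the dotted Snort version ("2.9.16.0") encoded in a snapshot
    filename, or None if the name is not a Snort rules snapshot at all."""
    m = SNAPSHOT_RE.match(filename.strip())
    if not m:
        return None
    digits = m.group(1)
    major, minor, patch, build = digits[0], digits[1], digits[2:-1], digits[-1]
    return f"{int(major)}.{int(minor)}.{int(patch)}.{int(build)}"


def suricata_compatible(filename):
    """True only for Snort 2.9.x snapshots: the thread's advice is that Suricata
    can ingest Snort 2.x rules but Snort 3 rules break the package, so a
    different major/minor version is rejected before it is ever installed."""
    version = parse_snapshot_version(filename)
    return version is not None and version.startswith("2.9.")


def md5_of_bytes(data):
    """MD5 hex digest in the format the GUI shows as 'MD5 Signature Hash'."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a downloaded rules tarball through MD5 so a large archive is not
    read into memory at once; compare the result with the GUI's signature table."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed sample names: the first two are the 2.9.x names discussed in the
    # thread, the Snort 3 name is made up here to exercise the rejection path.
    for name in ("snortrules-snapshot-29160.tar.gz", "snortrules-snapshot-29170.tar.gz",
                 "snortrules-snapshot-3000.tar.gz", "community-rules.tar.gz"):
        print(f"{name}: version={parse_snapshot_version(name)} ok={suricata_compatible(name)}")
```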

                  @bmeeks

                  Re:

                  There is a bright red button in the upper left corner labeled "Download Rules". Go there and you can see the versions available.
                  which takes me to:

                  https://www.snort.org/downloads/#rule-downloads

                  Snort v2.9
                  community-rules.tar.gz
                  https://www.snort.org/downloads/community/community-rules.tar.gz
                  Is downloaded, no snapshot such as "snortrules-snapshot-29160.tar.gz"

                  But it does not mention:
                  "Snort Rules Filename" such as currently: "snortrules-snapshot-29160.tar.gz"

                  Are these the rules, once I sign in as a registered user, as seen in the attachment 1.png (circled in red)?

                    bmeeks (last edited by bmeeks)

                    What is your skill level with cyber security? You have drawn a red circle around the filenames in the image you posted. Compare what you have circled in the screen capture you posted with the example filenames shown in the Sticky Post I linked in my earlier reply, and also compare it to the example given in the Help text on the Suricata GUI page. The correct answer should be immediately apparent.

                      Waqar.UK, replying to @bmeeks

                      @bmeeks

                      Good evening.
                      My knowledge of cyber security is pretty small. I just want to learn from this forum.
                      Yes, it is apparent what is the correct answer.
                      Thanks a lot.
