Netgate Discussion Forum

    Snort rules order

    IDS/IPS
    34 Posts 2 Posters 2.5k Views
    • A
      Antibiotic
      last edited by

      Can someone explain the rules order:

      Snort v2.9
      snortrules-snapshot-29181.tar.gz
      snortrules-snapshot-29161.tar.gz
      snortrules-snapshot-29130.tar.gz
      snortrules-snapshot-29200.tar.gz
      snortrules-snapshot-29190.tar.gz
      snortrules-snapshot-29151.tar.gz
      snortrules-snapshot-29171.tar.gz
      snortrules-snapshot-29141.tar.gz
      snortrules-snapshot-29170.tar.gz
      snortrules-snapshot-29160.tar.gz
      snortrules-snapshot-29111.tar.gz

      The last one is 29200 as I understood, but why is 29181 first in the download order, or is it the snapshot with the fewest false errors?

      pfSense plus 24.11 on Topton mini PC
      CPU: Intel N100
      NIC: Intel i-226v 4 pcs
      RAM : 16 GB DDR5
      Disk: 128 GB NVMe
      Brgds, Archi

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        Snort requires that its rules be version-locked to the Snort binary. The current Snort binary on pfSense is 2.9.20, thus the only Snort rules package that will work is snortrules-snapshot-29200.tar.gz.

        Those other rules packages are for much older versions of the Snort binary that may be in use. For example, for the 2.9.17, or 2.9.18, or 2.9.19 older binary versions. But you can't use those older versions on pfSense because the Snort binary there is the latest version (2.9.20).

        A 2 Replies Last reply Reply Quote 0
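        The version lock bmeeks describes can be checked mechanically: the five digits in a snapshot name encode the Snort 2.9 binary version they were built for (29181 is 2.9.18.1, 29200 is 2.9.20.0). The following is an added example, not code from the thread or from the pfSense package; it takes the run-together listing from the opening post as constructed input, decodes each name, and picks the tarball that matches a given binary version. The digit layout (major, minor, two-digit patch, one-digit sub-release) is an assumption that holds for every name on the page.

```python
import re

# Constructed input: the snapshot listing exactly as it appeared in the opening
# post, run together without separators.
SNAPSHOT_LISTING = (
    "snortrules-snapshot-29181.tar.gzsnortrules-snapshot-29161.tar.gz"
    "snortrules-snapshot-29130.tar.gzsnortrules-snapshot-29200.tar.gz"
    "snortrules-snapshot-29190.tar.gzsnortrules-snapshot-29151.tar.gz"
    "snortrules-snapshot-29171.tar.gzsnortrules-snapshot-29141.tar.gz"
    "snortrules-snapshot-29170.tar.gzsnortrules-snapshot-29160.tar.gz"
    "snortrules-snapshot-29111.tar.gz"
)

SNAPSHOT_RE = re.compile(r"snortrules-snapshot-(\d{5})\.tar\.gz")


def list_snapshots(text):
    """Pull every five-digit snapshot code out of a listing (separators or not)."""
    return SNAPSHOT_RE.findall(text)


def decode_snapshot(code):
    """Decode '29181' -> (2, 9, 18, 1).

    Assumed layout: major, minor, two-digit patch, one-digit sub-release.
    """
    if not re.fullmatch(r"\d{5}", code):
        raise ValueError(f"unexpected snapshot code: {code!r}")
    return (int(code[0]), int(code[1]), int(code[2:4]), int(code[4]))


def format_version(parts):
    """(2, 9, 18, 1) -> '2.9.18.1'."""
    return ".".join(str(p) for p in parts)


def binary_version(version_string):
    """'2.9.20' or '2.9.20.0' -> (2, 9, 20); only major.minor.patch matter for the lock."""
    parts = tuple(int(p) for p in version_string.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"need at least major.minor.patch, got {version_string!r}")
    return parts[:3]


def compatible_snapshot(binary, text):
    """Newest snapshot whose major.minor.patch equal the running binary's, or None.

    Several sub-releases may exist for one patch level (29170 and 29171 above);
    the highest sub-release wins.
    """
    want = binary_version(binary)
    candidates = [c for c in list_snapshots(text) if decode_snapshot(c)[:3] == want]
    if not candidates:
        return None
    best = max(candidates, key=decode_snapshot)
    return f"snortrules-snapshot-{best}.tar.gz"


def latest_snapshot(text):
    """The most recent snapshot in the listing, regardless of the binary."""
    codes = list_snapshots(text)
    if not codes:
        return None
    return f"snortrules-snapshot-{max(codes, key=decode_snapshot)}.tar.gz"


if __name__ == "__main__":
    for code in sorted(list_snapshots(SNAPSHOT_LISTING), key=decode_snapshot):
        print(f"{code} -> Snort {format_version(decode_snapshot(code))}")
    # The listing order on the download page is not version order; check the
    # binary explicitly instead of taking the first entry.
    print("binary 2.9.20 needs:", compatible_snapshot("2.9.20", SNAPSHOT_LISTING))
    print("binary 2.9.17 needs:", compatible_snapshot("2.9.17", SNAPSHOT_LISTING))
```

        Feed the output of `snort -V` (the version string) to `compatible_snapshot` rather than assuming the top entry of the listing is the right one; a mismatch between rules and binary is exactly the failure mode the thread starts from.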
        • A
          Antibiotic @bmeeks
          last edited by

          @bmeeks hello

          What is the right order to install and set up Suricata, WireGuard and pfBlockerNG? I mean 1st, 2nd, 3rd, or doesn't it matter?


          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @Antibiotic
            last edited by bmeeks

            @Antibiotic said in Snort rules order:

            @bmeeks hello

            What is the right order to install and set up Suricata, WireGuard and pfBlockerNG? I mean 1st, 2nd, 3rd, or doesn't it matter?

            pfBlocker has nothing to do with the IDS/IPS packages. Not sure why you are bringing that up.

            For Suricata, I would use the 2.9.20 Snort rules packages. Just be aware that Suricata does not honor all the same rules syntax as Snort, so many of the Snort rules will not load into Suricata. Suricata will log a syntax error for those rules and not load them. Suricata is heavily sponsored by the Emerging Threats/Proofpoint team, so the ET rules are fully Suricata compatible (there is a specific version of them for Suricata, and the pfSense package automatically downloads that version when you select ET rules).

            A 1 Reply Last reply Reply Quote 0
            • A
              Antibiotic @bmeeks
              last edited by Antibiotic

              @bmeeks So, do you mean to download snapshot 29200 for Suricata?


              bmeeksB 1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks @Antibiotic
                last edited by bmeeks

                @Antibiotic said in Snort rules order:

                @bmeeks So, do you mean to download snapshot 29200 for Suricata?

                Yes. Suricata is not version-locked with the Snort rules (since it is Suricata and not Snort 🙂). But you may as well run the most recent Snort rules versions.

                A 2 Replies Last reply Reply Quote 0
                • A
                  Antibiotic @bmeeks
                  last edited by

                  @bmeeks Ok, thanks


                  1 Reply Last reply Reply Quote 0
                  • A
                    Antibiotic @bmeeks
                    last edited by Antibiotic

                    @bmeeks Hello, how to resolve these errors (using Snort rules on Suricata)? This is an example; I have a lot like this

                    [100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]?\sURI\s=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
                    [100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches

                    and this

                    [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
                    [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                    [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                    [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs

                    Here are thousands of rules; how to even find them by number?
                    As I know, special software exists to resolve these typical errors, but how, and it could be not free of charge.

                    At the end I have also

                    [100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
                    [100508 - Suricata-Main] 2024-04-29 00:59:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
                    [100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 15356 signatures processed. 14 are IP-only rules, 1025 are inspecting packet payload, 7986 inspect application layer, 0 are decoder event only


                    bmeeksB 1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks @Antibiotic
                      last edited by bmeeks

                      @Antibiotic said in Snort rules order:

                      @bmeeks Hello, how to resolve these errors (using Snort rules on Suricata)? This is an example; I have a lot like this

                      [100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]?\sURI\s=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
                      [100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches

                      and this

                      [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
                      [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                      [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                      [100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs

                      Here are thousands of rules; how to even find them by number?
                      As I know, special software exists to resolve these typical errors, but how, and it could be not free of charge.

                      At the end I have also

                      [100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
                      [100508 - Suricata-Main] 2024-04-29 00:59:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
                      [100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 15356 signatures processed. 14 are IP-only rules, 1025 are inspecting packet payload, 7986 inspect application layer, 0 are decoder event only

                      Did you not read this line I posted in an earlier reply?

                      Just be aware that Suricata does not honor all the same rules syntax as Snort, so many of the Snort rules will not load into Suricata. Suricata will log a syntax error for those rules and not load them.

                      For reference, here is a link to that earlier reply: https://forum.netgate.com/topic/187763/snort-rules-order/4?_=1714347945655.

                      Suricata does not recognize the same rules syntax as Snort. It does some things differently, and as a result certain Snort rules will not load in Suricata. Attempting to run the Snort rules tarball on Suricata will result in errors like this for many of the Snort rules (not all, but many of them).

                      The flowbit errors are normal and are just warnings. They can be a combination of mistakes the rule authors have made and failure to enable particular rules that set those flowbits.

                      A 1 Reply Last reply Reply Quote 0
                      • A
                        Antibiotic @bmeeks
                        last edited by

                        @bmeeks Ah ok, but is it possible to resolve?


                        bmeeksB 1 Reply Last reply Reply Quote 0
                        • bmeeksB
                          bmeeks @Antibiotic
                          last edited by bmeeks

                          @Antibiotic said in Snort rules order:

                          @bmeeks Ah ok, but is it possible to resolve?

                          Certainly you can resolve it. All you need to do is clone the Suricata binary GitHub repo here, and then rewrite the C and Rust source code so that Suricata can fully understand all of the Snort rules syntax. Once you finish editing the Suricata binary code, you will need to recompile the package so that it loads on pfSense. For that you will need a Poudriere package builder based on the current pfSense kernel.

                          Sorry if this sounds a bit harsh, but your level of understanding here seems to be lacking. Suricata is NOT Snort. Therefore it CANNOT and DOES NOT use the exact same rules syntax. You cannot resolve this problem. It's just the way the two DIFFERENT products behave.

                          If you do not want to see the Snort rule errors, then do not attempt to run Snort rules on Suricata. Run only Emerging Threats rules there.

                          A 1 Reply Last reply Reply Quote 1
                          • A
                            Antibiotic @bmeeks
                            last edited by

                            @bmeeks Ok, then is it possible to keep these rules off? How to find them?


                            bmeeksB 1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks @Antibiotic
                              last edited by

                              @Antibiotic said in Snort rules order:

                              @bmeeks Ok, then is it possible to keep these rules off? How to find them?

                              If you want to use the Snort rules package, then just ignore the errors. Suricata is not loading the rules. Other than the log message, there is no harm and no foul in terms of operability.

                              You can disable rules by GID:SID, but personally I would not go to that amount of trouble. Just ignore the log errors.

                              A 2 Replies Last reply Reply Quote 0
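                              The two kinds of message bmeeks explains above (a Snort rule Suricata refuses to parse, and a flowbit that is checked but never set) both carry the handle needed to locate the rule: the parse error quotes the full rule text, including its sid, plus the rules file and line number, and the flowbit warning names the first checking sid. The following is an added example, not code from bmeeks, the pfSense package or the Suricata project; it runs over the log lines quoted earlier in the thread (embedded as a constructed sample) and turns them into a GID:SID list of the kind used to disable rules, and a table of unset flowbits. The default generator id of 1 for rules that omit a `gid` option and the `gid:sid` output format are assumptions for illustration.

```python
import re

# Constructed sample: the Suricata startup lines quoted in this thread, with the
# offending rule text exactly as Suricata echoed it back.
SAMPLE_LOG = r'''[100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]?\sURI\s=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
[100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
'''

# The rule text is quoted verbatim and itself contains double quotes, so match
# greedily up to the trailing '" from file'.
PARSE_ERR = re.compile(
    r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)'
)
OPT_SID = re.compile(r"\bsid:\s*(\d+)\s*;")
OPT_GID = re.compile(r"\bgid:\s*(\d+)\s*;")
OPT_MSG = re.compile(r'msg:"([^"]*)"')
FLOWBIT_UNSET = re.compile(
    r"flowbit '(?P<name>[^']+)' is checked but not set\. "
    r"Checked in (?P<sid>\d+)(?: and (?P<others>\d+) other sigs?)?"
)
LOAD_SUMMARY = re.compile(r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed")


def failed_rules(log_text):
    """One record per rule Suricata refused: gid, sid, msg, rules file and line."""
    failures = []
    for line in log_text.splitlines():
        m = PARSE_ERR.search(line)
        if not m:
            continue
        rule = m.group("rule")
        sid = OPT_SID.search(rule)
        if sid is None:
            continue  # no sid in the echoed text: nothing we can attribute
        gid = OPT_GID.search(rule)
        msg = OPT_MSG.search(rule)
        failures.append({
            "gid": int(gid.group(1)) if gid else 1,  # assumed default generator id
            "sid": int(sid.group(1)),
            "msg": msg.group(1) if msg else "",
            "file": m.group("file"),
            "line": int(m.group("line")),
        })
    return failures


def unset_flowbits(log_text):
    """flowbit name -> (first sid that checks it, number of other sigs checking it)."""
    bits = {}
    for line in log_text.splitlines():
        m = FLOWBIT_UNSET.search(line)
        if m:
            bits[m.group("name")] = (int(m.group("sid")), int(m.group("others") or 0))
    return bits


def load_summary(log_text):
    """(rules loaded, rules failed) from the final detect summary, or None."""
    m = LOAD_SUMMARY.search(log_text)
    return (int(m.group("loaded")), int(m.group("failed"))) if m else None


def disable_list(log_text):
    """Sorted GID:SID entries for the rules Suricata could not load."""
    return sorted({f"{f['gid']}:{f['sid']}" for f in failed_rules(log_text)})


if __name__ == "__main__":
    for f in failed_rules(SAMPLE_LOG):
        print(f"{f['gid']}:{f['sid']}  {f['file']}:{f['line']}  {f['msg']}")
    for name, (sid, others) in unset_flowbits(SAMPLE_LOG).items():
        print(f"unset flowbit {name!r}: checked by sid {sid} and {others} other(s)")
    print("loaded/failed:", load_summary(SAMPLE_LOG))
    print("disable list:", disable_list(SAMPLE_LOG))
```

                              Run it over the full suricata.log rather than the excerpt and the count of `disable_list` entries should approach the "rules failed" figure from `load_summary`; any gap is rules whose echoed text carried no sid. As bmeeks says, disabling them changes nothing operationally, since Suricata never loaded them; the list is only useful for quieting the log or for tracking which Snort detections you are not actually getting.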
                              • A
                                Antibiotic @bmeeks
                                last edited by

                                @bmeeks Ok, thanks )))


                                1 Reply Last reply Reply Quote 0
                                • A
                                  Antibiotic @bmeeks
                                  last edited by

                                  @bmeeks I will try to use Snort rules on Snort, when one day maybe Snort becomes multithreaded on pfSense )))


                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    Antibiotic @bmeeks
                                    last edited by Antibiotic

                                    @bmeeks Hi,
                                    How often is the Snort snapshot updated? I mean the period of time between releases, or is it pushed to the public snapshot when ready? The last one is 29200; when should the next release be?


                                    bmeeksB 1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks @Antibiotic
                                      last edited by bmeeks

                                      @Antibiotic said in Snort rules order:

                                      @bmeeks Hi,
                                      How often is the Snort snapshot updated? I mean the period of time between releases, or is it pushed to the public snapshot when ready? The last one is 29200; when should the next release be?

                                      The Snort 2.9.x binary is effectively at end-of-life. It has been superseded for the most part by Snort3. But there is no effort at present to create a Snort3 package for pfSense. I tried at least two different times to create a Snort3 package and gave up very frustrated each time.

                                      Snort3 is the multithreaded variant of Snort. But it was completely rewritten from the ground up in C++, has a new and different plugin API, and uses Lua for conf files instead of plaintext like previous Snort versions. For these and several other reasons, I abandoned creating a Snort3 package for pfSense. So far as I know, no one else is working on such a package either. That means when the upstream Snort team officially pulls support for the legacy 2.9.x Snort branch, Snort will be effectively dead on pfSense.

                                      Suricata is the way forward on pfSense -- not Snort.

                                      To answer your question about Snort 2.9.x, the last update was over two years ago and that was the release of the 2.9.20 binary. Nothing has happened in that branch since then. Only the rules themselves are getting updated, but I suspect at some point in the future even that will cease. That means I doubt there will ever be an update past the 29200 rules version.

                                      You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.

                                      A 1 Reply Last reply Reply Quote 1
                                      • A
                                        Antibiotic @bmeeks
                                        last edited by Antibiotic

                                        @bmeeks So, please confirm that. Can I use the Snort3 rules snapshot on pfSense Suricata? Or can it not be used at all on pfSense (both Snort and Suricata)?


                                        bmeeksB 1 Reply Last reply Reply Quote 0
                                        • bmeeksB
                                          bmeeks @Antibiotic
                                          last edited by bmeeks

                                          @Antibiotic said in Snort rules order:

                                          @bmeeks So, please confirm that. Can I use the Snort3 rules snapshot on pfSense Suricata? Or can it not be used at all on pfSense (both Snort and Suricata)?

                                          Did you not read what I just posted above? I've copied and pasted it again immediately below:

                                          @bmeeks said in Snort rules order:

                                          You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.

                                          I tried to be as clear as possible. You CANNOT use Snort3 rules for anything on pfSense.

                                          A 1 Reply Last reply Reply Quote 0
                                          • A
                                            Antibiotic @bmeeks
                                            last edited by Antibiotic

                                            @bmeeks OK, now it is clear, but if I have Snort subscriber rules, not registered, will IPS Policy Mode in Suricata for Snort rules work in auto drop? Connectivity, balanced and security?


                                            bmeeksB 2 Replies Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.