Snort rules order

Antibiotic · Apr 26, 2024, 6:50 PM

Can some1 explain ruled order:

Snort v2.9snortrules-snapshot-29181.tar.gzsnortrules-snapshot-29161.tar.gzsnortrules-snapshot-29130.tar.gzsnortrules-snapshot-29200.tar.gzsnortrules-snapshot-29190.tar.gzsnortrules-snapshot-29151.tar.gzsnortrules-snapshot-29171.tar.gzsnortrules-snapshot-29141.tar.gzsnortrules-snapshot-29170.tar.gzsnortrules-snapshot-29160.tar.gzsnortrules-snapshot-29111.tar.gz

Last one 29200 as undrestood but why in order 29181 first to download or its the most less false error shapshot?

bmeeks · Apr 28, 2024, 1:47 AM

Snort requires that its rules be version-locked to the Snort binary. The current Snort binary on pfSense is 2.9.20, thus the only Snort rules package what will work is snortrules-snapshot-29200.tar.gz.

Those other rules packages are for much older version of the Snort binary that may be in use. For example, for the 2.9.17, or 2.9.18, or 2.9.19 older binary versions. But you can't use those older versions on pfSense because the Snort binary there is the latest version (2.9.20).

Antibiotic · Apr 28, 2024, 1:47 AM

@bmeeks hello

What right order to install and set up suricata wiregurd and pfblockerng I mean 1st 2nd 3rd or doesnt matter?

bmeeks · Apr 28, 2024, 1:50 AM

@Antibiotic said in Snort rules order:

@bmeeks hello

What right order to install and set up suricata wiregurd and pfblockerng I mean 1st 2nd 3rd or doesnt matter?

pfBlocker has nothing to do with the IDS/IPS packages. Not sure why you are bringing that up.

For Suricata, I would use the 2.9.20 Snort rules packages. Just be aware that Suricata does not honor all the same rules syntax as Snort, so many of the Snort rules will not load into Suricata. Suricata will log a syntax error for those rules and not load them. Suricata is heavily sponsored by the Emerging Threats/Proofpoint team, so the ET rules are fully Suricata compatible (there is specific version of them for Suricata, and the pfSense package automatically downloads that version when you select ET rules).

Antibiotic · Apr 28, 2024, 1:54 AM

@bmeeks So. do you mean to download snapshot 29200 for Suricata?

bmeeks · Apr 28, 2024, 1:55 AM

@Antibiotic said in Snort rules order:

@bmeeks So. do you mean to download snapshot 29200 for Suricata?

Yes. Suricata is not version-locked with the Snort rules (since it is Suricata and not Snort ). But you may as well run the most recent Snort rules versions.

Antibiotic · Apr 28, 2024, 1:56 AM

@bmeeks Ok, thanks

Antibiotic · Apr 28, 2024, 10:25 PM

@bmeeks Hello, how to resolve this errors (using snort rules on suricata) , its example have a lot like this

[100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]?\sURI\s=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
[100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches

and this

[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs

Here a thousands of rules, how to even found by number?
as i know exist special soft to resolve this typical errors but how and could be not free of charge

At the end have also

[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 15356 signatures processed. 14 are IP-only rules, 1025 are inspecting packet payload, 7986 inspect application layer, 0 are decoder event only

bmeeks · Apr 28, 2024, 11:51 PM

@Antibiotic said in Snort rules order:

@bmeeks Hello, how to resolve this errors (using snort rules on suricata) , its example have a lot like this

[100508 - Suricata-Main] 2024-04-29 00:59:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]?\sURI\s=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_40578_igc2/rules/suricata.rules at line 14962
[100508 - Suricata-Main] 2024-04-29 00:59:31 Error: detect: previous sticky buffer has no matches

and this

[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
[100508 - Suricata-Main] 2024-04-29 00:59:34 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs

Here a thousands of rules, how to even found by number?
as i know exist special soft to resolve this typical errors but how and could be not free of charge

At the end have also

[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 2 rule files processed. 15356 rules successfully loaded, 34 rules failed, 0
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[100508 - Suricata-Main] 2024-04-29 00:59:34 Info: detect: 15356 signatures processed. 14 are IP-only rules, 1025 are inspecting packet payload, 7986 inspect application layer, 0 are decoder event only

Did you not read this line I posted in an earlier reply?

Just be aware that Suricata does not honor all the same rules syntax as Snort, so many of the Snort rules will not load into Suricata. Suricata will log a syntax error for those rules and not load them.

For reference, here is a link to that earlier reply: https://forum.netgate.com/topic/187763/snort-rules-order/4?_=1714347945655.

Suricata does not recognize the same rules syntax as Snort. It does some things differently, and as a result certain Snort rules will not load in Suricata. Attempting to run the Snort rules tarball on Suricata will result in errors like this for many of the Snort rules (not all, but many of them).

The flowbit errors are normal and are just warnings. They can be a combination of mistakes the rule authors have made and failure to enable particular rules that set those flowbits.

Antibiotic · Apr 28, 2024, 11:51 PM

@bmeeks Ah ok, but its possible to resolve?

bmeeks · Apr 28, 2024, 11:56 PM

@Antibiotic said in Snort rules order:

@bmeeks Ah ok, but its possible to resolve?

Certainly you can resolve it. All you need to do is clone the Suricata binary GitHub repo here, and then rewrite the C and Rust source code so that Suricata can fully understand all of the Snort rules syntax. Once you finish editing the Suricata binary code, you will need to recompile the package so that it loads on pfSense. For that you will need a Poudriere package builder based on the current pfSense kernel.

Sorry if this sounds a bit harsh, but your level of understanding here seems to be lacking. Suricata is NOT Snort. Therefore it CANNOT and DOES NOT use the exact same rules syntax. You cannot resolve this problem. It's just the way the two DIFFERENT products behave.

If you do not want to see the Snort rule errors, then do not attempt to run Snort rules on Suricata. Run only Emerging Threats rules there.

Antibiotic · Apr 29, 2024, 12:04 AM

@bmeeks Ok, than possible to keep this rules off?How to found them?

bmeeks · Apr 29, 2024, 12:07 AM

@Antibiotic said in Snort rules order:

@bmeeks Ok, than possible to keep this rules off?How to found them?

If you want to use the Snort rules package, then just ignore the errors. Suricata is not loading the rules. Other than the log message, there is no harm and no foul in terms of operability.

You can disable rules by GID:SID, but personally I would not go to that amount of trouble. Just ignore the log errors.

Antibiotic · Apr 29, 2024, 12:08 AM

@bmeeks Ok,thanks)))

Antibiotic · Apr 29, 2024, 12:10 AM

@bmeeks I wiil try to use snort rules on snort , when in an one day may be snort become to multithreading on pfSense)))

Antibiotic · Apr 29, 2024, 7:16 PM

@bmeeks Hi,
How often snort snapshot updating, I mean period of time between releases? or when ready than pushing to public snapshot. Last one 29200 when should be next release?

bmeeks · Apr 29, 2024, 7:23 PM

@Antibiotic said in Snort rules order:

@bmeeks Hi,
How often snort snapshot updating, I mean period of time between releases? or when ready than pushing to public snapshot. Last one 29200 when should be next release?

The Snort 2.9.x binary is effectively at end-of-life. It has been superseded for the most part by Snort3. But there is no effort at present to create a Snort3 package for pfSense. I tried at least two different times to create a Snort3 package and gave up very frustrated each time.

Snort3 is the multithreaded variant of Snort. But it was completely rewritten from the ground up in C++, has a new and different plugin API, and uses Lua for conf files instead of plaintext like previous Snort versions. For these and several other reasons, I abandoned creating a Snort3 package for pfSense. So far as I know, no one else is working on such a package either. That means when the upstream Snort team officially pulls support for the legacy 2.9.x Snort branch, Snort will be effectively dead on pfSense.

Suricata is the way forward on pfSense -- not Snort.

To answer your question about Snort 2.9.x, the last update was over two years ago and that was the release of the 2.9.20 binary. Nothing has happened in that branch since then. Only the rules themselves are getting updated, but I suspect at some point in the future even that will cease. That means I doubt there will ever be an update past the 29200 rules version.

You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.

Antibiotic · Apr 29, 2024, 7:39 PM

@bmeeks So, please confirm that. Can me use snort3 rules snapshot on pfsense Suricata?or can not use at all on pfsesnse ( both snort and suricata)?

bmeeks · Apr 29, 2024, 7:57 PM

@Antibiotic said in Snort rules order:

@bmeeks So, please confirm that. Can me use snort3 rules snapshot on pfsense Suricata?or can not use at all on pfsesnse ( both snort and suricata)?

Did you not read what I just posted above? I've copied and pasted it again immediately below--

@bmeeks said in Snort rules order:

You CANNOT use Snort3 rules with the current Snort 2.9.x package on pfSense nor can you use them on Suricata. Attempting to download and install Snort3 rules on pfSense will totally break the IDS/IPS installation.

I tried to be as clear as possible. You CANNOT use Snort3 rules for anything on pfSense.

Antibiotic · Apr 29, 2024, 8:02 PM

@bmeeks OK. now clear but if have snort subscribe rules not registered. IPS Policy Mode in suricata for snort rules will work in auto drop? Connectivity , balanced and security?