[Oisf-users] Converting rules from Snort to Suricata and ??
    David Decker
    x.faith at gmail.com
    Tue Jul  7 23:16:04 UTC 2020

I am taking a bunch of rules built by the organization (not me) and trying
to convert them over to Suricata.

One issue is a lot of rules are saying unknown rule keyword
'stream_reassemble', and I know that Snort has that keyword, but it does not
look like Suricata does.

Second is offset: for Snort the numbers can be -65535 to 65535. For
Suricata it says 18446744073709551604 > 65535. This had a -12 offset.

http_method pattern with trailing space is another.

http_method or http_uri Keyword seen with a sticky buffer still set. Reset
sticky buffer with pkt_data before using the modifier.

Can't really post the full rules, but I might be able to provide a
little more data, or if someone can point to some better explanations on
what to look at in the rule as for the above errors.
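A pre-flight check for the four Suricata load errors quoted in this message, added here as an example (not code from the list or from the Suricata project). It assumes Snort 2 style rules, where file_data is the only sticky buffer (cleared by pkt_data) and http_method / http_uri appear only as content modifiers; the sample rules are constructed.

```python
STICKY_SETTERS = {"file_data"}           # Snort 2 sticky buffer, cleared by pkt_data (assumption)
MODIFIERS = {"http_method", "http_uri"}  # modifiers named in the Suricata errors above

def split_options(rule: str):
    """Split the text inside (...) into (keyword, value) pairs, honouring quotes."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("no option block in rule")
    opts, buf, quoted, escaped = [], "", False, False
    for ch in rule[start + 1:end]:
        if escaped:                      # char after a backslash is literal
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == '"':
            buf, quoted = buf + ch, not quoted
        elif ch == ";" and not quoted:   # option terminator only outside quotes
            opts.append(buf.strip()); buf = ""
        else:
            buf += ch
    if buf.strip():
        opts.append(buf.strip())
    return [tuple(s.strip() for s in o.partition(":")[::2]) for o in opts]

def lint_snort_rule(rule: str):
    """Return the problems Suricata would raise for this rule, per the errors quoted in the thread."""
    problems, sticky, last_content = [], None, None
    for key, val in split_options(rule):
        if key == "stream_reassemble":
            problems.append("unknown rule keyword 'stream_reassemble'")
        elif key == "offset" and val.lstrip("-").isdigit() and int(val) < 0:
            # Suricata parses offset as unsigned: -12 wraps to 2**64 - 12 = 18446744073709551604
            problems.append(f"negative offset {val} (Suricata parses it as unsigned)")
        elif key == "content":
            last_content = val.strip('"')
        elif key == "pkt_data":              # resets the sticky buffer
            sticky = None
        elif key in STICKY_SETTERS:
            sticky = key
        elif key in MODIFIERS:
            if sticky:
                problems.append(f"{key} used while sticky buffer {sticky} is still set; reset with pkt_data")
            if key == "http_method" and last_content is not None and last_content.endswith(" "):
                problems.append("http_method pattern with trailing space")
    return problems

if __name__ == "__main__":
    for p in lint_snort_rule('alert tcp any any -> any any (msg:"demo"; content:"GET "; http_method; offset:-12; sid:1;)'):
        print(p)
```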