[Oisf-devel] [Open Information Security Foundation] Contact

Jason Ish lists at unx.ca
Tue May 17 04:59:57 UTC 2016


On Mon, May 16, 2016 at 9:25 PM, Kelley Misata <kmisata at oisf.net> wrote:
> Hello Vladimir -
>
> I'm moving your question over to the developer community mailing list to
> answer.
>
> Kelley
>
> On Mon, May 16, 2016 at 9:39 AM, 'Vladimir' via info
> <info at openinfosecfoundation.org> wrote:
>>
>> Name: Vladimir
>>
>> Email: v.s.vorotnikov at gmail.com
>>
>> Comment: Hi!
>> I'm trying to use Suricata in my network, but I want to use a Snort set of
>> rules (signatures).
>> Is there any tool to convert Snort rules to Suricata format?
>> If there is no ready-to-use tool, is there documentation explaining
>> all the differences between Snort and Suricata format?
>> Thanks for your help!

Hi Vladimir,

Your mileage may vary when working with Snort rules.  I just tried
the latest default Talos set (minus the shared object rules of
course), and 44 of the 8336 rules enabled by default failed to load.
Then there are some known incompatibilities which are documented here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Compatibility_with_Snort

IMHO, to get the most out of Suricata you should use a ruleset written
for Suricata; likewise, Snort is likely to give you the best results
when using a ruleset written specifically for Snort (like Talos).

If not using Talos rules, and just migrating existing custom Snort
rules, then it shouldn't be too bad. You might need some minor
modifications, but it should be a one-time thing.

Jason


