[Oisf-devel] [Open Information Security Foundation] Contact

Peter Manev petermanev at gmail.com
Tue May 17 05:25:08 UTC 2016


On Tue, May 17, 2016 at 7:59 AM, Jason Ish <lists at unx.ca> wrote:
> On Mon, May 16, 2016 at 9:25 PM, Kelley Misata <kmisata at oisf.net> wrote:
>> Hello Vladimir -
>>
>> I'm moving your question over to the developer community mailing list to
>> answer.
>>
>> Kelley
>>
>> On Mon, May 16, 2016 at 9:39 AM, 'Vladimir' via info
>> <info at openinfosecfoundation.org> wrote:
>>>
>>> Name: Vladimir
>>>
>>> Email: v.s.vorotnikov at gmail.com
>>>
>>> Comment: Hi!
>>> I'm trying to use Suricata in my network, but I want to use a Snort set of
>>> rules (signatures).
>>> Is there any tool to convert Snort rules to Suricata format?
>>> If there is no ready-to-use tool, is there documentation explaining
>>> all the differences between the Snort and Suricata formats?
>>> Thanks for your help!
>
> Hi Vladimir,
>
> Your mileage may vary when working with Snort rules.  I just tried
> the latest default Talos set (minus the shared object rules of
> course), and 44 of the 8336 rules enabled by default failed to load.
> Then there are some known incompatibilities which are documented here:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Compatibility_with_Snort
>
> IMHO, to get the most out of Suricata you should use a ruleset written
> for Suricata, likewise, Snort is likely to give you the best results
> when using a ruleset written specifically for Snort (like Talos).
>


Second that.
If you would like to use a ruleset that makes the most of Suricata I
recommend ET Open or ET Pro. The free version for the latest Suricata
can be found here -
https://rules.emergingthreats.net/open/suricata-3.0/



> If not using Talos rules, and just migrating existing custom Snort
> rules then it shouldn't be too bad. You might need some minor
> modifications, but it should be a one time thing.
>
> Jason
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> Developer Training in Paris Sept 12-16: http://suricata-ids.org/training/



-- 
Regards,
Peter Manev
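A small tool for the migration Jason describes, added here as an example; it is not code from the thread or from the Suricata project. The real workflow it assumes is: load the Snort file in Suricata's test mode (`suricata -T -c suricata.yaml -S snort.rules`, both flags are real), note the sids of the rules the test run reports as failing to parse (how that is reported varies by version, so the sids are handed in as a plain set), then write a copy of the rule set with those rules commented out so the remainder loads, and keep a per-keyword inventory to check against the Compatibility_with_Snort wiki page. The script parses only the rule grammar the two engines share (header, options split on unquoted and unescaped `;`, backslash line continuation); it makes no claim about which keywords Suricata supports. The sample rules are constructed for the example.

```python
"""Inventory a Snort-format rule file and quarantine rules Suricata rejected.

Added example; not Suricata project code. Assumed workflow:
  1. suricata -T -c suricata.yaml -S snort.rules   (test-mode load, no traffic)
  2. collect the sids Suricata reports as failing to parse (version-specific
     message format, so they are passed in as a set here)
  3. quarantine() comments those rules out; keyword_inventory() lists the
     keywords in use so they can be checked against the compatibility wiki.
Nothing here decides what Suricata supports; only the shared grammar is parsed.
"""
import re
from collections import Counter

# Constructed sample rule set in Snort syntax (not real Talos or ET rules).
SAMPLE_RULES = r'''
# comment lines and blank lines must pass through untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE hex-escaped ; in content"; flow:to_server,established; content:"GET /a|3B|b"; fast_pattern:only; pcre:"/x\;y/"; sid:9000001; rev:1;)
alert tcp any any -> any 25 (msg:"EXAMPLE backslash-escaped \; in msg"; content:"mail"; classtype:misc-activity; sid:9000002; rev:2;)
alert udp any any -> any 53 (msg:"EXAMPLE dns"; content:"|01 00 00 01|"; offset:2; depth:4; sid:9000003; rev:1;)
'''

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def split_options(opts):
    """Split the option body on ';' that are neither inside quotes nor escaped."""
    out, cur, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:                      # char after a backslash is literal
            cur.append(ch)
            escaped = False
            continue
        if ch == '\\':
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:     # real option separator
            tok = ''.join(cur).strip()
            if tok:
                out.append(tok)
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        out.append(tail)
    return out


def parse_rule(line):
    """Parse one logical rule line into header fields and (keyword, value) pairs."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    options = []
    for opt in split_options(m.group('opts')):
        key, _, value = opt.partition(':')   # keywords like 'nocase' have no value
        options.append((key.strip(), value.strip()))
    sid = next((int(v) for k, v in options if k == 'sid' and v.isdigit()), None)
    return {'action': m.group('action'), 'proto': m.group('proto'),
            'sid': sid, 'options': options}


def iter_rules(text):
    """Yield (first_lineno, logical_line, parsed_or_None); joins '\\' continuations."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith('\\'):          # Snort-style line continuation
            buf.append(line[:-1])
            continue
        buf.append(line)
        logical, first = ''.join(buf), start
        buf, start = [], None
        stripped = logical.strip()
        parsed = parse_rule(stripped) if stripped and not stripped.startswith('#') else None
        yield first, logical, parsed


def keyword_inventory(text):
    """Count, per keyword, how many rules use it (one count per rule, not per use)."""
    counts = Counter()
    for _, _, parsed in iter_rules(text):
        if parsed:
            counts.update({k for k, _ in parsed['options']})
    return counts


def quarantine(text, failing_sids):
    """Return the file with every rule whose sid is in failing_sids commented out."""
    out = []
    for _, logical, parsed in iter_rules(text):
        if parsed and parsed['sid'] in failing_sids:
            out.append('# DISABLED (failed to load in suricata -T): ' + logical)
        else:
            out.append(logical)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for kw, n in sorted(keyword_inventory(SAMPLE_RULES).items()):
        print(f'{kw:14} used by {n} rule(s)')
    # Constructed: pretend the test-mode run rejected sid 9000001.
    print(quarantine(SAMPLE_RULES, {9000001}))
```

Run it against the real Snort file by replacing `SAMPLE_RULES` with the file contents and the constructed `{9000001}` with the sids from the `suricata -T` run; repeat until test mode loads cleanly, then review the quarantined rules one by one against the compatibility wiki rather than dropping them for good.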


