[Oisf-users] Converting rules from Snort to Suricata and ??

Victor Julien lists at inliniac.net
Wed Jul 8 06:30:22 UTC 2020

Note: we're soon closing this list. Please bring new topics to

More inline.

On 08-07-2020 01:16, David Decker wrote:
> I am taking a bunch of rules built by the organization (not me) and
> trying to convert them over to Suricata
> One issue is a lot of rules are saying unknown rule keyword
> 'stream_reassemble' and I know that Snort has that keyword, but it does not
> look like Suricata does.

Correct, we don't support this. There is a 'bypass' keyword that would
be similar to:


> Second is offset: for Snort the numbers can be -65535 to 65535.  For
> Suricata it says
> 18446744073709551604 > 65535.  This had -12 offset.

This looks like a parsing issue on our end. However I fail to understand
how a negative offset would work (we do support negative distance).

> http_method pattern with trailing space is another.  

Yes, this can't match. The method is the non-space bytes between the
start of the request line and the first space.

If you're looking for weirdness in the request line you can use the
`http.request_line` buffer.

> http_method or http_uri Keyword seen with a sticky buffer still set. 
> Reset sticky buffer with pkt_data before using the modifier.  

This is usually something like:

file_data; content:"abc"; content:"def"; http_uri;

In modern suri you would write this as

file.data; content:"abc"; http.uri; content:"def";

> Can't really post the full rules, but I might be able to provide a
> little more data, or if someone can point to some better explanations
> on what to look at in the rule as for the above errors

If the above isn't helping you get things resolved posting some
(partial) examples will be helpful.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
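The rewrite Victor describes (move the legacy modifier in front of its content as a sticky buffer, rename file_data, insert pkt_data when a later content must fall back to the packet payload) is mechanical enough to script. Below is an added example of such a rewriter, written by the editor; it is not code from the original post and not Suricata or Snort project code. The keyword-to-buffer table is the editor's own summary and should be checked against the keyword docs of the Suricata version in use; the sample rule is constructed. It also drops stream_reassemble with a warning, flags a trailing space on an http_method content and a negative offset, and shows that the 18446744073709551604 in the quoted error is exactly -12 taken modulo 2^64, i.e. what an unsigned 64-bit field holds after -12 is stored into it.

```python
"""Snort 2 -> Suricata rule-option rewriter (added example, not project code)."""

# Snort 2 content modifiers (written after a content) and the Suricata sticky
# buffer that is written before the content instead. Assumed mapping.
MODIFIER_TO_STICKY = {
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_method": "http.method",
    "http_header": "http.header",
    "http_raw_header": "http.header.raw",
    "http_cookie": "http.cookie",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_user_agent": "http.user_agent",
    "http_host": "http.host",
    "http_stat_code": "http.stat_code",
    "http_stat_msg": "http.stat_msg",
}
# Keywords that are already sticky in Snort, with Suricata's dotted spelling.
STICKY_RENAME = {"file_data": "file.data"}
# Snort keywords Suricata does not implement; dropped with a warning.
UNSUPPORTED = {"stream_reassemble"}


def split_options(body):
    """Split 'a:1; b:"x;y"; c;' into [(key, value-or-None), ...].

    A ';' inside double quotes does not end an option; a backslash escapes
    the next character inside quotes (so content:"a\\"b" stays whole).
    """
    opts, cur, in_q, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif in_q and ch == "\\":
            cur.append(ch); esc = True
        elif ch == '"':
            cur.append(ch); in_q = not in_q
        elif ch == ";" and not in_q:
            opt = "".join(cur).strip()
            if opt:
                key, _, val = opt.partition(":")
                opts.append((key.strip(), val.strip() or None))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        raise ValueError("unterminated option: %r" % "".join(cur))
    return opts


def join_options(opts):
    return " ".join(k + ("" if v is None else ":" + v) + ";" for k, v in opts)


def convert_options(body):
    """Rewrite a rule option string; return (new option string, warnings).

    Only `content` is rebuffered; pcre buffer flags such as /U are left alone.
    """
    out, warnings = [], []
    pending = None     # index in `out` of the most recent content
    settled = True     # True once that content's buffer has been placed
    snort_buf = None   # buffer Snort gives an unmodified content (None = payload)
    active = None      # sticky buffer in effect in `out` at index `pending`

    def place(buf):
        """Make `buf` (None = packet payload) the buffer preceding the pending content."""
        nonlocal pending, active
        if active != buf:
            out.insert(pending, (buf or "pkt_data", None))
            pending += 1
            active = buf

    for key, val in split_options(body):
        if key in UNSUPPORTED:
            warnings.append("dropped %s: no Suricata equivalent" % key)
            continue
        # A new content, a sticky keyword or pkt_data ends the previous content's
        # modifier list. A content that never got a buffer modifier matches Snort's
        # default buffer, which modern Suricata must be told about explicitly.
        if key == "content" or key == "pkt_data" or key in STICKY_RENAME:
            if pending is not None and not settled:
                place(snort_buf)
            settled = True
        if key == "content":
            pending, settled = len(out), False
            out.append((key, val))
        elif key in STICKY_RENAME:
            snort_buf = active = STICKY_RENAME[key]
            out.append((active, None))
            pending = None
        elif key == "pkt_data":
            snort_buf = active = None
            out.append((key, None))
            pending = None
        elif key in MODIFIER_TO_STICKY:
            if pending is None or settled:
                warnings.append("%s without a content to modify; dropped" % key)
                continue
            place(MODIFIER_TO_STICKY[key])
            settled = True
            text = (out[pending][1] or "").lstrip("!").strip().strip('"')
            if key == "http_method" and text != text.rstrip():
                warnings.append("http_method content %r ends in whitespace and cannot match" % text)
        else:
            if key == "offset" and val and val.startswith("-"):
                warnings.append("negative offset %s: Suricata rejects it, review by hand" % val)
            out.append((key, val))
    if pending is not None and not settled:
        place(snort_buf)
    return join_options(out), warnings


def convert_rule(rule):
    """Convert a full rule line; the header before '(' is passed through unchanged."""
    head, _, rest = rule.partition("(")
    opts, warnings = convert_options(rest.rstrip().rstrip(")"))
    return head + "(" + opts + ")", warnings


def as_u64(n):
    """n reduced modulo 2**64: what an unsigned 64-bit field holds after storing n."""
    return n % (1 << 64)


if __name__ == "__main__":
    sample = ('alert http any any -> any any (msg:"constructed sample"; content:"GET "; '
              'http_method; content:"/x"; http_uri; content:"raw"; offset:-12; '
              'stream_reassemble:disable,client; sid:1;)')  # constructed, not a real rule
    new_rule, warns = convert_rule(sample)
    print(new_rule)
    for w in warns:
        print("warning:", w)
    print(as_u64(-12))
```

Running it on the constructed sample yields `http.method; content:"GET "; http.uri; content:"/x"; pkt_data; content:"raw"; offset:-12;` plus three warnings, and `as_u64(-12)` gives 18446744073709551604. The pkt_data before `content:"raw"` is the point of the "sticky buffer still set" error: in Snort that content matched the raw payload, but once http.uri has been set as a sticky buffer a bare content would keep matching the URI unless the buffer is reset.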
