[Oisf-users] Converting rules from Snort to Suricata and ??

Victor Julien lists at inliniac.net
Wed Jul 8 06:30:22 UTC 2020


Note: we're soon closing this list. Please bring new topics to
forum.suricata.io.

More inline.

On 08-07-2020 01:16, David Decker wrote:
> 
> I am taking a bunch of rules built by the organization (not me) and
> trying to convert them over to Suricata
> 
> 
> One issue is a lot of rules are saying unknown rule keyword
> 'stream_reassemble' and I know that Snort has that keyword, but it does not
> look like Suricata does.

Correct, we don't support this. There is a 'bypass' keyword that would
be similar to:

stream_reassemble:disable,both,noalert,fastpath;


> Second is offset: for Snort the numbers can be -65535 to 65535.  For
> Suricata it says
> 18446744073709551604 > 65535.  This had -12 offset.

This looks like a parsing issue on our end. However I fail to understand
how a negative offset would work (we do support negative distance).


> http_method pattern with trailing space is another.  

Yes, this can't match. The method is the non-space bytes between the
start of the request line and the first space.

If you're looking for weirdness in the request line you can use the
`http.request_line` buffer.


> http_method or http_uri Keyword seen with a sticky buffer still set. 
> Reset sticky buffer with pkt_data before using the modifier.  

This is usually something like:

file_data; content:"abc"; content:"def"; http_uri;

In modern suri you would write this as

file.data; content:"abc"; http.uri; content:"def";



> Can't really post the full rules, but I might be able to provide a
> little more data, or if someone can point to some better explanations
> on what to look at in the rule as for the above errors
> 

If the above isn't helping you get things resolved posting some
(partial) examples will be helpful.

Regards,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
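As an added illustration (not code from the thread or from the Suricata project), a small Python converter that applies the four points Victor raises: it drops stream_reassemble with a note pointing at bypass, flags negative offsets, moves an http_method pattern with a trailing space onto the http.request_line buffer, and rewrites legacy content modifiers into sticky-buffer form (emitting pkt_data when a later content falls back to the raw payload). The modifier-to-buffer table and the input rules are my own assumptions.

```python
# Legacy Snort content modifiers and the Suricata sticky buffers they map to
BUFFERS = {"http_uri": "http.uri", "http_method": "http.method",
           "http_header": "http.header", "http_client_body": "http.request_body"}
CONTENT_MODS = {"nocase", "offset", "depth", "distance", "within", "fast_pattern"}

def split_options(body):
    """Split 'k:v; k2;' into (key, value) pairs, ignoring ';' inside quotes."""
    opts, cur, quoted = [], "", False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            k, _, v = cur.strip().partition(":")
            opts.append((k, v or None)); cur = ""
        else:
            cur += ch
    return opts

def convert_rule(rule):
    """Return (suricata_rule, warnings) for one legacy-syntax Snort rule."""
    head, body = rule.split("(", 1); body = body.rsplit(")", 1)[0]
    items = []  # ["content", value, [mods], buffer] or ["opt", key, value]
    for k, v in split_options(body):
        last = items[-1] if items and items[-1][0] == "content" else None
        if k == "content": items.append(["content", v, [], None])
        elif last and k in CONTENT_MODS: last[2].append((k, v))
        elif last and k in BUFFERS: last[3] = BUFFERS[k]   # modifier -> buffer
        else: items.append(["opt", k, v])
    out, warnings, sticky, buf = [], [], None, None
    for it in items:
        if it[0] == "opt":
            _, k, v = it
            if k == "stream_reassemble":
                warnings.append(f"dropped '{k}:{v}': unsupported, 'bypass' is the closest keyword")
            elif k in ("file_data", "pkt_data"):   # Snort sticky buffers, emitted lazily
                sticky = "file.data" if k == "file_data" else None
            else: out.append(f"{k}:{v}" if v else k)
            continue
        _, val, mods, want = it
        if want == "http.method" and val.endswith(' "'):
            warnings.append(f"content {val} on http_method can never match; moved to http.request_line")
            want = "http.request_line"
        for mk, mv in mods:
            if mk == "offset" and mv and mv.startswith("-"):
                warnings.append(f"negative offset {mv} is not supported by Suricata")
        target = want or sticky            # None means the raw packet payload
        if target != buf:
            out.append(target or "pkt_data"); buf = target
        out.append(f"content:{val}")
        out.extend(f"{mk}:{mv}" if mv else mk for mk, mv in mods)
    return f"{head.strip()} ({' '.join(o + ';' for o in out)})", warnings
```

Feeding it the rule from the sticky-buffer error above yields exactly the modern form Victor gives; the other three problems come back as warnings rather than being silently rewritten.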