[Oisf-users] Converting rules from Snort to Suricata and ??

David Decker x.faith at gmail.com
Wed Jul 8 22:10:55 UTC 2020


Thanks Victor and David.  Will look at the suggestions and see; if not, I
will just leave it up to the "developers" of the rules to fix.  Just trying
to get ahead of the issues that will be occurring.  As stated we switched
from Snort to Suricata recently, and I have some time, so looking deep into
things.



On Tue, Jul 7, 2020 at 11:30 PM Victor Julien <lists at inliniac.net> wrote:

> Note: we're soon closing this list. Please bring new topics to
> forum.suricata.io.
>
> More inline.
>
> On 08-07-2020 01:16, David Decker wrote:
> >
> > I am taking a bunch of rules built by the organization (not me) and
> > trying to convert them over to Suricata
> >
> >
> > One issue is a lot of rules are saying unknown rule keyword
> > 'stream_reassemble', and I know that Snort has that keyword, but it does not
> > look like Suricata does.
>
> Correct, we don't support this. There is a 'bypass' keyword that would
> be similar to:
>
> stream_reassemble:disable,both,noalert,fastpath;
>
>
> > Second is offset: for Snort the numbers can be -65535 to 65535.  For
> > Suricata it says
> > 18446744073709551604 > 65535.  This had -12 offset.
>
> This looks like a parsing issue on our end. However I fail to understand
> how a negative offset would work (we do support negative distance).
>
>
> > http_method pattern with trailing space is another.
>
> Yes, this can't match. The method is the non-space bytes between the
> start of the request line and the first space.
>
> If you're looking for weirdness in the request line you can use the
> `http.request_line` buffer.
>
>
> > http_method or http_uri Keyword seen with a sticky buffer still set.
> > Reset sticky buffer with pkt_data before using the modifier.
>
> This is usually something like:
>
> file_data; content:"abc"; content:"def"; http_uri;
>
> In modern suri you would write this as
>
> file.data; content:"abc"; http.uri; content:"def";
>
>
>
> > Can't really post the full rules, but I might be able to provide a
> > little more data, or if someone can point to some better explanations
> > on what to look at in the rule for the above errors
> >
>
> If the above isn't helping you get things resolved posting some
> (partial) examples will be helpful.
>
> Regards,
> Victor
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
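As an added example (not code from the thread or from the Suricata project), here is a small Python rewriter for the four problems Victor lists: it tokenizes the rule options, turns stream_reassemble into bypass, flags a negative offset and an http_method pattern that ends in a space, and moves Snort-style content modifiers in front of their content as Suricata sticky buffers, inserting pkt_data where a later bare content would otherwise inherit a buffer it did not have in the Snort rule. The modifier-to-buffer mapping is an assumption to check against the documentation of the Suricata version in use; the sample rules in the test and demo are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Snort content modifiers -> Suricata sticky buffers. This mapping is an
# assumption of the example, not something stated in the thread; check it
# against the documentation of the Suricata version you run.
BUFFER_MODIFIERS = {
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_method": "http.method",
    "http_header": "http.header",
    "http_raw_header": "http.header.raw",
    "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent",
    "http_host": "http.host",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_stat_code": "http.stat_code",
    "http_stat_msg": "http.stat_msg",
    "file_data": "file.data",  # already sticky in Snort; only the name changes
}
# Modifiers that stay attached to the content they follow.
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
                     "fast_pattern", "rawbytes"}
# Keywords that, when they directly follow a content, belong to that content.
ATTACHED = CONTENT_MODIFIERS | (set(BUFFER_MODIFIERS) - {"file_data"})
# A pattern ending in a literal space or the |20| hex byte.
TRAILING_SPACE = re.compile(r'( |\|\s*20\s*\|)"$')


@dataclass
class Conversion:
    rule: str
    notes: list[str] = field(default_factory=list)


def tokenize(options: str) -> list[tuple[str, str | None]]:
    """Split 'kw:val; kw; ...' into (keyword, value) pairs. A semicolon inside
    quotes or escaped with a backslash does not end an option."""
    tokens: list[tuple[str, str | None]] = []
    buf: list[str] = []
    in_quote = escaped = False
    for ch in options:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            _push(tokens, buf)
            buf = []
            continue
        buf.append(ch)
    _push(tokens, buf)
    return tokens


def _push(tokens: list, buf: list[str]) -> None:
    item = "".join(buf).strip()
    if item:
        kw, sep, val = item.partition(":")
        tokens.append((kw.strip(), val.strip() if sep else None))


def _switch(out: list, current: str | None, wanted: str | None) -> str | None:
    """Emit a sticky buffer (or pkt_data to return to the packet payload)
    only when the active buffer actually changes."""
    if wanted != current:
        out.append((wanted or "pkt_data", None))
    return wanted


def convert_rule(rule: str) -> Conversion:
    head, _, rest = rule.strip().partition("(")
    tokens = tokenize(rest.rsplit(")", 1)[0])
    out: list[tuple[str, str | None]] = []
    notes: list[str] = []
    sticky_base: str | None = None  # set by a standalone file_data / pkt_data
    current: str | None = None      # buffer Suricata would have active here
    i = 0
    while i < len(tokens):
        kw, val = tokens[i]
        if kw == "stream_reassemble":
            # Closest Suricata keyword per the thread; semantics are not identical.
            out.append(("bypass", None))
            notes.append(f"stream_reassemble:{val} rewritten to bypass; review the intent")
            i += 1
        elif kw == "pkt_data" or kw in BUFFER_MODIFIERS:
            # Standalone buffer keyword: stays in effect for the contents after it.
            sticky_base = None if kw == "pkt_data" else BUFFER_MODIFIERS[kw]
            current = _switch(out, current, sticky_base)
            i += 1
        elif kw == "content":
            j = i + 1
            mods = []
            while j < len(tokens) and tokens[j][0] in ATTACHED:
                mods.append(tokens[j])
                j += 1
            buffers = [m for m, _ in mods if m in BUFFER_MODIFIERS]
            if len(buffers) > 1:
                notes.append(f"content {val} has several buffer modifiers {buffers}; keeping the first")
            wanted = BUFFER_MODIFIERS[buffers[0]] if buffers else sticky_base
            if buffers[:1] == ["http_method"] and TRAILING_SPACE.search(val or ""):
                notes.append(f"http_method content {val} ends with a space and cannot match; "
                             "consider http.request_line")
            for m, v in mods:
                if m == "offset" and v and v.startswith("-"):
                    notes.append(f"offset:{v} is negative, which Suricata does not support")
            current = _switch(out, current, wanted)
            out.append((kw, val))
            out.extend(m for m in mods if m[0] not in BUFFER_MODIFIERS)
            i = j
        else:
            out.append((kw, val))
            i += 1
    body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in out)
    return Conversion(f"{head.strip()} ({body})", notes)


if __name__ == "__main__":
    # Constructed sample, the case from the thread: modifier after a sticky buffer.
    demo = 'alert http any any -> any any (file_data; content:"abc"; content:"def"; http_uri; sid:1;)'
    result = convert_rule(demo)
    print(result.rule)
    for note in result.notes:
        print("  note:", note)
```

The rewriter only rewrites what it can do mechanically (keyword renames, modifier placement, stream_reassemble to bypass) and reports the rest as notes, so a negative offset or a trailing-space http_method pattern still has to be fixed by whoever owns the rule, as the thread suggests.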