Snort rule syntax #1727
I've read documentation on Snort rule syntax, and understand the basics. However, there are thousands of rules firing FP that do not seem to have any logic beyond an established connection. The only similarity is they all have the "metadata: engine shared" string, which I can't find any documentation to explain that well. Can someone help me understand these rules?

```
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC FF-RAT outbound connection attempt"; sid:38747; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|38747, policy balanced-ips drop, policy security-ips drop, impact_flag red;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS PGM nak list overflow attempt"; sid:8351; gid:3; rev:7; classtype:attempted-admin; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-052; reference:cve,2006-3442; reference:bugtraq,19922; metadata: engine shared, soid 3|8351;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected"; sid:17775; gid:3; rev:6; classtype:shellcode-detect; metadata: engine shared, soid 3|17775, policy max-detect-ips drop;)
```

For reference, I am using the TALOS ruleset.
Replies: 2 comments 4 replies
Those rules are Talos shared object rules and will only run on Snort, not Suricata. Security Onion 2 currently only supports Suricata.
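As an added example (not part of this discussion or of Security Onion), a small Python script that parses the three rules from the question and flags the shared object (SO) stubs the answer refers to. The parser is deliberately simplified (no escaped quotes, no multi-line rules); the `engine shared` marker comes from the rules themselves, and the gid 3 convention for SO rules is Snort's own. The point it makes visible is that an SO stub's text carries no detection options at all, because the matching logic lives in the compiled shared library, which is why the text reads as "nothing beyond an established connection".

```python
import re

# The three rules quoted in the question, embedded so the script runs offline.
RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC FF-RAT outbound connection attempt"; sid:38747; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|38747, policy balanced-ips drop, policy security-ips drop, impact_flag red;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS PGM nak list overflow attempt"; sid:8351; gid:3; rev:7; classtype:attempted-admin; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-052; reference:cve,2006-3442; reference:bugtraq,19922; metadata: engine shared, soid 3|8351;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected"; sid:17775; gid:3; rev:6; classtype:shellcode-detect; metadata: engine shared, soid 3|17775, policy max-detect-ips drop;)
'''

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$')
# One option up to its terminating ';', ignoring any ';' inside double quotes.
OPT_RE = re.compile(r'\s*([^;"]*(?:"[^"]*"[^;"]*)*);')
# Options that only describe a rule; anything else (content, pcre, flow, ...) is detection logic.
DESCRIPTIVE = {"msg", "sid", "gid", "rev", "classtype", "reference", "metadata", "priority"}

def parse_rule(line):
    """Parse one Snort text rule into a dict (simplified: no escaped quotes, no multi-line rules)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = [(k.strip(), v.strip()) for k, _, v in
               (raw.partition(":") for raw in OPT_RE.findall(body))]
    opts = dict(options)  # last value wins, which is fine for sid/gid/msg
    metadata = [i.strip() for k, v in options if k == "metadata" for i in v.split(",")]
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dir": direction,
            "dst": dst, "dport": dport, "msg": opts.get("msg", "").strip('"'),
            "sid": int(opts.get("sid", 0)), "gid": int(opts.get("gid", 1)),  # gid defaults to 1
            "metadata": metadata, "detection": [k for k, _ in options if k not in DESCRIPTIVE]}

def is_so_stub(rule):
    """True for a shared object stub: 'engine shared' metadata; Snort also reserves gid 3 for SO rules."""
    return "engine shared" in rule["metadata"] or rule["gid"] == 3

def so_stubs(text):
    """(gid:sid, msg, number of detection options) for every SO stub in a ruleset."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            r = parse_rule(line)
            if is_so_stub(r):
                out.append((f'{r["gid"]}:{r["sid"]}', r["msg"], len(r["detection"])))
    return out

if __name__ == "__main__":
    for ident, msg, n in so_stubs(RULES):
        print(f"{ident}  detection options in text stub: {n}  {msg}")
```

Run against a full Talos ruleset file, the script lists every rule whose logic will never execute on Suricata, which is what to look at first when such alerts appear to fire without reason.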