SNORT

[LennyDK]

Hi There
Dos anyone know if SNORT is to be supported in Security Onion 2 ?
I have thousands of rules that only run in SNORT I have written my self. That is years of rewriting and testing on old pcaps and so on.....Nightmare :-)

By the way...you can get them from here (NOT working Security Onion 2)
https://networkforensic.dk/SNORT/default.html

Best Regards
Lenny

[TOoSmOotH]

@LennyDK I looked at your rule file and found several formatting issues that we causing problems. I have attached a cleaned up version of your rule file. I have fixed most of the easy ones where you had HOME_NET instead of $HOME_NET and others that were missing ; somewhere in the rule. I commented out the ones below that will actually require you to do something about so all the other rules will load without error. If you fix the errors below your ruleset will work with Suricata on SO 2.
NF-local.rules.gz

Below is a list of line numbers that have issues.

These lines error out with the following message:
"http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.

11
12
13
14
15
16
17
18
19
21
22
25
26
27
28
30
129
504
613
1012

can't use multiple nocase modifiers with the same content:

124
125
126
127
128

Can't use file_data with flow:to server or flow:from_client with http

601

rule (somesid) setup buffer file_data but didn't add matches to it

1165
1166
1167
1168

2 out of the following 11 sids need to be fixed. The error is "Unable to find the sm in any of the sm lists" and gets triggered specifically by a combination of flowbits plus non buffered pcre. I commented them all out for now. You have 2 other rules that are causing the smlist errors but I am unable to find them right now. Might need to disable chunks of rules to pinpoint the 2 other rules that are throwing the smlist errors.

sids:
5003036
5003037
5013409
5013410
5021502
5021503
5023251
5026001
5026003
5026005
5026011

Getting these warnings:

10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.exe' is checked but not set. Checked in 5017108 and 9 other sigs
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'smb.trans2.mid65' is checked but not set. Checked in 5017115 and 0 other sigs
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.lnk' is checked but not set. Checked in 5017120 and 0 other sigs
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf' is checked but not set. Checked in 5017137 and 3 other sigs
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'NF-Valak' is checked but not set. Checked in 5023252 and 0 other sigs
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'NF-RFPNG' is checked but not set. Checked in 5026002 and 0 other sigs
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'NF-RFJPG' is checked but not set. Checked in 5026004 and 0 other sigs
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 5002003: SYN-only to port(s) 12975:12975 w/o direction specified, disabling for toclient direction
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 5024703: SYN-only to port(s) 5800:5820 w/o direction specified, disabling for toclient direction
10/2/2021 -- 09:19:31 - - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 5024708: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction

[petiepooo]

@TOoSmOotH Thank you for cleaning up Lenny's rules so they work under Suricata. But...

His question remains, is there any plans to offer Snort 3.0 as an alternative to Suricata in SecurityOnion v2? Now that Snort 3.0 is finally out of Beta, and capable of using AF_PACKET, offering it as an option is feasible again, I believe. It gives users the benefit of being able to run the full TALOS ruleset from Cisco, including shared-object rules that Suricata cannot run.

From a MSSP perspective, the TALOS and ETPRO rulesets focus on different areas. One tends to focus more on server-to-internet traffic, while the other has more rules for workstation-to-internet traffic (I forget which is which). Plus, becoming a Snort Integrator is cheaper for smaller MSSPs. Last I checked, Proofpoint wouldn't talk to you as an OEM integrator until you dropped $10k, whereas Cisco lets you break the normal per-sensor cost down to top daily usage per quarter, paid quarterly, and with no minimum. ETPRO isn't competitive on cost parity until you're upwards of 30 deployed sensors, assuming the rulesets are of equal value.

If you do explore adding Snort as a NIDS option (and I hope you do), please consider adding the ability to run both Snort and Suricata concurrently. That gives the option to run TALOS or Snort-community rules on Snort and ETPRO or ETOPEN on Suricata.

[dougburks]

Hi @petiepooo

is there any plans to offer Snort 3.0 as an alternative to Suricata in SecurityOnion v2?

https://blog.securityonion.net/2021/02/snort-3-and-security-onion-2.html

please consider adding the ability to run both Snort and Suricata concurrently

We've never supported running both Snort and Suricata concurrently and we don't have any plans to do so.

[petiepooo]

@dougburks Thank you. You posted that blog entry a few hours after I asked the question.. I figured it was in response. :)

A link to the snort+suricata suggestion I made in 2018 along the same lines: https://groups.google.com/u/1/g/security-onion/c/SCCCM_BHyyk/m/OWwnDtE_BgAJ As it was then, my biggest problem with Suricata today is its inability to run the shared-object rules in the TALOS ruleset. Once Snort3 is integrated in Security Onion 2, then I'll be able to again fully utilize our TALOS subscription. Further, if it handles ET rules as well as Suricata does, it means there would be no advantage to running both simultaneously. I'm hopeful, and anxiously awaiting your Snort3 rollout, but fully aware your dev team is overloaded just getting v2 in shape out the door... My thanks to them.