Thursday, December 18, 2014

Translating a Snort 2.9.X configuration file into a Snort 3.0 configuration file

Enter Snort2Lua

One of the major differences between Snort 2.9.X and Snort 3.0 is the configuration. Snort 2.9.X configuration files are written in Snort-specific syntax while Snort 3.0 configuration files are written in Lua. Snort2Lua is a program specifically designed to convert Snort 2.9.X configuration files into Lua files that Snort 3.0 can understand.

Basic Usage
Snort2Lua is included in the Snort 3.0 distribution. The Snort2Lua source code is located in the tools/snort2lua directory. The program is automatically built and installed.

Translating your configuration
To run Snort2Lua, the only requirement is a file containing Snort 2.9.X syntax. Assuming your configuration file is named snort.conf, run the command
    • snort2lua -c snort.conf
Snort2Lua will output a file named snort.lua. Assuming your snort.conf file is a valid Snort 2.9.X configuration file, the resulting snort.lua file will always be a valid Snort 3.0 configuration file; any errors that are reported are for options that Snort 3.0 currently does not support.

Every keyword from the Snort configuration can be found in the output file. If the option or keyword has changed, then a comment containing both the option or keyword’s old name and new name will be present in the output file.

Translating a rule file
Snort2Lua can also translate individual rule files. Assuming the Snort 2.9.X rule file is named snort.rules and you want the new rule file to be named updated.rules, run the command
    • snort2lua -c snort.rules -r updated.rules
Snort2Lua will output a file named updated.rules. That file, updated.rules, will always be a valid Snort 3.0 rule file. Any rule that contains unsupported options will be a comment in the output file.

Understanding the Output
Although Snort2Lua outputs very little to the console, there are several things that occur when Snort2Lua runs.  This is a list of Snort2Lua outputs.

The console.   Every line that Snort2Lua is unable to translate from the Snort 2.9.X format to the Snort 3.0 format is considered an error. Upon exiting, Snort2Lua will print the number of errors that occurred. Snort2Lua will also print the name of the error file. 

The output file.  As previously mentioned, Snort2Lua will create a Lua file with valid Snort 3.0 syntax.  The default Lua file is named snort.lua.  This file is the equivalent of your main Snort 2.9.X configuration file.

The rule file.   By default, all rules will be printed to the Lua file.  However, if a rule file is specified on the command line, any rules found in the Snort 2.9.X configuration will be written to the rule file instead.

The error file.  By default, the error file is snort.rej. It will only be created if errors exist.  Every error referenced on the command line can be found in this file.  There are two reasons an error can occur.
1)   The Snort 2.9.X configuration file has invalid syntax. If Snort 2.9.X cannot parse the configuration file, neither can Snort2Lua.  For example, the line 'config bad_option' is not valid Snort 2.9.X syntax, so Snort2Lua cannot convert it and reports a syntax error.

2)    The Snort 2.9.X configuration file contains preprocessors and rule options that are not supported in Snort 3.0.  If Snort 2.9.X can parse a line that Snort2Lua cannot parse, then Snort 3.0 does not support something in the line.  As Snort 3.0 begins supporting these preprocessors and rule options, Snort2Lua will also begin translating these lines. One example of such an error is dcerpc2.

Additional .lua and .rules files. Every time Snort2Lua parses the include or binding keyword, the program will attempt to parse the file referenced by the keyword.  Snort2Lua will then create one or two new files.  The new files will have a .lua or .rules extension appended to the original filename.
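The translation steps above and the outputs just described fit naturally into a small wrapper script. The following is an added example, not part of this post or of the Snort project: it runs snort2lua with the rules split out to their own file, treats a non-empty reject file as a failure, lists the Lua comments Snort2Lua leaves beside renamed options, and finally asks Snort 3 itself to test the translated file. The -o, -r and -e options are assumed from snort2lua's usage text, and -T is assumed to be Snort 3's configuration test mode; the config and reject file contents in the test are constructed.

```shell
#!/bin/sh
# Added example wrapper around the Snort2Lua workflow; not Snort project code.
# Assumes snort2lua accepts -c/-o/-r/-e and that `snort -T` tests a config.

# translate_conf <snort.conf> [out.lua] [out.rules] [errors.rej]
# Returns 0 on a clean translation, 2 if Snort2Lua rejected lines,
# 1 if snort2lua itself failed, 127 if snort2lua is not installed.
translate_conf() {
    conf="$1"
    out="${2:-snort.lua}"
    rules="${3:-snort.rules}"
    rej="${4:-snort.rej}"

    command -v snort2lua >/dev/null 2>&1 || {
        echo "snort2lua not found; it is built with Snort 3 (tools/snort2lua)" >&2
        return 127
    }
    # The reject file is only created when errors exist, so remove a stale
    # one first; otherwise an old snort.rej would mask a clean run.
    rm -f "$rej"
    snort2lua -c "$conf" -o "$out" -r "$rules" -e "$rej" || return 1
    if [ -s "$rej" ]; then
        echo "$(reject_count "$rej") line(s) were not translated; see $rej" >&2
        return 2
    fi
    return 0
}

# reject_count <errors.rej>: number of non-blank lines in the reject file,
# i.e. how many 2.9.X lines still need manual attention. Prints 0 if the
# file does not exist (Snort2Lua only writes it when there are errors).
reject_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$1" || true
}

# renamed_options <snort.lua>: print the Lua comments in the output file;
# the old-name/new-name notes Snort2Lua writes for renamed options are among
# them, with line numbers so they can be reviewed before deployment.
renamed_options() {
    grep -n '^[[:space:]]*--' "$1" || true
}

# check_conf <snort.lua>: have Snort 3 parse the translated file in test mode.
check_conf() {
    snort -c "$1" -T
}

# Usage: sh translate.sh snort.conf
if [ $# -gt 0 ]; then
    translate_conf "$1" snort.lua snort.rules snort.rej \
        && renamed_options snort.lua \
        && check_conf snort.lua
fi
```

Exit code 2 is the interesting one: it means Snort2Lua ran, produced a valid snort.lua, but left some 2.9.X lines in snort.rej that either have invalid syntax or use something Snort 3.0 does not yet support, exactly the two cases listed above.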

Snort2Lua Documentation
Additional information is available in the Snort2Lua section of the Snort 3.0 manual.

1 comment:

  1. spp_anomalydetection.c:348:57: error: ‘PP_ALL_ON’ undeclared (first use in this function)

    During build of SNORT with AD