Tuesday, February 13, 2018

Snort 3.0 Ruleset Announcement!

Join us as we welcome the first official builds of the Snort 3 subscriber and registered rulesets to the family!

Today marks the first day that we will begin publishing the Snort 3 subscriber and registered rulesets alongside the Snort 2.x rulesets on Snort.org. These will be downloadable via the API (Oinkcode) in the same way as the Snort 2.x rulesets, and will be published on the same dates.

The same subscription rules apply to Snort 3. New rules will be added to the registered ruleset after a 30-day delay. The licensing is exactly the same as it is today for Snort 2.x. Our license can be viewed here: https://www.snort.org/snort_license

False positives against Snort 3 rules can be filed by following the same instructions as for Snort 2.x rules. Instructions on how to file false positives can be found here: http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

There are a couple of caveats to the Snort 3 ruleset:

  1. Keep in mind that the format and layout of the Snort 3 ruleset are different from Snort 2. If you want to start testing the Alpha (and, coming soon, Beta!) builds of Snort 3 and you have a custom ruleset, you can convert your Snort 2 ruleset into the Snort 3 language with the snort2lua tool found in the Snort 3 tarball available at www.snort.org/downloads
  2. Shared Object rules are not part of this initial build. We have not yet begun to transition the shared object rules that we build for Snort 2.x’s rule tree into Snort 3. Work on that will begin very soon.
  3. The files within the Snort 3 ruleset tarball are named slightly differently. This is on purpose: not only does it give a clean separation between the old ruleset and the new one, but if someone writes to the Snort-Sigs list asking for assistance with a rule while trying to run a Snort 3 rule on a Snort 2 engine, the mismatch will be easy to identify.
    1. For instance, in Snort 2.x rules, an example rule file may be named: “server-webapp.rules”
    2. In Snort 3’s rule package, the same file would be named: “snort3-server-webapp.rules”
  4. We have removed all the old dead categories. Exploit.rules, blacklist.rules, web-iis.rules and the like are all gone.

We look forward to people starting to use this ruleset and testing it out. Please provide us with feedback on the Snort-sigs list.