Wednesday, August 12, 2020

How rules are improving in Snort 3


By Russ Combs and Jon Munshaw. 

There are many ways the user experience will improve in Snort 3 compared to previous versions. We've already outlined things like the improved speed and new features that’ll be in the full release later this year. Now, it’s time to look at what the full Snort 3 release means for the rules themselves. 

Cisco Talos releases new rule sets at least twice a week, and sometimes more depending upon any urgent vulnerabilities or exploits that appear in the wild. With Snort 3, rules are going to be more effective, faster and easier to understand. 

Here’s a look at some of the major changes to Snort rules with Snort 3. There are many more benefits that we’ll get into as well as we get closer to release. 

  • All rules must now have a SID 
  • The SID “0” is not allowed 
  • Deleted active/dynamic rules, the unused rule_state.action, and metadata engine shared 
  • Removed metadata: rule-flushing. With PDU flushing, some rules could miss attacks 
  • Changed metadata:service one[ to service:one[, two] 
  • soid is now a non-metadata option 
  • Metadata is now truly metadata. It has no effect on detection, as Snort 3 ignores the internal structure/syntax of metadata. You can use the command line option --metadata-filter to select rules. E.g. snort -c snort.lua --tweaks security --rule-path path/to/talos/rules --metadata-filter "policy security-ips" will select all rules from the security policy. 
  • Snort 3 will automatically determine when something is fast_pattern only. 
  • Rules can fast-pattern sensitive data using Hyperscan with sd_pattern 
  • Deleted the uricontent option. Users should now use the http_uri sticky buffer instead, e.g. http_uri; content:"foo" 
  • Deleted urilen raw and norm. Users should now use http_raw_uri and http_uri instead 
  • Added sticky buffers. Buffer selector options must now precede contents and remain in effect until changed 
  • Deleted the following PCRE options: B, U, P, H, M, C, I, D, K, S and Y. Users should use sticky buffers instead. 
  • Deleted the unused http_encode option 
  • urilen was replaced with the generic bufferlen, which applies to the current sticky buffer 
  • Added an option selector to http_header 
  • The new http_inspect has new buffers and rule options. For example, http_param will set the detection cursor to the value of the specified HTTP parameter key, which may be in the query or body. 
  • Added alert file and alert service rules 
  • There are #begin and #end comments to allow rule writers to easily comment out multiple lines 
  • Nets and/or ports can now be omitted from rule headers 
  • Snort 3 parses all rules and outputs all errors before quitting 
  • The symbol =< in a byte test is now recognized as a syntax error. The correct symbol is <= 
  • All text mode outputs default to stdout 
  • Changed default logging mode to “-L none” 
  • Deleted log_ascii 
  • Snort 3 now queues decoder and inspector events to the main event queue before the IPS policy is selected. Since some events may not be enabled, the queue needs to be sized larger than it would be in Snort 2. 
  • Snort 3 added these fast pattern buffers:  http_raw_uri, http_raw_header, http_stat_code, http_stat_msg, http_cookie, http_method 
  • Unlike Snort 2, the use of service rules does not prevent the use of port rules. 
  • Snort 3 does not require the hosts table (attribute table in Snort 2) in order to use services. 
  • Rules can be included in a config or loaded from the command line with -R file, --rule-path dir, or --stdin-rules.
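A small converter for a handful of the changes above, added here as an example and not code from Talos or the Snort project: it takes a Snort 2 rule and rewrites it into the sticky-buffer form (uricontent and trailing http_* content modifiers become buffer selectors placed before the content, emitted only when the buffer changes, with pkt_data assumed as the option that returns the cursor to packet data), moves metadata:service to service:, drops the deleted engine shared and rule-flushing metadata, maps the deleted PCRE buffer modifiers onto sticky buffers, and rejects a missing or zero SID and =< in byte_test, collecting every error before giving up as Snort 3 does. The rules it is run on are constructed samples, it assumes well-formed Snort 2 syntax, and the modifier-to-buffer table is the editor's own mapping, not a table published by the project.

```python
"""Snort 2 -> Snort 3 rule converter/linter for several of the changes listed above.
Added example, not Talos or Snort project code; the sample rules are constructed."""
import re

# Snort 2 pcre buffer letters -> Snort 3 sticky buffer names (editor's mapping; the same
# names were Snort 2 content modifiers, which trailed their content instead of preceding it).
PCRE_BUF = {"U": "http_uri", "I": "http_raw_uri", "H": "http_header", "D": "http_raw_header",
            "P": "http_client_body", "C": "http_cookie", "K": "http_raw_cookie",
            "M": "http_method", "S": "http_stat_code", "Y": "http_stat_msg"}
BUFFER_MODS = set(PCRE_BUF.values())
DELETED_PCRE = set("BUPHMCIDKSY")      # pcre modifiers Snort 3 no longer accepts
OTHER_MODS = {"nocase", "depth", "offset", "distance", "within", "fast_pattern"}
PKT = "pkt_data"                       # assumed Snort 3 option: cursor back to packet data

def split_options(body):
    # Split a rule body on ';' outside double quotes, honouring backslash escapes.
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = ch == "\\" and not escaped
        cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def convert_rule(rule):
    """Return (snort3_rule, []) or (None, errors); all errors are collected first."""
    header, body = re.match(r"^(.*?)\((.*)\)\s*$", rule.strip(), re.S).groups()
    out, errors, sid, current = [], [], None, PKT
    group = None   # pending [content-or-pcre option, buffer it wants, trailing modifiers]

    def flush():
        nonlocal current
        if group:
            opt, buf, mods = group
            if buf != current:         # selector precedes content and stays in effect
                out.append(buf)
                current = buf
            out.extend([opt] + mods)

    for opt in split_options(body):
        name, _, val = (s.strip() for s in opt.partition(":"))
        if group and name in BUFFER_MODS:        # Snort 2 modifier trailing its content
            group[1] = name
        elif group and name in OTHER_MODS:
            group[2].append(opt)
        else:
            flush()
            group = None
            if name == "sid":
                sid = val
                out.append(opt)
            elif name == "uricontent":           # deleted; becomes http_uri sticky buffer
                group = [f"content:{val}", "http_uri", []]
            elif name == "content":
                group = [opt, PKT, []]
            elif name == "pcre":
                regex, flags = re.match(r'^"(/.*/)([A-Za-z]*)"$', val).groups()
                buf, keep = PKT, ""
                for f in flags:
                    if f in PCRE_BUF:
                        buf = PCRE_BUF[f]
                    elif f in DELETED_PCRE:
                        errors.append(f"pcre modifier {f} was deleted; select a buffer instead")
                    else:
                        keep += f
                group = [f'pcre:"{regex}{keep}"', buf, []]
            elif name == "metadata":
                services, keep = [], []
                for item in (i.strip() for i in val.split(",")):
                    key, _, v = item.partition(" ")
                    if key == "service":
                        services.append(v.strip())
                    elif key not in ("engine", "rule-flushing"):  # both deleted in Snort 3
                        keep.append(item)
                if services:
                    out.append("service:" + ",".join(services))   # metadata:service -> service:
                if keep:
                    out.append("metadata:" + ", ".join(keep))
            elif name == "byte_test" and "=<" in val:
                errors.append("byte_test uses '=<', which Snort 3 rejects; write '<='")
            else:
                out.append(opt)                                   # anything else passes through
    flush()
    if sid is None:
        errors.append("missing sid")
    elif sid == "0":
        errors.append("sid:0 is not allowed")
    return (None, errors) if errors else (f"{header.strip()} ( " + "; ".join(out) + "; )", [])

# Constructed sample rules (not Talos rules); the second one breaks three Snort 3 rules at once.
SNORT2_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE admin probe"; '
               'flow:to_server,established; uricontent:"/admin"; nocase; content:"User-Agent|3A| evil"; '
               r'http_header; content:"marker"; pcre:"/id=\d+/U"; '
               'metadata:service http, policy security-ips, engine shared; sid:1000001; rev:1;)')
BROKEN_RULE = 'alert tcp any any -> any 80 (msg:"EXAMPLE broken"; byte_test:1,=<,5,0; pcre:"/y/B"; sid:0;)'

if __name__ == "__main__":
    for rule in (SNORT2_RULE, BROKEN_RULE):
        print(convert_rule(rule))
```

The conversion of the sample shows the sticky-buffer point from the list: the plain content:"marker" that follows an http_header content must be preceded by pkt_data in the Snort 3 output, because otherwise it would silently inherit the header buffer, and the http_uri selector is emitted again before the converted PCRE because the buffer in effect had changed in between.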