Thursday, October 1, 2020

How to use Snort2lua



By Bhagya Tholpady. 

One of the major differences between Snort 2.X and Snort 3.X is configuration. Snort 2.X configuration files are written in a Snort-specific syntax, while Snort 3.X configuration files are written in Lua. Hence, a valid Snort 2.X configuration won't work with Snort 3 unless it is converted to Lua. This can be done with a tool called "Snort2lua", found under the tools/snort2lua directory of the Snort 3 source distribution.

Converting Snort 2.X configuration 

Usage

Snort2lua supports several options, which can be listed with the --help option.

The main requirement for Snort2lua is a valid Snort 2.X configuration file. This is passed using the options “-c” or “--conf-file” as follows: 

snort2lua -c snort.conf 

snort2lua --conf-file snort.conf

Either command reads the Snort 2.X configuration named snort.conf and writes a Snort 3.X Lua configuration named snort.lua (by default, in the current directory). If the conversion encounters problems, Snort2lua reports the number of errors encountered together with the name of the error file. By default, errors are written to a file named snort.rej.

Snort2lua also converts Snort 2.X rule files. The following command converts snort2.rules into a Snort 3.X rules file named snort3.rules (the -r option names the output rule file):

snort2lua -c snort2.rules -r snort3.rules

Output file 

As mentioned above, the converted config is written to snort.lua by default. A different output file name can be chosen by passing the option -o <out_file>.

The generated file contains the Snort 3.X Lua config along with comments about the conversion. These comments help identify the differences between the two configs and point out the places snort2lua could not handle, which must be fixed by hand. The different types of comments are as follows:

Option change: an option was renamed, or moved to a different module.

Examples: 

--option change: 'config react:' --> 'page' 

--option change: 'min_fragment_length' --> 'min_frag_length' 

--option change: 'http_inspect_server' --> 'http_inspect' 

Deprecated options

Examples:  

# react: msg – deprecated 

# uricontent deprecated --> 'http_uri: content:'foo' 

Rule conversion information

Examples: 

# Changing ruletype 'alert' to 'rewrite' because the rule has 'replace' option. 

#Ruletype 'drop' discards the current packet only; using 'block' to discard all packets on flow 

Unsupported configuration

Examples: 

--option 'use_side_channel' is currently unsupported 

--option 'nap rules interface' is currently unsupported 

The 'activate' ruletype is no longer supported.

Every included rules or config file (e.g. 'include path/to/conf/other_conf') and every policy file (e.g. 'config binding: path/to/conf/other_conf') results in an additional converted file with the extension ".lua" or ".rules".

Although Snort2lua provides a good starting point for converting a Snort 2.X config to Snort 3.X, some manual updates to the converted config may be required before it works properly with Snort 3.X. For example:

Variable conversion 

In Snort 2.X, variables are declared with the keywords ipvar, portvar and var, and the keyword states the variable's type. In Snort 3.X the type is instead taken from the variable name's suffix: _PATH, _NET, _SERVER or _PORT.

Example:  

portvar HTTP 80 is converted to HTTP = '80' rather than ips.variables = { HTTP_PORT = '80' }, so the variable has to be renamed by hand to carry the _PORT suffix.

Conversion of dynamicengine and dynamicpreprocessor options:  

Although these Snort 2.X options correspond to the Snort 3.X option plugin_path, Snort2lua does not convert them. The plugin path must be passed to Snort manually with the --plugin-path option.

Conversion of Port bindings  

By default, a wizard configuration is added to the converted file and the port bindings are suppressed. To keep the port bindings instead, pass the --bind-port option.

Error file 

When the conversion results in errors, a default error file named snort.rej is created. The error file used by Snort2lua can be changed by passing the option --error-file or -e.

The main reasons for conversion errors are: 

  • Invalid input: the file passed to Snort2lua is not a valid Snort 2.X config.
  • Unsupported preprocessors or rule options.

Validating Converted Snort 3.X config 

The config generated by a successful snort2lua conversion can be validated by running it with Snort 3.X in test mode (-T), which parses the config and exits without processing traffic:

bin/snort -c snort.lua -T 

If the validation succeeds, Snort 3.X will print the message “Snort successfully validated the config.”
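As an added example that is not part of Snort or Snort2lua, the Python script below ties the steps above together from the practitioner's side: it sorts the conversion comments snort2lua leaves behind into the categories listed above, flags top-level variables that lack a _PATH/_NET/_SERVER/_PORT suffix (the portvar case), collects the items that still need manual work, and wraps the final snort -T validation. It assumes the comment formats shown in this post; the sample snort.lua and rules content is constructed from those examples rather than taken from a real conversion, and the validation helper assumes a Snort 3 binary on PATH.

```python
"""Audit a snort2lua conversion before handing the config to Snort 3.

Added example for this post, not part of Snort or snort2lua. It assumes the
conversion comments look like the ones shown above and that the Snort 3
binary is on PATH (or passed explicitly) for the final -T validation.
"""
import re
import subprocess
from collections import defaultdict

# Snort 3 takes a variable's type from its name suffix.
TYPE_SUFFIXES = ("_PATH", "_NET", "_SERVER", "_PORT")

# Kinds of conversion comment snort2lua leaves in .lua (--) and .rules (#) files.
# Order matters: the first pattern that matches a line decides its category.
COMMENT_PATTERNS = (
    ("option_change", re.compile(r"^\s*(?:--|#)\s*option change:\s*(.*)$")),
    ("unsupported",   re.compile(r"^\s*(?:--|#)\s*(.*(?:currently unsupported|no longer supported).*)$")),
    ("deprecated",    re.compile(r"^\s*(?:--|#)\s*(.*deprecated.*)$")),
    ("ruletype",      re.compile(r"^\s*(?:--|#)\s*((?:Changing ruletype|Ruletype) .*)$")),
)

# Heuristic (assumption): Snort 2.X variables are conventionally upper case, so
# only upper-case top-level assignments such as HTTP = '80' are checked.
TOP_LEVEL_VAR = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(?:'[^']*'|\"[^\"]*\"|\d+)\s*$")


def triage_comments(text):
    """Group snort2lua's conversion comments by category -> {category: [msg]}."""
    found = defaultdict(list)
    for line in text.splitlines():
        for category, pattern in COMMENT_PATTERNS:
            m = pattern.match(line)
            if m:
                found[category].append(m.group(1).strip())
                break
    return dict(found)


def unsuffixed_variables(lua_text):
    """Top-level variables whose names lack a _PATH/_NET/_SERVER/_PORT suffix.

    'portvar HTTP 80' comes out as HTTP = '80'; Snort 3 will not treat that as
    a port variable until it is renamed (e.g. HTTP_PORT), so flag it.
    """
    return [m.group(1) for m in map(TOP_LEVEL_VAR.match, lua_text.splitlines())
            if m and not m.group(1).endswith(TYPE_SUFFIXES)]


def manual_work_items(lua_text, rules_text):
    """Everything that still needs a human: unsupported options and bad variable names."""
    items = triage_comments(lua_text).get("unsupported", [])
    items += triage_comments(rules_text).get("unsupported", [])
    items += ["variable '%s' needs a type suffix" % v for v in unsuffixed_variables(lua_text)]
    return items


def validate_with_snort(lua_path, snort_bin="snort"):
    """Run 'snort -c <lua> -T' and return (ok, combined output).

    Assumption: success is recognised by Snort's exit status together with the
    'Snort successfully validated the config' message quoted in the post.
    """
    proc = subprocess.run([snort_bin, "-c", lua_path, "-T"],
                          capture_output=True, text=True)
    output = proc.stdout + proc.stderr
    ok = proc.returncode == 0 and "Snort successfully validated the config" in output
    return ok, output


# Constructed sample output, built from the comment examples in the post
# (not real snort2lua output).
SAMPLE_LUA = """\
-- snort.lua converted by snort2lua (constructed sample)
HOME_NET = 'any'
HTTP = '80'
--option change: 'http_inspect_server' --> 'http_inspect'
--option change: 'min_fragment_length' --> 'min_frag_length'
--option 'use_side_channel' is currently unsupported
http_inspect = { }
"""

SAMPLE_RULES = """\
# react: msg - deprecated
# Changing ruletype 'alert' to 'rewrite' because the rule has 'replace' option.
#Ruletype 'drop' discards the current packet only; using 'block' to discard all packets on flow
# The 'activate' ruletype is no longer supported.
"""

if __name__ == "__main__":
    for name, text in (("snort.lua", SAMPLE_LUA), ("snort.rules", SAMPLE_RULES)):
        for category, messages in sorted(triage_comments(text).items()):
            print("%s: %d %s comment(s)" % (name, len(messages), category))
    for item in manual_work_items(SAMPLE_LUA, SAMPLE_RULES):
        print("TODO:", item)
    # Only meaningful once a real converted file exists and snort is installed:
    # ok, out = validate_with_snort("snort.lua")
```

Running the script on a real conversion means reading the generated snort.lua and .rules files into the two text arguments; the "unsupported" entries and the unsuffixed variables are the ones that will not simply go away with a rename, so they are worth fixing before reaching for snort -T.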