Convert Snort 2 Rules of a Single Intrusion Policy to Snort 3

Procedure

Step 1

Choose Policies > Intrusion.

Step 2

In the Intrusion Policies tab, click Show Snort 3 Sync status.

If your policy displays an orange arrow, it indicates that the Snort 2 and the Snort 3 versions of the intrusion policy are not synchronized.

Step 3

Click the orange arrow.

The Snort 2 to Snort 3 Sync Summary page displays that the Snort 2 to Snort 3 sync is pending.

Step 4

Click Re-Sync to start the synchronization.

Note
When you click Re-Sync, the snort2Lua tool converts the rules from Snort 2 to Snort 3.

The Summary Details section lists the rules that were migrated or skipped. In our use case, there are 76 custom Snort 2 rules, 17 rules with thresholds, and 15 rules with suppression that were skipped during the sync process. To migrate the custom rules, go to the next step.

To migrate rules with thresholds and suppressions, go to Step 6.

Step 5

To migrate the 76 custom rules, perform one of these steps:

  • In the Custom Rules tab, click the Import icon to convert and auto-import the local rules to the Snort 3 version of the policy.

    A confirmation message is displayed after the rules are successfully imported.

  • Choose Objects > Intrusion Rules and click Snort 3 All Rules.

    1. Click Local Rules in the left panel to check if any rules have been migrated. Notice that no custom rules from Snort 2 have been migrated.

    2. From the Tasks drop-down list, choose Convert Snort 2 rules and import.
    3. Click OK.

      A new rule group (All Snort 2 Converted Global) is created under Local Rules in the left panel.

      Notice that all 76 custom rules have been migrated, as shown in the following figure.

    Alternatively, in the previous step you can choose Convert Snort 2 rules and download to save the rules file locally. You can review the converted rules in the downloaded file and later upload them using the Upload Snort 3 rules option.

Step 6

Click the Download Summary Details link to download the rules in .txt format.

The following is an excerpt of the summary file; it lists the migrated rule action overrides and the threshold entries that were skipped.

  "id": "00505691-15DC-0ed3-0000-004294988561",
  "name": "_Intrusion_Policy_1",
  "type": "IntrusionPolicy",
  "syncStatus": {
    "source": {
      "id": "bdce2d6a-1ebe-11ee-8e88-220032eb1fb5",
      "type": "IntrusionPolicy"
    },
    "status": "WARN",
    "description": "Migration is partially successful. Some of the rules are not copied to Snort3.",
    "timestamp": 1690883954814,
    "lastUser": {
      "name": "admin"
    },
    "details": [
      {
        "type": "Summary",
        "status": "INFO",
        "description": "Based on Talos rule-mapping 18639 Snort 2 rule action overrides migrated to 18635 Snort 3 rules."
      },
      {
        "id": "1:1000156=alert,1:1000114=alert,1:1000160=alert,1:1000135=alert,1:1000115=alert,1:1000118=alert,
         1:1000092=alert,1:1000139=alert,1:1000123=alert,1:1000159=alert,1:1000149=disabled,1:1000167=alert,
         1:1000133=alert,1:1000095=alert,1:1000143=alert,1:1000106=alert,1:1000153=alert,1:1000097=alert,1:1000141=alert,
         1:1000148=alert,1:1000090=alert,1:1000119=alert,1:1000112=alert,1:1000138=alert,1:1000128=alert,1:1000132=alert,
         1:1000134=alert,1:1000145=disabled,1:1000110=disabled,1:1000107=alert,1:1000163=alert,1:1000124=alert,1:1000125=alert,
         1:1000094=alert,1:1000113=disabled,1:1000147=alert,1:1000161=alert,1:1000105=disabled,1:1000140=alert,1:1000111=alert,
         1:1000102=alert,1:1000129=disabled,1:1000108=alert,1:1000144=disabled,1:1000088=alert,1:1000091=alert,1:1000131=alert,
         1:1000157=alert,1:1000120=alert,1:1000126=alert,1:1000165=alert,1:1000146=alert,1:1000162=alert,1:1000116=alert,1:1000142=alert,
         1:1000170=disabled,1:1000169=alert,1:1000104=alert,1:1000099=disabled,1:1000171=alert,1:1000093=alert,1:1000087=alert,1:1000100=alert,
         1:1000137=alert,1:1000158=alert,1:1000103=alert,1:1000098=alert,1:1000127=disabled,1:1000130=alert,1:1000164=alert,1:1000089=alert,
         1:1000109=alert,1:1000136=alert,1:1000117=alert,1:1000166=alert,1:1000168=alert",
        "type": "PolicyInfo",
        "description": "Corresponding Snort 2 policy overridden custom (local) rules."
      },
      {
        "type": "AssignedDevices",
        "status": "INFO",
        "description": "Snort3:0 , Snort2:0"
      },
      {
        "id": "122:6",
        "type": "Threshold",
        "status": "ERROR",
        "description": "PSNG_TCP_FILTERED_DECOY_PORTSCAN"
      },
      {
        "id": "122:15",
        "type": "Threshold",
        "status": "ERROR",
        "description": "PSNG_IP_PORTSWEEP_FILTERED"
      },
      {
        "id": "122:1",
        "type": "Threshold",
        "status": "ERROR",
        "description": "PSNG_TCP_PORTSCAN"
      },
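The summary file is the only record of what snort2Lua could not carry across, so it is worth turning it into a worklist before starting Step 8. The following Python script is an added example, not part of this guide or of Cisco's software: it parses a summary shaped like the excerpt above, collects the custom-rule action overrides from the PolicyInfo entry, and lists every entry with status ERROR (the Threshold entries on this page) grouped by type so each can be re-created in the Snort 3 policy. The embedded sample is constructed from the excerpt with placeholder policy IDs, and the script assumes the downloaded file is one complete JSON object of that shape.

```python
"""Triage a downloaded Snort 2 -> Snort 3 Sync Summary.

Added example (not Cisco code). It reads the summary exported in Step 6 and
builds a worklist: which custom rule overrides were migrated, and which
entries (thresholds, suppressions) were skipped and must be re-created by
hand in the Snort 3 version of the policy.
"""
import json
import sys
from collections import Counter

# Constructed sample modelled on the summary excerpt in this guide.
# The policy id and the subset of rule ids are placeholders, not real data.
SAMPLE_SUMMARY = json.dumps({
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "_Intrusion_Policy_1",
    "type": "IntrusionPolicy",
    "syncStatus": {
        "status": "WARN",
        "description": "Migration is partially successful. "
                       "Some of the rules are not copied to Snort3.",
        "details": [
            {"type": "Summary", "status": "INFO",
             "description": "Based on Talos rule-mapping ... migrated ..."},
            {"id": "1:1000156=alert,1:1000149=disabled,"
                   "1:1000133=alert,1:1000145=disabled",
             "type": "PolicyInfo",
             "description": "Corresponding Snort 2 policy overridden custom (local) rules."},
            {"type": "AssignedDevices", "status": "INFO",
             "description": "Snort3:0 , Snort2:0"},
            {"id": "122:6", "type": "Threshold", "status": "ERROR",
             "description": "PSNG_TCP_FILTERED_DECOY_PORTSCAN"},
            {"id": "122:1", "type": "Threshold", "status": "ERROR",
             "description": "PSNG_TCP_PORTSCAN"},
        ],
    },
})


def parse_overrides(id_field):
    """Turn '1:1000156=alert,1:1000149=disabled,...' into a dict keyed by gid:sid.

    Whitespace and line breaks around entries are tolerated, because a viewer
    may wrap the long string as the excerpt above does."""
    overrides = {}
    for token in id_field.split(","):
        token = token.strip()
        if not token:
            continue
        gid_sid, _, action = token.partition("=")
        overrides[gid_sid.strip()] = action.strip()
    return overrides


def triage(summary_json):
    """Build the worklist from the summary text downloaded in Step 6."""
    summary = json.loads(summary_json)
    sync = summary["syncStatus"]
    overrides = {}
    skipped = []
    for entry in sync.get("details", []):
        if entry.get("type") == "PolicyInfo" and "id" in entry:
            # Snort 2 custom rules whose action overrides were carried across.
            overrides.update(parse_overrides(entry["id"]))
        elif entry.get("status") == "ERROR":
            # Anything the converter could not copy; these are re-created
            # manually in the Snort 3 policy (Steps 8 to 12).
            skipped.append({
                "id": entry.get("id", "?"),
                "type": entry.get("type", "?"),
                "description": entry.get("description", ""),
            })
    return {
        "policy": summary.get("name"),
        "status": sync.get("status"),
        "overrides": overrides,
        "override_counts": dict(Counter(overrides.values())),
        "skipped": skipped,
    }


def skipped_by_type(result):
    """Group skipped entries by their summary type (e.g. Threshold)."""
    groups = {}
    for item in result["skipped"]:
        groups.setdefault(item["type"], []).append(item)
    return groups


def format_worklist(result):
    lines = [f"Policy {result['policy']}: sync status {result['status']}",
             f"Custom rule overrides migrated: {len(result['overrides'])} "
             f"{result['override_counts']}"]
    for kind, items in skipped_by_type(result).items():
        lines.append(f"{kind} entries skipped (re-create in Snort 3): {len(items)}")
        for item in items:
            lines.append(f"  {item['id']}  {item['description']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage_sync_summary.py <downloaded summary .txt>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUMMARY
    print(format_worklist(triage(text)))
```

Run it against the downloaded .txt and the skipped section gives you the exact gid:sid and message (for example 122:1 PSNG_TCP_PORTSCAN) to filter for in Step 9; the override counts let you confirm that the number of migrated custom rules matches what the Summary Details page reported.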

Step 7

Click Close to close the Sync Summary dialog box.

Step 8

To check the rules with status: ERROR, choose Policies > Intrusion and click the Snort 2 version of the intrusion policy.

Step 9

Under Policy Information, click Rules and filter for the rule. For example, enter PSNG_TCP_PORTSCAN in the Filter field to find the rule.

Step 10

Click Show Details to view the detailed version of the rule.

Step 11

Create the rule again in Snort 3 using Snort 3 rule guidelines and save the file as a .txt or .rules file. For more information, see www.snort3.org.

Step 12

Upload the custom rule that you just created locally to the list of all the Snort 3 rules. See Add Custom Rules to Rule Groups.

What to do next

Deploy configuration changes. See Deploy Configuration Changes.