On converting snort rules to Firekeeper rules
2007-12-15 14:26:03
For those of you that aren't already aware, there is an alpha version of Firekeeper available as a Firefox Add-on from http://firekeeper.mozdev.org/

Although the Firekeeper format is similar to snort rules, there are a number of caveats when converting rules between the two because the project is still in Alpha. I converted a subset of the already available bleeding-rules and converted them to Firekeeper rules.

I was able to successfully convert 82% of the rules I identified as web rules of interest, and I performed minimal verification testing. Firekeeper is an alpha project and the rules I generated should be considered unstable till proven otherwise.

Please send me an email off-list if you would like a copy of these Firekeeper rules for testing purposes. Once I perform more verification testing I would like to put together a report for the Firekeeper community on any bugs, features, or rule language requests.

Blake Hartstein



For those interested here is the basic method I used.

#replacements, different words for similar functions.
#These may be bad assumptions because of choice between body/header
s/sid:/fid:/
s/content:/body_content:/
#order of operation important: the previous line has already turned
#uricontent: into uribody_content:, which this line renames
s/uribody_content:/url_content:/
s/pcre:/body_re:/

#potential deal breakers, modify priority or message to indicate
s/within:[^;]*;//
s/distance:[^;]*;//
s/depth:[^;]*;//
#unsupported body_re option /R for a relative match, high potential for misses
s/\/R/\//

#removals, not supported may fit into message or other fields
#only process rules that match web-client
s/alert[^(]*(/alert(/
s/classtype:[^;]*;//
s/flow:[^;]*;//
#this replacement might work depending on type of threshold, and intent of rule
s/threshold:[^;]*;//

#disabling keywords, doesn't fit in, redesign or delete rule
#firekeeper doesn't support flowbits
s/^.*flowbits:[^;]*;.*//
#firekeeper doesn't support NOT statements yet
s/^.*body_content:!.*$//
#firekeeper doesn't support byte_test
s/^.*byte_test:.*$//
#firekeeper doesn't support isdataat
s/^.*isdataat:.*$//
#firekeeper doesn't support dsize
s/^.*dsize:.*$//
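As an added example (not part of the post above or of the Firekeeper project), here is the same recipe wrapped in a POSIX shell function and run over three constructed Snort rules: one that converts cleanly, one dropped because it uses flowbits, and one dropped because it uses a negated content match. Two choices in it are assumptions rather than the post's: every substitution carries the g flag so that a rule with several content: options is converted throughout, and rules with unsupported keywords are deleted outright with sed's d command instead of being blanked. The rule text, the fid values and the drop_reason helper are all made up for this example.

```shell
#!/bin/sh
# Added example: apply the sed conversion recipe end to end and show
# which constructed Snort rules survive as Firekeeper rules.

# Convert one Snort rule (passed as $1) with the substitutions in the
# post's order. Prints the Firekeeper rule, or nothing at all when the
# rule uses a keyword Firekeeper does not support.
convert_rule() {
    printf '%s\n' "$1" | sed \
        -e 's/sid:/fid:/g' \
        -e 's/content:/body_content:/g' \
        -e 's/uribody_content:/url_content:/g' \
        -e 's/pcre:/body_re:/g' \
        -e 's/within:[^;]*;//g' \
        -e 's/distance:[^;]*;//g' \
        -e 's/depth:[^;]*;//g' \
        -e 's/\/R/\//g' \
        -e 's/alert[^(]*(/alert(/' \
        -e 's/classtype:[^;]*;//g' \
        -e 's/flow:[^;]*;//g' \
        -e 's/threshold:[^;]*;//g' \
        -e '/flowbits:/d' \
        -e '/body_content:!/d' \
        -e '/byte_test:/d' \
        -e '/isdataat:/d' \
        -e '/dsize:/d' \
        -e 's/;  */; /g'
}

# Hypothetical helper: name the first unsupported keyword in a rule so the
# reason for dropping it can be recorded. Returns 1 if none is present.
drop_reason() {
    for kw in flowbits byte_test isdataat dsize; do
        case "$1" in
            *"$kw:"*) printf '%s\n' "$kw"; return 0 ;;
        esac
    done
    case "$1" in
        *'content:!'*) printf 'negated content\n'; return 0 ;;
    esac
    return 1
}

# Constructed sample rules (not from the bleeding ruleset).
RULE1='alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CONSTRUCTED script tag"; flow:established,to_client; content:"<script>"; nocase; uricontent:"/evil.js"; pcre:"/eval\(/Ri"; classtype:trojan-activity; sid:9000001; rev:1;)'
RULE2='alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CONSTRUCTED flowbits rule"; flow:established,to_client; flowbits:isset,stage1; content:"stage2"; sid:9000002; rev:1;)'
RULE3='alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"CONSTRUCTED negated rule"; flow:established,to_client; content:!"text/html"; sid:9000003; rev:1;)'

# Stand-alone run: print the converted rule or the reason it was dropped.
for rule in "$RULE1" "$RULE2" "$RULE3"; do
    out=$(convert_rule "$rule")
    if [ -n "$out" ]; then
        printf 'converted: %s\n' "$out"
    else
        printf 'dropped (%s): %s\n' "$(drop_reason "$rule")" "$rule"
    fi
done
```

The g flag matters because the post's third substitution depends on the second one having already rewritten uricontent: as uribody_content:; without g, a rule whose first content: option comes before its uricontent: option leaves uricontent: untouched. The final substitution only tidies the double spaces that removing flow: and classtype: leaves behind.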

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
