Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SNORT rule converter

I know this has come up numerous times but has anyone actually written a SNORT -> CSIDS sig proggie? I don't want to start a debate over whether or not this is the thing to do -- I want early-access to deal with threats as they arise and the sigs are available (whether it comes from Cisco or not is of no consequence to me if they don't have one already).

thx,

brkn!

4 REPLIES
Bronze

Re: SNORT rule converter

We are tossing around ideas about the best way to implement something like this. The current idea is to implement an engine that would allow you enter a Snort configuration line that the sensor will interpret . This would be done with the understanding that not all Snort parameters may be supported, and that Cisco is not responsible for supporting any customer generated signatures. The positive of this is that it allows you to add custom Snort rules with an interface consistent with the sensor and all of its mgmt. applications. The down side is that all custom signatures must be entered individually, and we may only support a hard limit of say five rules for performance reasons. The question to the forum is, could you live with this? Any other suggestions are welcome.

New Member

Re: SNORT rule converter

We are currently running over 80 IDS-4230s and IDS-4235s with 3.1(3)S45. We have over 100 custom signatures running on these platforms. My question being is the limit for 4.0 going to be 5 custom signatures or 5 rule-sets with multiple sinatures per set?

We don't have a 4.0 sensor on-line (we are running UNIX 2.2.3 directors) and most of our sensors sit at remote sites where physical access is a problem--the upgrade to 4.0 is going to cause us multiple issues (just converting from the 6 UNIX directors to the multiple Windows 2000 MCs is a major problem). Limiting custom signatures is only going to cause more of a problem.

Also, can the custom signatures be added through the MC or do we have to add them manually to each sensor? Please tell me that that this upgrade (3.1 to 4.0) isn't that much of a pain.

MSgt Daniel Berry

USAF AFCERT

Bronze

Re: SNORT rule converter

There is no limit to the number of custom signatures that you can use with 4.0. The limit in question was strictly limited to a proposed 4.0 SNORT rules compatibility engine. You can add as many custom signatures to 4.0 using the existing engines as you like (practical limitations assumed). And yes, the custom signatures can be added via the MC. This is one of the major advantages of MC over the Unix Director. BTW, there is a Solaris version of MC coming out this summer.

New Member

Re: SNORT rule converter

Hello all,

I'm bringing up an old but nevertheless an important requirement, especially at times when we have new worms running wild and we are to detect them using a custom signature.

I'd like to know if there is a plan to support or to convert Snort signatures into Cisco IDS v4.x sigs? One example I have noticed recently is the way ISS RealSecure 7.0 does it - they call it the "TRONS", which supports Snort sigs on a RealSecure engine.

If Cisco could support atleast 5-10 snort sigs at a time (due to performance reasons), I guess that's fine. We need to support a snort sig on a Cisco IDS platform only till such time that the issue (example-worm) is under control or Cisco comes out with it's own version of the signature. The moment Cisco releases a new version, we can delete the Snort sig and update our CSIDS sensors. This way, we always run our systems with Cisco sigs but have the ability to support Snort sigs during critical times. Any comments are welcome.

238
Views
0
Helpful
4
Replies
CreatePlease login to create content