-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Usage: convert Snort rule into fortinet IPS signature format
-i <input Snort rule txt>
-o <output IPS rule txt>, default fortirules.txt
-h or --help - This Usage
-q quiet
-j output rule txt in a json format
-g output suitable for GUI entry
-e only convert enabled signatures
--no-all skip result for invalid lines in file
--sig-max-len maximum length of converted IPS sig
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Snort2Fortigate script provides a best-effort translation of Snort rules into FortiGate IPS Custom Signatures.
-i [file]or--input [file](Required) A text file of Snort rules. Snort2 and Snort3 syntax are both accepted. See Supported Options for the full list of options we can convert at this time. Snort rules that are commented out (# alert tcp...) are also converted by default. This behaviour can be changed with option--enabled-onlyor-e.
-o [file]or--output [file]Defaults tofortirules.txt. A text file of IPS custom signatures, quotes-escaped to be usable in the CLI. Alternatively, use the provided options to generate without escaped quotes (-gfor use in GUI) and in JSON format with-j. JSON output format, for each parsed rule:
"converted": "The converted IPS signature",
"messages": [
{
"level": "WARNING or ERROR",
"message": "Reason for failure."
}
],
"name": "Name of the converted signature (also present in the signature itself)",
"original": "The original Snort rule",
"success": true if a signature was converted at all, or false if there is an ERROR and the rule is skipped
Additionally, the JSON output aggregates count of converted signatures:
"statistics": {
"failure": 1,
"success": 3
}
-qor--quietSuppress warnings and errors.-eor--enabled-onlyBy default, all Snort rules found in the file are converted. Set this option to not convert Snort rules that are commented out with a single#, eg. rules beginning with# alert ....--no-allSet this option to ignore lines that do not begin with a rule action. Current supported rule actions:alert, log, pass, drop, reject, sdrop.
Unsupported or unrecognized options are logged as a warning and the rest of the signature is still generated. Use these signatures with discretion.
Unacceptable errors in parsing the Snort syntax are logged as ERROR and the rule is skipped.
The total number of converted IPS rules is printed:
Total 6 from 7 Snort rules are converted.
See Known Issues for common conversion issues.
| Snort Option | FGT Conversion | Notes |
|---|---|---|
content |
--pattern |
Snort3 content modifiers as suboptions accepted |
pcre |
--pcre |
|
nocase |
--no_case |
|
distance |
--distance |
|
within |
--within |
|
depth |
--within num,context |
|
offset |
--distance num,context |
|
file_data |
--context file |
|
http_client_body |
--context body |
|
http_cookie |
--context header |
|
http_header |
--context header |
|
http_method |
--context uri |
When matching for "GET" or "POST" this is converted to --parsed_type HTTP_GET (or _POST) |
http_raw_cookie |
--context header |
|
http_raw_header |
--context header |
|
http_raw_request |
--context uri |
|
http_raw_status |
--context banner |
|
http_raw_uri |
--context uri |
|
http_stat_code |
--context banner |
|
http_stat_msg |
--context banner |
|
http_uri |
--context uri |
|
http_user_agent |
--context header |
|
uricontent |
--context uri |
|
pkt_data |
--context packet |
|
raw_data |
--context packet_origin |
|
rawbytes |
--context packet_origin |
|
sip_body |
--context body |
--service sip is added to the rule |
sip_header |
--context header |
--service sip is added to the rule |
sip_method |
--context banner |
--service sip is added to the rule |
sip_stat_code |
--context banner |
--service sip is added to the rule |
dsize |
--data_size |
Does not support norm modifier |
bufferlen |
--data_size num,uri |
Only when used inside http_uri sticky buffer (Snort 3) |
urilen |
--data_size num,uri |
|
isdataat |
--data_at |
|
ssl_version |
--parsed_type |
|
service |
--service |
Only in Snort3. Can only handle one service In Snort2, service is in metadata |
sameip |
--same_ip |
|
id |
ip_id |
|
ip proto |
--protocol or --ip[offset] |
If no operators present, --protocol is used If operators are present --ip[offset] is used. |
ipopts |
--ip_option |
IP option esec is not supported |
tos |
--ip_tos |
! operator is not supported |
ttl |
--ip.ttl |
|
icmp_seq |
--icmp_seq |
|
icmp_id |
--icmp_id |
|
icode |
--icmp.code |
|
itype |
--icmp.type |
|
flow |
--flow |
Only support to_client, to_server, from_client, from_server. |
seq |
--seq |
|
ack |
--ack |
|
flags |
--tcp_flags |
|
window |
--window_size |
|
flowbits |
--tag cmd,tag_name |
Support commands set, isset, isnotset, noalert, and toggle only. group_name is not supported |
byte_extract |
--extract |
Does not support dce, bitmasks, and multiplier modifiers. Extracts to a register instead of variables (see Issues). |
byte_jump |
--byte_jump |
Does not support dce, bitmasks, from_end, and post_offset modifiers. |
byte_test |
--byte_test |
Does not support dce and bitmask modifiers. Does not support !& and !^ operators. Can only test against 1,2,4 bytes. |
detection_filter |
--rate count,sec --track filter |
- Option
fast_patterndoes not have an IPS signature equivalent. IPS signatures are optimized by the engine for fast matching. This option is skipped silently. - Snort variables (extracted by byte_extract in the same rule) are converted to registers to use within IPS signatures. IPS engine supports up to 8 registers at this time ($0-$7).
- For rules applying to more than one 'service' (metadata service (Snort2) or the 'service' keyword in Snort3), the resulting IPS signature will not include the service option as IPS signatures do not support having more than one service keyword per signature.
- IPS signatures do not support matching by hashes
md5,sha256, orsha512. - Content modifiers
distanceandwithinin Snort are to be used only after a preceding match in the same buffer. Otherwise,depthandoffsetshould be used from the beginning of the buffer if there is no previous match. - Keywords
dsize,icode,itype,ip_proto,urilen, andbyte_testcannot directly convert<=,>=operators. To mitigate this issue, the value is added/subtracted by 1 to complete the translation. This may result in failed conversions when overflow occurs during the operation. - In the Snort rule headers, policy variables (eg. $OFFICE_NET) cannot be translated to its IP address as each environment is different.
- Custom signatures currently do not support multiple ports, eg.
tcp any [80,8080].... The converted signature will omit the list of ports (with warning).
Some test cases of sample Snort signatures and the equivalent valid IPS output are included.
To run unit tests, use:
./test/test_snort2fortigate.py
Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services. For direct issues, please refer to the Issues tab of this GitHub project. For other questions related to this project, contact github@fortinet.com.
License © Fortinet Technologies. All rights reserved.