I am working on a Suricata signature converter, converting them for Zeek, starting from this development https://github.com/adi928/brocata (which currently does not work), and I am doing various bug fixes and expanding it.
But I have only one problem: it concerns the conversion of the rules containing the Suricata pcre into expressions compatible with Zeek (“flex”).
Has anyone ever approached this development, and could you give me some advice?
Does anyone know of other developments for this scope?
Hi Vincenzo,
I am not a developer, so I can’t comment on the programming aspects. However, from what little I know about the optimizations and use cases for Zeek compared to Suricata, it makes sense to run each tool in the manner for which it was designed.
In other words, depending on the number of signatures you want to port to Zeek, and whether they work as expected, it’s possible you will cripple your Zeek deployment. Can you tell us a little bit more about your expected use case? It might be better to just run both tools in parallel.
Sincerely,
Richard
Hi, I downloaded a tar from Emerging Threats, https://rules.emergingthreats.net/open/suricata-5.0/, and Zeek has loaded all signatures (29670) excluding the pcre option from the Suricata rules, but I included (content, ip, port, flow, nocase of content, etc.), and Zeek rose correctly.
Yes, I know they are tools that are made to work in parallel, but these are the design requirements.
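The conversion the thread is about (content, nocase, flow and pcre options from a Suricata rule folded into a Zeek signature whose `payload` regex must be flex-style) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the brocata project or from either poster. It assumes Zeek's signature syntax as documented (`ip-proto`, `dst-port`, `tcp-state`, `payload /.../`, `event`, and the `(?i:...)` case-insensitive group), that a Zeek payload regex matches from the start of the payload (hence the leading `.*`), and that the spelled-out bracket expressions used for `\d`, `\w` and `\s` are accepted by Zeek's regex engine. The sample rule is constructed, not taken from the Emerging Threats set. The key security-relevant design choice is that PCRE constructs a flex-style engine cannot express (lookaround, backreferences, non-greedy quantifiers, inline flags) make the converter refuse the rule rather than emit a pattern that silently matches something different from what the rule author intended; buffer modifiers such as `U` are dropped with a warning because a raw-payload regex cannot reproduce them.

```python
import re

_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
_OPT = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')   # key[:value]; with quoting
_PCRE = re.compile(r"^/(.*)/([A-Za-z]*)$", re.S)                     # /body/flags
_META = set(r".^$*+?()[]{}|\/")
# PCRE features with no flex-style equivalent: refuse them instead of emitting a
# pattern that silently matches something else
_UNSUPPORTED = [(re.compile(r"\(\?(?!i:)"), "(?...) construct (lookaround, named group, inline flag)"),
                (re.compile(r"(?<!\\)\\[1-9]"), "backreference"),
                (re.compile(r"(?<!\\)[*+?}]\?"), "non-greedy quantifier")]
_SHORTHAND = {"d": "[0-9]", "D": "[^0-9]", "w": "[A-Za-z0-9_]", "W": "[^A-Za-z0-9_]",
              "s": r"[\x20\t\r\n\f\v]", "S": r"[^\x20\t\r\n\f\v]"}  # spelled-out classes (assumed portable)
_FLOW = {"to_server": "originator", "to_client": "responder", "established": "established"}

def content_to_regex(content):
    """Render a Suricata content string, |hex| blocks included, as a literal regex."""
    out = []
    for idx, part in enumerate(content.split("|")):
        if idx % 2:                                   # text between | | markers is hex
            out.extend(r"\x%02x" % int(h, 16) for h in part.split())
        else:                                         # escape metachars, hex-encode blanks
            out.extend("\\" + c if c in _META else r"\x%02x" % ord(c)
                       if c == " " or not c.isprintable() else c for c in part)
    return "".join(out)

def _expand_shorthand(body):
    """Replace \\d \\w \\s and negations; inside [...] splice the members into the class."""
    out, i, in_class = [], 0, False
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cls = _SHORTHAND.get(body[i + 1])
            if cls and in_class and cls.startswith("[^"):
                raise ValueError("negated shorthand inside a bracket expression")
            out.append((cls[1:-1] if in_class else cls) if cls else c + body[i + 1])
            i += 2                                    # other escapes (\x3a, \/) pass through
        else:
            in_class = (c == "[") if not in_class else (c != "]")
            out.append(c)
            i += 1
    return "".join(out)

def pcre_to_flex(pcre):
    """Return (flex_regex, warnings); raise ValueError when not expressible."""
    m = _PCRE.match(pcre)
    if not m:
        raise ValueError("malformed pcre option: %s" % pcre)
    body, flags = m.group(1).replace("(?:", "("), m.group(2)   # plain ( ) groups suffice
    for pat, what in _UNSUPPORTED:
        if pat.search(body):
            raise ValueError("%s not supported in flex-style regex: %s" % (what, pcre))
    body = _expand_shorthand(body)
    if "i" in flags:                                  # Zeek's (?i:...) case-insensitive group
        body = "^(?i:%s)" % body[1:] if body.startswith("^") else "(?i:%s)" % body
    return body, ["pcre modifier '%s' dropped (no payload-regex equivalent)" % f
                  for f in flags if f != "i"]

def convert_rule(rule, name):
    """Emit Zeek signature text plus a list of lossy-conversion warnings."""
    m = _HEADER.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule header")
    proto, dport, opts = m.group(2).lower(), m.group(7), m.group(8)
    lines, warnings, pieces, msg = [], [], [], name
    if proto in ("tcp", "udp", "icmp"):
        lines.append("ip-proto == %s" % proto)
    if dport.isdigit():
        lines.append("dst-port == %s" % dport)
    for key, val in [(k, v.strip('"') if v else None) for k, v in _OPT.findall(opts)]:
        if key == "msg":
            msg = val
        elif key == "content":
            pieces.append([content_to_regex(val), False])
        elif key == "nocase" and pieces:
            pieces[-1][1] = True                      # nocase modifies the preceding content
        elif key == "pcre":
            rx, warn = pcre_to_flex(val)
            pieces.append([rx, False])
            warnings += warn
        elif key == "flow":
            states = [_FLOW[s] for s in val.split(",") if s in _FLOW]
            if states:
                lines.append("tcp-state %s" % ",".join(states))
    # Simplification: pieces are chained in rule order with '.*' (Suricata allows any order
    # without distance/within); the leading '.*' is needed because Zeek anchors payload regexes.
    regex = ""
    for rx, nocase in pieces:
        rx = "(?i:%s)" % rx if nocase else rx
        regex += rx[1:] if rx.startswith("^") and not regex else ".*" + rx
    if regex:
        lines.append("payload /%s/" % regex)
    lines.append('event "%s"' % msg)
    return "signature %s {\n%s\n}" % (name, "\n".join("  " + l for l in lines)), warnings

# Constructed sample rule, not taken from any real ruleset
EXAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE HTTP probe"; '
                'flow:to_server,established; content:"GET "; nocase; content:"|0d 0a|"; '
                'pcre:"/User-Agent\\x3a\\s+evil\\d+/iU"; sid:1000001; rev:1;)')
```

Calling `convert_rule(EXAMPLE_RULE, "example_probe")` returns the signature text (one `payload` line carrying `.*(?i:GET\x20).*\x0d\x0a.*(?i:User-Agent\x3a[\x20\t\r\n\f\v]+evil[0-9]+)`) together with a warning that the `U` modifier was dropped. Two caveats for anyone extending this: chaining the content matches with `.*` imposes an order Suricata does not require unless `distance`/`within` are present, so rules with several unordered contents become stricter than the original; and every refused rule should be logged rather than skipped silently, otherwise the Zeek deployment ends up with a detection gap nobody knows about.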