Pulledpork makes incorrect modifications for ET rules to use them with Suricata IDS. An example with rule 2011410:
Original 2011410 rule:
alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; dns_query; content:".cz.cc"; isdataat:!1,relative; nocase;reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
Pulledpork's output:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3; metadata:created_at 2010_09_27,updated_at 2010_09_27;).
This behavior is identical when using the snort_version option and when not.
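A small Python check, added here as an example (it is not part of pulledpork or of this issue), that compares the two rules quoted above by sid and reports what the Snort-style rewrite loses: the app-layer protocol, the Suricata-only `dns_query` keyword, the rev and the destination. The two rules are copies of the ones in the issue; the protocol and keyword sets are a representative selection chosen for the example.

```python
import re

# Constructed sample input: copies of the two rules quoted in this issue (sid 2011410).
ORIGINAL = ('alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; '
            'dns_query; content:".cz.cc"; isdataat:!1,relative; nocase; reference:url,sign.kaffenews.com/?p=104; '
            'classtype:bad-unknown; sid:2011410; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)')
REWRITTEN = ('alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; '
             'content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; '
             'fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; '
             'sid:2011410; rev:3; metadata:created_at 2010_09_27,updated_at 2010_09_27;)')

# Suricata app-layer protocols and Suricata-only keywords that a Snort 2.x rewrite has to drop
# (representative set chosen for this example, not an exhaustive list).
APP_LAYER_PROTOS = {"dns", "http", "tls", "smtp", "ssh", "smb", "ftp", "dcerpc"}
SURICATA_KEYWORDS = {"dns_query", "tls_sni", "tls.sni", "http_host", "http_user_agent", "app-layer-protocol"}
HEADER_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# Split options on ';' only when an even number of quotes follows (i.e. outside content strings).
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(rule):
    """Parse a Snort/Suricata rule into header fields, sid/rev and the set of option keywords."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule: %s" % rule[:60])
    _action, proto, _src, _sport, _dirn, dst, dport, body = m.groups()
    opts, keywords = {}, set()
    for opt in OPT_SPLIT_RE.split(body):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            keywords.add(key.strip())
            opts.setdefault(key.strip(), val.strip())
    return {"proto": proto.lower(), "dst": dst, "dport": dport,
            "sid": int(opts["sid"]), "rev": int(opts["rev"]), "keywords": keywords}

def check_conversion(original, rewritten):
    """Compare an ET Suricata rule with its processed form; return findings (empty list = nothing lost)."""
    o, r = parse_rule(original), parse_rule(rewritten)
    findings = []
    if o["proto"] in APP_LAYER_PROTOS and r["proto"] not in APP_LAYER_PROTOS:
        findings.append("protocol downgraded from app-layer %s to %s" % (o["proto"], r["proto"]))
    lost = sorted((o["keywords"] & SURICATA_KEYWORDS) - r["keywords"])
    if lost:
        findings.append("Suricata keywords dropped: " + ", ".join(lost))
    if r["rev"] < o["rev"]:
        findings.append("rev went backwards: %d -> %d" % (o["rev"], r["rev"]))
    if (o["dst"], o["dport"]) != (r["dst"], r["dport"]):
        findings.append("destination changed: %s %s -> %s %s" % (o["dst"], o["dport"], r["dst"], r["dport"]))
    return findings
```

Running `check_conversion` over every sid present in both the downloaded ET suricata tarball and pulledpork's output file gives a quick list of rules whose Suricata-specific detection was silently replaced.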
This is more of an enhancement, but is also a bug. This is due to the use in Suricata of layer7 protocol-specific signatures. The script should not care, but detection for "suricata" would need to be added to keep the layer7 data only if it is Suricata.
Using pulledpork 0.7.3 under FreeBSD 11.1 amd64 and using a simple config:
rule_url=http://rules.emergingthreats.net/open/suricata|emerging.rules.tar.gz|open-nogpl
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/tmp/suricata.rules
sid_msg=/tmp/sid-msg.map
sid_msg_version=1
sid_changelog=/tmp/sid_changes.log
version=0.7.3