Hi James,
I hear you and understand the issue you are facing, but as I am listening I also hear "99 problems" 🙂 Why?
Because of the following facts:
- snort signatures are yara-like, allowing more complex constructs than we can do with our signatures - therefore, they are not easily translatable, or they easily lose their value when translated. For example, some signatures might be looking for specific bytes found at an unusually high offset; translating those to PAN rules cannot be automated, as you cannot specify an offset in bytes - you need to figure out where it is according to the protocol type. With PAN-OS, you can look for a pattern match in the DNS request header or DNS request body, but that cannot be specified as an offset from the start of the record.
- plenty of "other vendor" signatures cover things that are either not applicable to be covered by us (such as end-point issues) or might already be covered by us (we have plenty of AV and vulnerability signatures already)
- "tons" of other signatures will never scale well: PAN-OS can take only "so many" custom regex patterns. More patterns in rules = fewer rules available; and also simpler rules (less regex) = the lower the chance to cover all (sub)variants of the malware / vulnerability you are trying to cover
I could probably come up with a few more reasons why this will not end up well if automated, but let's discuss how you could still resolve your issue... I believe that, considering the aforementioned, the best approach would be for you to:
- sort all the signatures you have according to severity,
- weed out all signatures that aren't applicable/possible to be covered by firewalls (end-point issues such as Flash or PDF abuse, for example, or signatures irrelevant for your infrastructure - you probably don't need signatures to protect Hummingbird print services)
- when you end up with the list of what you really want covered, check the Threat Vault for the CVE number or similar items to see if we are already covering that issue
- review what is left and see how many can have signatures created in Palo Alto Networks firewalls (review documentation for threat signatures prior to starting to write them, so you know what you can do in the first place)
- go with manual creation of signatures, starting from the top with severity "critical" and going down "high" and less....
I would be surprised if you come up with more than a few dozen that need converting, after the "review" process suggested above.
Of course, all this is not really answering your initial question, but since the answer is negative, I am just suggesting how I would approach it knowing what I know already 🙂 Sorry if I did not help much. I know there were talks on creating some semi-official supported script for converting this, but I think any potential author of such a script faces the challenges I named above, and it would be very hard to create a script that would automatically check all the things I named above for "any" set of signatures. I know nothing has been published yet, and nobody has reported its existence to TAC 🙂
If you have a sub-set of signatures you could share, for example, or can find a set of online signatures that mimic the structure of the signatures you have, let us know what they look like - there still might be a wild chance someone could see a pattern that could be scripted.
Best regards
Luciano
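Added example (not part of Luciano's post, and not a Palo Alto Networks tool): a small Python script that does the mechanical part of the triage he describes. It parses Snort 2 rules, sorts them by severity (explicit priority: first, otherwise the classtype default), drops rules whose msg looks like an endpoint/file-format issue, pulls out CVE references for a manual Threat Vault lookup, and marks rules that rely on byte offsets or carry several patterns, since those are the ones the post says will need hand work or eat custom-signature capacity. The sample rules, the endpoint keyword list and the classtype subset are constructed for the demo; the script does not query Threat Vault and does not emit PAN-OS signatures.

```python
import re
from typing import Dict, List

# Subset of the default Snort classification.config (1 = most severe).
# Only the classtypes used by the sample rules are listed; an explicit
# "priority:" option in a rule overrides the classtype default.
CLASSTYPE_PRIORITY = {
    "attempted-admin": 1,
    "attempted-user": 1,
    "trojan-activity": 1,
    "web-application-attack": 1,
    "attempted-recon": 2,
    "misc-attack": 2,
    "misc-activity": 3,
}

# Assumed heuristic: msg keywords that usually mean a file-format/endpoint
# issue of the kind the post suggests weeding out rather than porting.
ENDPOINT_HINTS = ("FLASH", "SWF", "PDF", "ADOBE READER")

# Snort 2 rule layout: "<action> <header> ( <options> )"
RULE_RE = re.compile(r"^\s*(?:alert|drop|reject|log|pass)\s+[^(]*\((?P<body>.*)\)\s*$")
# Options are "name:value;" or a bare "name;"; values may be quoted strings.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Constructed sample rules for the demo; not taken from any real ruleset.
SAMPLE_RULES = r'''
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXPLOIT SMB transaction overflow attempt"; flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; reference:cve,2017-0144; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC beacon checkin"; flow:to_server,established; content:"POST"; content:"/gate.php"; pcre:"/^id=[0-9a-f]{32}/"; classtype:trojan-activity; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed SWF"; flow:to_client,established; content:"FWS"; reference:cve,2015-5119; classtype:attempted-user; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS unusual TXT query"; classtype:misc-activity; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force"; flow:to_server; classtype:attempted-recon; priority:1; sid:1000005; rev:3;)
'''


def parse_rule(line: str) -> Dict:
    """Extract sid, msg, severity, CVE refs and translation-difficulty hints from one rule."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    opts = [(k, (v or "").strip().strip('"')) for k, v in OPTION_RE.findall(m.group("body"))]

    def get(name: str):
        return next((v for k, v in opts if k == name), None)

    classtype = get("classtype") or "unknown"
    # explicit priority beats the classtype default; unknown classtypes sink to 4
    priority = int(get("priority") or CLASSTYPE_PRIORITY.get(classtype, 4))
    msg = get("msg") or ""
    cves = ["CVE-" + v.split(",", 1)[1].strip() for k, v in opts
            if k == "reference" and v.lower().startswith("cve,")]
    return {
        "sid": int(get("sid") or 0),
        "msg": msg,
        "priority": priority,
        "cves": cves,
        "endpoint": any(h in msg.upper() for h in ENDPOINT_HINTS),
        # every content:/pcre: is one more pattern the firewall signature must carry
        "patterns": sum(1 for k, _ in opts if k in ("content", "pcre")),
        # byte-offset modifiers have no direct PAN-OS equivalent; flag for manual mapping
        "uses_offset": any(k in ("offset", "depth", "distance", "within") for k, _ in opts),
    }


def triage(rules_text: str) -> List[Dict]:
    """Sort by severity and drop endpoint-style rules, as the post suggests."""
    lines = [l for l in rules_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    parsed = [parse_rule(l) for l in lines]
    kept = [r for r in parsed if not r["endpoint"]]
    return sorted(kept, key=lambda r: (r["priority"], r["sid"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_RULES):
        cve = " ".join(r["cves"]) or "no CVE"
        print(f'P{r["priority"]} sid:{r["sid"]} {cve:<14} {r["msg"]}')
        if r["uses_offset"]:
            print("    - byte offsets: map to a protocol field by hand")
        if r["patterns"] > 1:
            print(f'    - {r["patterns"]} patterns: more patterns means fewer rules fit')
```

Run it as is to see the constructed rules ranked; to use it on a real ruleset, read the file into triage() instead of SAMPLE_RULES and extend CLASSTYPE_PRIORITY from your own classification.config. The CVE column is what you would look up in Threat Vault; the offset and pattern-count flags are only hints for the manual review step, not a verdict on whether a PAN-OS signature is possible.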