Snort mailing list archives
Re: Error after using snort2lua to ET_Open ruleset for Snort2.9.0
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 6 Jun 2016 20:18:35 +0000
Can you send us some of the rules that won't convert/are giving you an error please?

Thanks.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: 高三山 [mailto:1294972664 () qq com]
Sent: Monday, June 06, 2016 6:48 AM
To: snort-sigs
Subject: [Snort-sigs] Error after using snort2lua to ET_Open ruleset for Snort2.9.0

Hi, all,

I want to use snort2lua, which is bundled with Snort3.0, to change the ET Open ruleset for Snort 2.9.0 to be used by Snort3. However, although this transformation is successful after filtering out unsupported options (e.g. distance, ftpbounce), Snort3 prompts ERRORS when loading the rules. These messages are shown below.

It's very odd, because although it prompts me that "fast_pattern_offset must be less than the actual pattern length which is 0", the corresponding rule doesn't use the "fast_pattern" keyword.

There is too little information about Snort3, and I cannot find a solution, although the sample.rules works successfully. Who can give me a hand? Thank you very much.

Error message:
--------------------------------------------------------------------------------------------------------------------------------
Loading /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules. rules:
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.r ules:651 invalid byte code at 24
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.r ules:651 fast_pattern_offset must be less than the actual pattern length which is 0.
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.r ules:651 can't finalize content
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:905 invalid byte code at 15
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:905 fast_pattern_offset must be less than the actual pattern length which is 0.
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:905 can't finalize content
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:927 invalid byte code at 8
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:927 fast_pattern_offset must be less than the actual pattern length which is 0.
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:927 can't finalize content
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:963 invalid byte code at 9
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:963 fast_pattern_offset must be less than the actual pattern length which is 0.
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:963 can't finalize content
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:997 invalid byte code at 9
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:997 fast_pattern_offset must be less than the actual pattern length which is 0.
ERROR: /home/sanshang/files/nids/experiment/ruleset/ET_open_snort_2.9.0/all_rules_for_snort3.self.rules.$ ules:997 can't finalize content
... ...
----------------------------------------------------------------------------------------------------------------------------------
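One way to collect the rules requested in the reply, as an added example that is not part of the original thread: it parses loader output in the `ERROR: <file>:<line> <message>` form quoted above and returns the rule found at each reported line. The sample rules, the sample log and the `/tmp/converted.rules` path are constructed placeholders, and the code assumes one rule per line in the converted file.

```python
import re

# Error format as quoted in the post: "ERROR: <rules file>:<line> <message>".
# The non-greedy path also tolerates the terminal-wrapped paths seen in the log.
ERROR_RE = re.compile(r"^ERROR:\s+(?P<path>.+?):(?P<line>\d+)\s+(?P<msg>.+)$")


def failing_lines(log_text):
    """Map rule-file line number -> loader messages, in first-seen order."""
    found = {}
    for raw in log_text.splitlines():
        m = ERROR_RE.match(raw.strip())
        if m:
            found.setdefault(int(m.group("line")), []).append(m.group("msg"))
    return found


def extract_rules(rules_text, log_text):
    """Return (line_no, rule_text, messages) for each rule the loader rejected."""
    lines = rules_text.splitlines()
    report = []
    for line_no, msgs in failing_lines(log_text).items():
        # Loader line numbers are 1-based; ignore numbers past the end of file.
        if 1 <= line_no <= len(lines):
            report.append((line_no, lines[line_no - 1].strip(), msgs))
    return report


# Constructed sample data (not from the thread, and not known to trigger the error).
SAMPLE_RULES = """\
# constructed comment line
alert tcp any any -> any 80 ( msg:"constructed rule A"; content:"abc"; sid:1000001; )
alert tcp any any -> any 80 ( msg:"constructed rule B"; content:"def"; sid:1000002; )
alert tcp any any -> any 80 ( msg:"constructed rule C"; content:"ghi"; sid:1000003; )
"""
SAMPLE_LOG = """\
Loading /tmp/converted.rules:
ERROR: /tmp/converted.rules:2 invalid byte code at 24
ERROR: /tmp/converted.rules:2 fast_pattern_offset must be less than the actual pattern length which is 0.
ERROR: /tmp/converted.rules:2 can't finalize content
ERROR: /tmp/converted.rules:4 invalid byte code at 9
ERROR: /tmp/converted.rules:4 can't finalize content
"""

if __name__ == "__main__":
    for line_no, rule, msgs in extract_rules(SAMPLE_RULES, SAMPLE_LOG):
        print(f"line {line_no}: {rule}")
        for msg in msgs:
            print(f"    {msg}")
```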
Current thread:
- Error after using snort2lua to ET_Open ruleset for Snort2.9.0 高三山 (Jun 06)
- Re: Error after using snort2lua to ET_Open ruleset for Snort2.9.0 Al Lewis (allewi) (Jun 06)