Snort mailing list archives

snort2lua errors


From: koppfabi <FabianMalte.Kopp () b-tu de>
Date: Sun, 29 Jan 2017 15:18:08 +0100

Hello,

I encountered an error while converting the snapshot rules to snort3 rules.

From deleted.rules:
--[[    FAILED RULES CONVERSIONS:
  These rules has invalid rule options


     Failed to convert rule: alert tcp $HOME_NET any -> $EXTERNAL_NET
         $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker comet systems runtime
         detection - update requests"; flow:to_server,established;
         content:"Host|3A| update.cc.cometsystems.com"; nocase; http_header;
         pcre:"/\x2F[^\s]*\.(dat|xml)\?[^\s]*v=[^\s]*t=[^\s]*c=/UiH";
         reference:url,www.spywareguide.com/product_show.php?id=428;
         reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065;
         classtype:misc-activity; sid:5831; rev:8;)
     ^^^^ unknown_option=Two sticky buffers set for this regular expression!
--]]

From ftp.rules:
--[[    FAILED RULES CONVERSIONS:
  These rules has invalid rule options


     Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 21
         (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established;
         content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:policy
         max-detect-ips drop, ruleset community, service ftp;
         reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081;
         classtype:misc-attack; sid:3441; rev:13;)
     ^^^^ unknown_option=ftpbounce
--]]

Also, while loading rules into snort via -R,
snort encountered some errors (http://pastebin.com/5XY7skrr).

All this was run with snort build 223.
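
An added example (not part of the original post and not snort2lua's own code): a small Python triage script that pulls the failed rules out of snort2lua's converted output and groups their sids by the reported reason. It assumes the comment-block layout shown in the two excerpts above, with one `^^^^` reason line per rule; the function names and the shortened sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two failure blocks from the post, rule bodies shortened.
SAMPLE = r'''--[[    FAILED RULES CONVERSIONS:
  These rules has invalid rule options
     Failed to convert rule: alert tcp $HOME_NET any -> $EXTERNAL_NET
         $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker comet systems runtime
         detection - update requests"; flow:to_server,established;
         pcre:"/\x2F[^\s]*\.(dat|xml)\?[^\s]*v=[^\s]*t=[^\s]*c=/UiH";
         classtype:misc-activity; sid:5831; rev:8;)
     ^^^^ unknown_option=Two sticky buffers set for this regular expression!
--]]
--[[    FAILED RULES CONVERSIONS:
  These rules has invalid rule options
     Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 21
         (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established;
         content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi";
         classtype:misc-attack; sid:3441; rev:13;)
     ^^^^ unknown_option=ftpbounce
--]]
'''

# A failure block is a Lua block comment; each entry ends with a "^^^^ kind=reason" line.
BLOCK = re.compile(r"--\[\[\s*FAILED RULES CONVERSIONS:(.*?)--\]\]", re.S)
ENTRY = re.compile(r"Failed to convert rule:(.*?)\n\s*\^{4}\s*(\w+)=([^\n]*)", re.S)

def failed_rules(text):
    """Return one dict per failed rule: sid, msg, failure kind and reason."""
    out = []
    for block in BLOCK.findall(text):
        for rule, kind, reason in ENTRY.findall(block):
            rule = " ".join(rule.split())  # undo the line wrapping of the rule text
            sid = re.search(r"\bsid:\s*(\d+)", rule)
            msg = re.search(r'msg:\s*"([^"]*)"', rule)
            out.append({"sid": int(sid.group(1)) if sid else None,
                        "msg": msg.group(1) if msg else None,
                        "kind": kind, "reason": reason.strip()})
    return out

def by_reason(text):
    """Group the sids of failed rules by the reason snort2lua reported."""
    groups = defaultdict(list)
    for r in failed_rules(text):
        groups[r["reason"]].append(r["sid"])
    return dict(groups)

if __name__ == "__main__":
    for reason, sids in by_reason(SAMPLE).items():
        print(f"{reason}: sids {sids}")
```

Grouping by reason separates rules that rely on an option the converter does not know (here `ftpbounce`) from rules whose options conflict (here the two sticky buffers on one pcre), which need different follow-up.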


