Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: Russ via Snort-users <snort-users () lists snort org>
Date: Wed, 28 Jun 2017 14:33:02 -0400
Thanks, we are aware of the issue. We need to resolve that format. We really should require quotes on the URL string but in the first case it should not have a space. The second one we can tolerate if essential. We will get that fixed before the beta. Sorry for the inconvenience.

Russ

On 6/28/17 2:19 PM, João Soares via Snort-users wrote:
Hi everyone,

I've been using Snort++ for quite a while now (over 1 year), and I just updated my build to the latest one - Version 3.0.0-a4 (Build 236) from 2.9.8-383. I also updated my rules to the latest Talos registered ruleset and emerging ruleset. As expected, I've been using the snort2lua script in order to convert the rules to the Snort++ format.

As soon as I finished both updates and started Snort++, I started getting errors on some rules:

    snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid argument reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
    snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid argument reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
    snort[195228]: Finished /etc/snort/etc/rules/snort.rules.lua.
    snort[195228]: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
    snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152 invalid argument reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html
    snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420 invalid argument reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc

This goes on for more than 40 rules across both rulesets. Analyzing the original files, both lua and the old format, I realize that these errors only occur when there are spaces in the reference:url argument. I might be wrong though.

For example, rule with SID 26577 (notice the space before "irefef-malware"):

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2;)

Or SID 2012938 from the emerging ruleset (notice the space after the comma):

    alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|"; within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)

Am I missing something here?

Best Regards,

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
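The thread boils down to one parsing rule: a reference:url value must contain no whitespace, and snort2lua passes the broken value through unchanged, so Snort++ rejects the rule at load time. The following is an added example, not code from this thread or from the Snort project: a small pre-conversion linter that scans a Snort 2 rules file, reports every reference:url value containing whitespace, and distinguishes the tolerable case (whitespace right after the comma, which can be stripped mechanically) from the real defect (whitespace inside the URL, which needs a human to decide what the URL was meant to be). The function names check_rules and fix_leading_spaces are my own; the sample input reuses the two rules quoted in the mail plus one constructed clean rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One reference:url option inside a rule body.  The value runs up to the next
# ';' because Snort rule options are ';'-terminated.
REF_URL = re.compile(r"reference\s*:\s*url\s*,(?P<url>[^;]*);")
# Whitespace between the comma and the URL (the "tolerable" case in the thread).
LEADING_WS = re.compile(r"(reference\s*:\s*url\s*,)\s+")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


@dataclass
class Finding:
    line_no: int
    sid: Optional[str]
    url: str
    problem: str  # "leading-space" (auto-fixable) or "embedded-space" (manual)


def check_rules(text: str) -> List[Finding]:
    """Return one Finding per reference:url value that contains whitespace."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        sid_match = SID.search(line)
        sid = sid_match.group(1) if sid_match else None
        for m in REF_URL.finditer(line):
            url = m.group("url")
            if any(ch.isspace() for ch in url.strip()):
                # Whitespace inside the URL itself: the rule is broken and
                # nobody but the rule author can say what it should have been.
                findings.append(Finding(line_no, sid, url, "embedded-space"))
            elif url != url.strip():
                # Only padding around the URL: safe to strip automatically.
                findings.append(Finding(line_no, sid, url, "leading-space"))
    return findings


def fix_leading_spaces(text: str) -> str:
    """Remove whitespace between 'reference:url,' and the URL; nothing else."""
    return LEADING_WS.sub(r"\1", text)


# Constructed sample input: the two rules quoted in the mail (SIDs 26577 and
# 2012938) plus one made-up clean rule with a placeholder URL.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|"; within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
# constructed clean rule, must not be reported
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example rule"; content:"GET "; reference:url,example.invalid/placeholder; sid:9000001; rev:1;)
"""


if __name__ == "__main__":
    for f in check_rules(SAMPLE_RULES):
        print(f"line {f.line_no} sid {f.sid}: {f.problem}: {f.url!r}")
    remaining = check_rules(fix_leading_spaces(SAMPLE_RULES))
    print(f"{len(remaining)} finding(s) still need manual review after auto-fix")
```

Run the linter over the Snort 2 rules file before handing it to snort2lua: apply fix_leading_spaces to the file, then treat every remaining embedded-space finding as a rule to correct or disable by SID rather than something to paper over, since the converter will otherwise carry the bad value into the Lua output and Snort++ will refuse the rule at start-up.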