Re: Error using latest ruleset with Snort++

[Russ via Snort-users <snort-users () lists snort org>]

Thanks, we are aware of the issue.  We need to resolve that format. We 
really should require quotes on the URL string but in the first case it 
should not have a space.  The second one we can tolerate if essential.  
We will get that fixed before the beta.  Sorry for the inconvenience.

Russ

On 6/28/17 2:19 PM, João Soares via Snort-users wrote:
> Hi everyone,
>
> I've been using Snort++ for quite a while now (over 1 year), and I just
> updated my build to the latest one - Version 3.0.0-a4 (Build 236) from
> 2.9.8-383
>
> I also updated my rules to the latest Talos registered ruleset and
> emerging ruleset. As expected, I've been using the snort2lua script in
> order to convert the rules to the Snort++ format.
>
> As soon as I finished both updates and started Snort++, I started
> getting errors on some rules:
>
> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid
> argument
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> = irefef-malware
> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid
> argument
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> = irefef-malware
> snort[195228]: Finished /etc/snort/etc/rules/snort.rules.lua.
> snort[195228]: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152
> invalid argument
> reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i =
> Viewer-Active-X-SEH-Overwrite.html
> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420
> invalid argument reference:url,support.clean-mx.de/clean-mx =
> viruses.php?domain=rr.nu&sort=first%20desc
>
> This goes on for more than 40 rules across both rulesets.
>
> Analyzing the original files, both lua and the old format, I realize
> that these errors only occur when there are spaces in the reference:url
> argument. I might be wrong though. For example, rule with SID 26577
> (notice the space before "irefef-malware"):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
> User-Agent known malicious user agent Opera 10";
> flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only;
> http_header; metadata:impact_flag red, policy balanced-ips drop, policy
> security-ips drop, ruleset community, service http;
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> irefef-malware;
> reference:url,dev.opera.com/articles/view/opera-ua-string-changes;
> classtype:trojan-activity; sid:26577; rev:2;)
>
> Or SID 2012938 from the emerging ruleset (notice the space after the comma):
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli
> Endpoint Buffer Overflow Attempt"; flow:established,to_server;
> content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|";
> within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/;
> classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at
> 2011_06_07, updated_at 2011_06_07;)
>
> Am I missing something here?
>
> Best Regards,
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!