[Snort-devel] Unknown rule keyword

Russ rucombs at cisco.com
Thu Jul 6 10:15:42 EDT 2017


That is a 2.X rule.  You need to convert the rules to 3.0 format using 
the snort2lua utility.  Please check the user manual for more information.

On 7/6/17 9:16 AM, Simon Dzn via Snort-devel wrote:
> Hey all,
>
> I am running Snort 3 (a4-236) on ARM (Raspberry Pi) and I have a big 
> problem loading rules. I am getting this error: unknown rule keyword: x.
> Some of the problematic keywords: distance, nocase, offset, fast_pattern.
> Example of a rule: alert udp any any -> any any (msg:"ET SHELLCODE 
> Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 
> 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; 
> reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; 
> sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 
> 2010_07_30;)
> Here the "distance" keyword is the problem.
> Any ideas?

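Added example (not part of the original message, and not snort2lua's own code): the syntax change behind the "unknown rule keyword" error, shown on the rule quoted above. In Snort 3 the content modifiers (distance, nocase, offset, fast_pattern, ...) are written inside the content option, comma-separated, instead of as standalone keywords. The function names are this example's own, and it covers only modifiers in bare or single-integer form; other forms are left untouched and snort2lua remains the tool for real conversions.

```python
import re

# Content modifiers named in the thread (plus depth/within), simple forms only.
MODIFIERS = {"nocase", "fast_pattern", "distance", "within", "offset", "depth"}
MODIFIER_RE = re.compile(r"^(\w+)(?::\s*(-?\d+))?$")

# The 2.x rule quoted in the message above.
RULE_2X = (
    'alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder '
    'Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; '
    'content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; '
    'reference:url,doc.emergingthreats.net/2009285; '
    'classtype:shellcode-detect; sid:2009285; rev:2; '
    'metadata:created_at 2010_07_30, updated_at 2010_07_30;)'
)


def split_options(body):
    """Split the option body on ';', ignoring ';' inside quotes or escaped."""
    opts, cur, quoted, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted and prev != "\\":
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    return [o for o in opts + [cur.strip()] if o]


def fold_modifiers(rule):
    """Attach standalone 2.x content modifiers to the preceding content option."""
    header, _, rest = rule.partition("(")
    body = rest.rpartition(")")[0]
    out = []
    for opt in split_options(body):
        m = MODIFIER_RE.match(opt)
        if m and m.group(1) in MODIFIERS and out and out[-1].startswith("content:"):
            name, arg = m.groups()
            out[-1] += f", {name} {arg}" if arg is not None else f", {name}"
        else:
            out.append(opt)  # not a simple content modifier: keep as written
    return f"{header}( {'; '.join(out)}; )"


if __name__ == "__main__":
    print(fold_modifiers(RULE_2X))
```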

