[Snort-users] snort2lua error

koppfabi FabianMalte.Kopp at ...17700...
Wed Dec 14 06:15:55 EST 2016


Hi


I encountered an error while converting the snapshot rules to snort3 rules.

snort2lua gave me this message for the protocol-scada.rules file:

--[[    FAILED RULES CONVERSIONS:
  These rules has invalid rule options


     Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 502
         (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt";
         flow:to_server,established; content:"|00 06|"; depth:2; offset:4;
         modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2;
         reference:cve,2013-2784; classtype:denial-of-service; sid:29965;
         rev:2;)
     ^^^^ unknown_option=depth
     ^^^^ unknown_option=offset
--]]

I guess depth and offset are unknown... is there a way to fix this?


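The script I used:
#!/bin/bash
# SNORT2LUA helper: convert every Snort 2 rules file in rules/ to Snort 3 syntax

echo "Snort2Lua rule converter"

mkdir -p new_rules

for file in rules/*.rules
do
     # skip the unexpanded pattern when rules/ holds no .rules files
     [ -e "$file" ] || continue
     # remove header (first 20 lines); -i edits the source file in place
     sed -i -e 1,20d "$file"
     # remove # and leading space (optional)
     sed -i 's/^#//;s/^[ \t]*//' "$file"
     name=${file##*/}
     NEWNAME=new_${name}
     echo "$name"
     # -c source -r dest
     snort2lua -c "$file" -r "new_rules/$NEWNAME"
done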

Best regards
Fabian
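
Added example, not part of the original post and not snort2lua's own code: a shell function that lists every rule reported under "FAILED RULES CONVERSIONS" with its sid and the reasons given, so the rules needing manual attention can be triaged per file. It assumes the failure block has the layout quoted in the post; list_failed_rules and write_sample are names made up for this example.

```shell
#!/bin/sh
# Added example: summarise the "FAILED RULES CONVERSIONS" comment block,
# one line per rule: <file> sid=<sid> <reason>[,<reason>...]
# Assumption: each failure starts with "Failed to convert rule:" and is
# followed by "^^^^ <reason>" lines, as in the output quoted in the post.
list_failed_rules() {
    awk '
    function flush(   sid) {
        if (!in_rule) return
        sid = "unknown"
        if (match(rule, /sid:[ ]*[0-9]+/)) {
            sid = substr(rule, RSTART, RLENGTH)
            sub(/^sid:[ ]*/, "", sid)
        }
        printf "%s sid=%s %s\n", src, sid, (why == "" ? "-" : why)
        in_rule = 0; rule = ""; why = ""
    }
    FNR == 1 { flush() }                       # new input file
    index($0, "Failed to convert rule:") {     # start of a failed rule
        flush(); in_rule = 1; src = FILENAME; rule = $0; next
    }
    index($0, "--]]") == 1 { flush(); next }   # end of the Lua comment block
    in_rule && index($0, "^^^^") {             # reason line for current rule
        r = substr($0, index($0, "^^^^") + 4)
        gsub(/^[ \t]+|[ \t]+$/, "", r)
        why = (why == "" ? r : why "," r)
        next
    }
    in_rule { rule = rule " " $0 }             # wrapped rule text (holds sid)
    END { flush() }
    ' "$@"
}

# Sample input built from the failure block quoted in the post (rule shortened).
write_sample() {
    cat > "$1" <<'EOF'
--[[    FAILED RULES CONVERSIONS:
     Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 502
         (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt";
         modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2;
         sid:29965; rev:2;)
     ^^^^ unknown_option=depth
     ^^^^ unknown_option=offset
--]]
EOF
}

if [ "$#" -gt 0 ]; then list_failed_rules "$@"; fi
```

Run it with the files that contain the failure block as arguments; a file with no failed conversions produces no output.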




