[Snort-users] snort2lua error

Russ rucombs at ...589...
Wed Dec 14 08:40:04 EST 2016


Hi Fabian,

snort2lua is tripping over modbus_data.  We will get a fix out ASAP.  In 
the meantime, if you change the offset and depth for those contents to 
be comma separated instead of semicolon separated it will work:

alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri 
PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; 
content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; 
content:"|00 00|", depth:2, offset:2; reference:cve,2013-2784; 
classtype:denial-of-service; sid:29965; rev:2;)

Thanks for reporting the issue.
Russ

On 12/14/16 6:15 AM, koppfabi wrote:
> Hi
>
>
> I encountered an error while converting the snapshot rules to snort3 rules.
>
> snort2lua gave me this message for the protocoll-scada.rules file:
>
> --[[    FAILED RULES CONVERSIONS:
>    These rules has invalid rule options
>
>
>       Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 502
>           (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt";
>           flow:to_server,established; content:"|00 06|"; depth:2; offset:4;
>           modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2;
>           reference:cve,2013-2784; classtype:denial-of-service; sid:29965;
>           rev:2;)
>       ^^^^ unknown_option=depth
>       ^^^^ unknown_option=offset
> --]]
>
> I guess depth and offset are unknown... is there a way to fix this?
>
>
> the script I used:
> #!/bin/bash
> # SNORT2LUA helper
>
> echo "Snort2Lua rule converter"
>
> mkdir -p new_rules
>
> for file in rules/*.rules
> do
>       # remove header (first 20 lines); note this edits the file in place
>       sed -i -e 1,20d "$file"
>       # remove # and leading space (optional)
>       sed -i 's/^#//;s/^[ \t]*//' "$file"
>       name=${file##*/}
>       base=${name%.rules}
>       NEWNAME=new_${name}
>       echo "$name"
>       # -c source -r dest
>       snort2lua -c "$file" -r "new_rules/$NEWNAME"
> done
>
> Kind regards
> Fabian
>
>
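The workaround described in the reply can be applied mechanically to a rules file before it is passed to snort2lua. The following is an added example, not part of the original thread and not Snort project code; the function names and regular expressions are assumptions, and it handles only the depth and offset modifiers of contents that follow modbus_data.

```python
import re

# content:"..." followed by Snort 2 style "; depth:N" / "; offset:N" modifiers.
# Only depth and offset are handled, as in the workaround from the thread.
CONTENT_WITH_MODS = re.compile(
    r'(content:\s*!?"(?:[^"\\]|\\.)*")'
    r'((?:\s*;\s*(?:depth|offset)\s*:\s*\d+)+)\s*;'
)
MODIFIER = re.compile(r'(depth|offset)\s*:\s*(\d+)')


def _join_modifiers(match):
    """Turn '; depth:2; offset:2;' into ', depth:2, offset:2;'."""
    mods = MODIFIER.findall(match.group(2))
    return match.group(1) + "".join(f", {k}:{v}" for k, v in mods) + ";"


def apply_modbus_workaround(rule):
    """Rewrite only the contents that come after modbus_data."""
    head, sep, tail = rule.partition("modbus_data;")
    if not sep:
        return rule  # no modbus_data: leave the rule untouched
    return head + sep + CONTENT_WITH_MODS.sub(_join_modifiers, tail)


def rewrite_rules(lines):
    """Return (rewritten_lines, sids_changed) for an iterable of rule lines."""
    out, changed = [], []
    for line in lines:
        new = apply_modbus_workaround(line)
        if new != line:
            sid = re.search(r'\bsid:\s*(\d+)', line)
            changed.append(sid.group(1) if sid else "?")
        out.append(new)
    return out, changed


# Rule from the thread, joined onto one line (mail wrapping removed).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 502 '
    '(msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; '
    'flow:to_server,established; content:"|00 06|"; depth:2; offset:4; '
    'modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; '
    'reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:2;)'
)

if __name__ == "__main__":
    rules, sids = rewrite_rules([SAMPLE_RULE])
    print("rewritten sids:", sids)
    print(rules[0])
```

The list of changed sids gives a record of which rules were altered, so they can be restored to the original form once a fixed snort2lua is available.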




