[Snort-users] snort2lua errors

koppfabi FabianMalte.Kopp at ...17700...
Sun Jan 29 09:18:08 EST 2017


Hello,

I encountered an error while converting the snapshot rules to snort3 rules.

From deleted.rules:
--[[    FAILED RULES CONVERSIONS:
  These rules has invalid rule options


     Failed to convert rule: alert tcp $HOME_NET any -> $EXTERNAL_NET
         $HTTP_PORTS (msg:"DELETED SPYWARE-PUT Hijacker comet systems runtime
         detection - update requests"; flow:to_server,established;
         content:"Host|3A| update.cc.cometsystems.com"; nocase; http_header;
         pcre:"/\x2F[^\s]*\.(dat|xml)\?[^\s]*v=[^\s]*t=[^\s]*c=/UiH";
         reference:url,www.spywareguide.com/product_show.php?id=428;
         reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088065;
         classtype:misc-activity; sid:5831; rev:8;)
     ^^^^ unknown_option=Two sticky buffers set for this regular expression!
--]]

From ftp.rules:
--[[    FAILED RULES CONVERSIONS:
  These rules has invalid rule options


     Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 21
         (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established;
         content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:policy
         max-detect-ips drop, ruleset community, service ftp;
         reference:bugtraq,126; reference:cve,1999-0017;
         reference:nessus,10081;
         classtype:misc-attack; sid:3441; rev:13;)
     ^^^^ unknown_option=ftpbounce
--]]

Also, while loading rules into Snort via -R,
Snort encountered some errors (http://pastebin.com/5XY7skrr).

All this was run with Snort build 223.
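
A pre-conversion check for the two failure classes in the output above, as an added example that is not part of the original post or of snort2lua: it flags pcre options that carry more than one HTTP buffer modifier and options listed as unsupported. It assumes, from the error text alone, that snort2lua rejects a pcre selecting more than one such buffer; `preflight`, `option_names` and the constant names are hypothetical.

```python
import re

HTTP_PCRE_FLAGS = set("UIPHDMCKSY")  # Snort 2 pcre modifiers that select an HTTP buffer
UNSUPPORTED_OPTIONS = {"ftpbounce"}  # seen as unknown_option above; extend from your runs
PCRE_OPT = re.compile(r'\bpcre:\s*!?"((?:[^"\\]|\\.)*)"')  # quoted pcre argument
SID_OPT = re.compile(r'\bsid:\s*(\d+)')

def option_names(rule):
    """Option keywords of a one-line rule; ';' inside quotes does not split."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    names, current, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            names.append("".join(current).split(":", 1)[0].strip())
            current = []
            continue
        current.append(ch)
    return [n for n in names if n]

def preflight(rule):
    """Return (sid, reasons); assumes pcre uses the /regex/flags form."""
    reasons = []
    for m in PCRE_OPT.finditer(rule):
        flags = sorted(set(m.group(1).rpartition("/")[2]) & HTTP_PCRE_FLAGS)
        if len(flags) > 1:
            reasons.append("pcre selects several HTTP buffers: " + "".join(flags))
    reasons += ["option not converted: " + n
                for n in option_names(rule) if n in UNSUPPORTED_OPTIONS]
    sid = SID_OPT.search(rule)
    return (int(sid.group(1)) if sid else None, reasons)

# Sample input: the two rules quoted above, abridged and joined onto one line each.
RULE_5831 = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED SPYWARE-PUT '
    r'Hijacker comet systems runtime detection - update requests"; content:"Host|3A| '
    r'update.cc.cometsystems.com"; nocase; http_header; '
    r'pcre:"/\x2F[^\s]*\.(dat|xml)\?[^\s]*v=[^\s]*t=[^\s]*c=/UiH"; sid:5831; rev:8;)')
RULE_3441 = (
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT bounce attempt"; '
    r'content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; sid:3441; rev:13;)')

if __name__ == "__main__":
    print(preflight(RULE_5831), preflight(RULE_3441))
```

The modifier letters are case-sensitive, so the lowercase `s`, `m` and `i` in `/^PORT/smi` are ordinary regex flags and are not counted.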





