[Snort-users] Error using latest ruleset with Snort++

Jim Campbell jim at w4bqp.net
Thu Jul 13 23:48:08 EDT 2017


Russ,

Better, but still a few errors using the latest Talos rule file.

"Loading rules:
"Loading /opt/snort/etc/snort/snort3.rules:
"ERROR: /opt/snort/etc/snort/snort3.rules:3716 !any is not allowed: ![$SMTP_SERVERS,$DNS_SERVERS].
"ERROR: /opt/snort/etc/snort/snort3.rules:5655 !any is not allowed: !$SMTP_SERVERS.
"ERROR: /opt/snort/etc/snort/snort3.rules:5655 !any is not allowed: !$HOME_NET.
"ERROR: /opt/snort/etc/snort/snort3.rules:5666 !any is not allowed: !$HOME_NET.
"ERROR: /opt/snort/etc/snort/snort3.rules:34701 unknown rule keyword: sd_pattern.
"ERROR: /opt/snort/etc/snort/snort3.rules:34702 unknown rule keyword: sd_pattern.
"ERROR: /opt/snort/etc/snort/snort3.rules:34703 unknown rule keyword: sd_pattern.
"ERROR: /opt/snort/etc/snort/snort3.rules:34704 unknown rule keyword: sd_pattern.
"Finished /opt/snort/etc/snort/snort3.rules.
"Finished rules.

The snort.lua config file is unchanged from what was delivered.

On a whim I changed HOME_NET from 'any' to '192.168.0.0/24' and got the 
following errors:

"Loading rules:
"Loading /opt/snort/etc/snort/snort3.rules:
"ERROR: /opt/snort/etc/snort/snort3.rules:34701 unknown rule keyword: sd_pattern.
"ERROR: /opt/snort/etc/snort/snort3.rules:34702 unknown rule keyword: sd_pattern.
"ERROR: /opt/snort/etc/snort/snort3.rules:34703 unknown rule keyword: sd_pattern.
"ERROR: /opt/snort/etc/snort/snort3.rules:34704 unknown rule keyword: sd_pattern.
"Finished /opt/snort/etc/snort/snort3.rules.
"Finished rules.

Jim


On 7/13/2017 9:40 PM, Russ wrote:
> I pushed an update to github this week that should fix that.  Those 
> references are broken and the space makes it look like "reference:name 
> value".  Snort++ was updated to be more tolerant in these cases.  If 
> you grab the latest you should be good to go.
>
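
A pre-load check for the two error classes in the output above, added here as an example and not part of the original post or of the Snort project: it flags negated address fields that expand to `any` and rule options the loader reported as unknown. The variable table (server variables inheriting from `HOME_NET`), the treatment of a list as `any` when one member is, and the sample rules are constructed assumptions.

```python
import re

# Assumed variable table: server variables inherit from HOME_NET. Names come
# from the errors above; the values and the inheritance are assumptions.
VARS_ANY = {"HOME_NET": "any", "SMTP_SERVERS": "$HOME_NET", "DNS_SERVERS": "$HOME_NET"}
VARS_NET = dict(VARS_ANY, HOME_NET="192.168.0.0/24")

# Constructed rules for illustration; not taken from the Talos ruleset.
SAMPLE_RULES = """\
alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> any 25 ( msg:"constructed 1"; sid:1000001; )
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"constructed 2"; sid:1000002; )
alert tcp any any -> any any ( msg:"constructed 3"; sd_pattern:2,us_social; sid:1000003; )
alert tcp $HOME_NET any -> any 80 ( msg:"constructed 4"; sid:1000004; )
"""

def resolves_to_any(token, variables, seen=()):
    """True if an address token (literal, $VAR or flat [list]) expands to 'any'."""
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):
        # Assumption: a list counts as 'any' if one of its members does.
        return any(resolves_to_any(t, variables, seen) for t in token[1:-1].split(","))
    if token.startswith("$"):
        name = token[1:]
        if name in seen or name not in variables:  # cycle or undefined: not flagged
            return False
        return resolves_to_any(variables[name], variables, seen + (name,))
    return token == "any"

def check_rules(text, variables, unknown_keywords=("sd_pattern",)):
    """Return (line_no, problem, detail) tuples for the text of a rules file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header, _, options = line.partition("(")
        fields = header.split()  # action proto src_ip src_port dir dst_ip dst_port
        for idx in (2, 5):       # source and destination address fields
            if len(fields) > idx and fields[idx].startswith("!"):
                if resolves_to_any(fields[idx][1:], variables):
                    findings.append((no, "negated any", fields[idx]))
        # Option keywords are the names that open each ';'-separated option.
        for kw in re.findall(r"(?:^|;)\s*([a-z_]+)\s*[:;]", options):
            if kw in unknown_keywords:
                findings.append((no, "unknown keyword", kw))
    return findings

if __name__ == "__main__":
    for finding in check_rules(SAMPLE_RULES, VARS_ANY):
        print(finding)
```
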



