[Snort-users] Error using latest ruleset with Snort++

João Soares joaosoares11 at hotmail.com
Wed Jun 28 14:19:22 EDT 2017


Hi everyone,

I've been using Snort++ for quite a while now (over a year), and I just
updated my build to the latest one, Version 3.0.0-a4 (Build 236), from
2.9.8-383.

I also updated my rules to the latest Talos registered ruleset and the
Emerging Threats ruleset. As expected, I've been using the snort2lua script
in order to convert the rules to the Snort++ format.

As soon as I finished both updates and started Snort++, I started
getting errors on some rules:

snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid argument reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid argument reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
snort[195228]: Finished /etc/snort/etc/rules/snort.rules.lua.
snort[195228]: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152 invalid argument reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html
snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420 invalid argument reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc

This goes on for more than 40 rules across both rulesets.

Analyzing the original files, both the lua and the old format, I realized
that these errors only occur when there are spaces in the reference:url
argument. I might be wrong though. For example, the rule with SID 26577
(notice the space before "irefef-malware"):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user agent Opera 10";
flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
irefef-malware;
reference:url,dev.opera.com/articles/view/opera-ua-string-changes;
classtype:trojan-activity; sid:26577; rev:2;)

Or SID 2012938 from the Emerging Threats ruleset (notice the space after the comma):

alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli
Endpoint Buffer Overflow Attempt"; flow:established,to_server;
content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|";
within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/;
classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at
2011_06_07, updated_at 2011_06_07;)

Am I missing something here?

Best Regards,
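The whitespace the post points at can be caught before Snort ever loads the rules. The script below is an added example written for this page; it is not code from the post, from Snort or from snort2lua. It assumes, as the post does, that a reference value containing whitespace is what the loader rejects. The sample input is constructed: the two rules quoted above, unwrapped onto one line each, plus a made-up clean rule (SID 1000001 is not a real SID), and the file name lint_refs.py in the usage comment is hypothetical. It splits each rule's options on semicolons that sit outside double quotes (so a ";" inside msg does not break parsing), reports every reference option that contains whitespace, and rewrites the harmless "reference:url, host" form to "reference:url,host" while leaving whitespace inside the identifier itself for a human to resolve, since only a person can tell a wrapped URL from a genuinely broken one.

```python
"""Preflight linter for Snort rule files: report every reference option whose
value contains whitespace, and strip the whitespace around the scheme and the
comma (the 'reference:url, host' form) so the rule does not trip the loader.
Added example, not code from the post, from Snort or from snort2lua."""
import re
import sys

# Constructed sample input: the two rules quoted in the post, unwrapped onto a
# single line each, plus a made-up clean rule (sid 1000001 is not a real SID).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|"; within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
alert tcp any any -> any any (msg:"clean rule; a semicolon inside msg"; reference:cve,2011-1220; sid:1000001; rev:1;)
'''

# reference:<scheme>,<id>; with optional whitespace around scheme and comma.
# [^;"] keeps the match inside one option and out of quoted strings.
_REF_OPT = re.compile(r'reference:\s*([^,;"]+?)\s*,\s*([^;"]*?)\s*;')


def split_options(body):
    """Split a rule option body on ';' characters outside double quotes.
    Returns (key, value) pairs; value is None for bare flags like http_header."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\' and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur))
    pairs = []
    for opt in opts:
        opt = opt.strip()
        if not opt:
            continue
        key, sep, val = opt.partition(':')
        pairs.append((key.strip(), val if sep else None))
    return pairs


def rule_options(rule):
    """Option pairs of one rule line (the text between the outer parentheses)."""
    start, end = rule.find('('), rule.rfind(')')
    if start < 0 or end < start:
        return []
    return split_options(rule[start + 1:end])


def find_bad_references(text):
    """One finding per reference option containing any whitespace."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        opts = rule_options(line)
        sid = next((v.strip() for k, v in opts if k == 'sid' and v), '?')
        for key, val in opts:
            if key != 'reference' or val is None or not re.search(r'\s', val):
                continue
            scheme, _, ident = val.partition(',')
            if re.search(r'\s', ident.strip()):
                reason = 'whitespace inside the identifier'
            else:
                reason = 'whitespace around the scheme or comma'
            findings.append({'line': lineno, 'sid': sid,
                             'scheme': scheme.strip(), 'value': val,
                             'reason': reason})
    return findings


def normalize_references(text):
    """Rewrite 'reference: url , host ;' as 'reference:url,host;'. Whitespace
    inside the identifier is left alone: only a human can tell a wrapped URL
    from a genuinely broken one."""
    return _REF_OPT.sub(lambda m: 'reference:%s,%s;'
                        % (m.group(1).strip(), m.group(2).strip()), text)


def report(text):
    """Human-readable lines, one per finding."""
    return ['line %d sid %s: reference:%s (%s)'
            % (f['line'], f['sid'], f['value'], f['reason'])
            for f in find_bad_references(text)]


if __name__ == '__main__':
    # Usage: lint_refs.py [rules_file [normalized_output_file]]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for entry in report(src):
        print(entry)
    if len(sys.argv) > 2:
        with open(sys.argv[2], 'w') as out:
            out.write(normalize_references(src))
```

Run it with no arguments to lint the embedded sample, or with a rules file (and optionally an output path) to lint and normalize a real ruleset before handing it to snort2lua. On the sample it reports both quoted rules; after normalization only SID 26577 remains, because the space inside its URL is exactly the kind of thing the script deliberately leaves for a person to decide.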


