[Snort-users] Error using latest ruleset with Snort++

Russ rucombs at cisco.com
Wed Jun 28 14:33:02 EDT 2017


Thanks, we are aware of the issue.  We need to resolve that format. We 
really should require quotes on the URL string but in the first case it 
should not have a space.  The second one we can tolerate if essential.  
We will get that fixed before the beta.  Sorry for the inconvenience.

Russ

On 6/28/17 2:19 PM, João Soares via Snort-users wrote:
> Hi everyone,
>
> I've been using Snort++ for quite a while now (over 1 year), and I just
> updated my build to the latest one - Version 3.0.0-a4 (Build 236) from
> 2.9.8-383
>
> I also updated my rules to the latest Talos registered ruleset and
> emerging ruleset. As expected, I've been using the snort2lua script in
> order to convert the rules to the Snort++ format.
>
> As soon as I finished both updates and started Snort++, I started
> getting errors on some rules:
>
> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid
> argument
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> = irefef-malware
> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid
> argument
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> = irefef-malware
> snort[195228]: Finished /etc/snort/etc/rules/snort.rules.lua.
> snort[195228]: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152
> invalid argument
> reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i =
> Viewer-Active-X-SEH-Overwrite.html
> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420
> invalid argument reference:url,support.clean-mx.de/clean-mx =
> viruses.php?domain=rr.nu&sort=first%20desc
>
> This goes on for more than 40 rules across both rulesets.
>
> Analyzing the original files, both lua and the old format, I realize
> that these errors only occur when there are spaces in the reference:url
> argument. I might be wrong though. For example, rule with SID 26577
> (notice the space before "irefef-malware"):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
> User-Agent known malicious user agent Opera 10";
> flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only;
> http_header; metadata:impact_flag red, policy balanced-ips drop, policy
> security-ips drop, ruleset community, service http;
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> irefef-malware;
> reference:url,dev.opera.com/articles/view/opera-ua-string-changes;
> classtype:trojan-activity; sid:26577; rev:2;)
>
> Or SID 2012938 from the emerging ruleset (notice the space after the comma):
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli
> Endpoint Buffer Overflow Attempt"; flow:established,to_server;
> content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|";
> within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/;
> classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at
> 2011_06_07, updated_at 2011_06_07;)
>
> Am I missing something here?
>
> Best Regards,
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list