[Snort-users] Error using latest ruleset with Snort++
joaosoares11 at hotmail.com
Wed Jun 28 19:13:20 EDT 2017
Thank you! I'll be waiting for the fix :) Until then, I removed the
spaces from all reference:url arguments.
Just a heads up: there's another case in which something similar happens:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Possible Vundo EXE Download Attempt"; flow:established,to_server;
content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid=";
http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174;
classtype:trojan-activity; sid:2009174; rev:4; metadata:created_at
2010_07_30, updated_at 2010_07_30;)
urilen: > 80; will be converted to bufferlen:> 80; by rules2lua, which
will issue an error due to that space after the >.
On 06/28/2017 07:33 PM, Russ wrote:
> Thanks, we are aware of the issue. We need to resolve that format. We
> really should require quotes on the URL string but in the first case it
> should not have a space. The second one we can tolerate if essential.
> We will get that fixed before the beta. Sorry for the inconvenience.
> On 6/28/17 2:19 PM, João Soares via Snort-users wrote:
>> Hi everyone,
>> I've been using Snort++ for quite a while now (over 1 year), and I just
>> updated my build to the latest one - Version 3.0.0-a4 (Build 236) from
>> I also updated my rules to the latest Talos registered ruleset and
>> emerging ruleset. As expected, I've been using the snort2lua script in
>> order to convert the rules to the Snort++ format.
>> As soon as I finished both updates and started Snort++, I started
>> getting errors on some rules:
>> snort: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid
>> = irefef-malware
>> snort: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid
>> = irefef-malware
>> snort: Finished /etc/snort/etc/rules/snort.rules.lua.
>> snort: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
>> snort: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152
>> invalid argument
>> reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i =
>> snort: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420
>> invalid argument reference:url,support.clean-mx.de/clean-mx =
>> This goes on for more than 40 rules across both rulesets.
>> Analyzing the original files, both lua and the old format, I realize
>> that these errors only occur when there are spaces in the reference:url
>> argument. I might be wrong though. For example, rule with SID 26577
>> (notice the space before "irefef-malware"):
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
>> User-Agent known malicious user agent Opera 10";
>> flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only;
>> http_header; metadata:impact_flag red, policy balanced-ips drop, policy
>> security-ips drop, ruleset community, service http;
>> classtype:trojan-activity; sid:26577; rev:2;)
>> Or SID 2012938 from the emerging ruleset (notice the space after the
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli
>> Endpoint Buffer Overflow Attempt"; flow:established,to_server;
>> content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|";
>> within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/;
>> classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at
>> 2011_06_07, updated_at 2011_06_07;)
>> Am I missing something here?
>> Best Regards,
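As an added example (not from this thread or from the Snort project), a small Python pre-check that flags and normalises the two whitespace cases reported above, a space after "reference:url," and spaces inside the urilen argument, so a ruleset can be cleaned before it is fed to snort2lua. The sample rules, the placeholder host, and the assumption that both keywords must be whitespace-free are constructed for this example.

```python
import re

# Constructed sample rules modelled on those quoted in the thread (the ZDI host is a placeholder).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS example"; content:"POST "; '
    'depth:5; reference:url, example.invalid/ZDI-11-169/; sid:2012938; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN example"; '
    'content:"GET \\;"; http_uri; urilen: > 80; sid:2009174; rev:4;)',
]
# Assumption generalised from the thread's two cases: these arguments must be whitespace-free.
NO_SPACE_KEYWORDS = ('reference', 'urilen')
# One rule option: plain characters, backslash escapes, or a whole quoted string,
# so a ';' inside msg/content quotes (or escaped as '\;') does not split the option.
OPTION_RE = re.compile(r'(?:[^";\\]|\\.|"(?:[^"\\]|\\.)*")+')


def split_options(body):
    """Split the text between the rule's parentheses into its options."""
    return [o.strip() for o in OPTION_RE.findall(body) if o.strip()]


def lint_rule(rule):
    """Return (sid, findings, fixed_rule); findings is empty when the rule is clean."""
    m = re.fullmatch(r'(.*?)\((.*)\)\s*', rule, re.S)
    if m is None:
        raise ValueError('not a Snort rule: ' + rule)
    header, body = m.groups()
    sid, findings, fixed = None, [], []
    for opt in split_options(body):
        key, _, arg = opt.partition(':')
        key = key.strip()
        if key == 'sid':
            sid = arg.strip()
        if key in NO_SPACE_KEYWORDS and re.search(r'\s', arg):
            findings.append(f'whitespace in {key} argument: {opt}')
            opt = key + ':' + re.sub(r'\s+', '', arg)   # 'urilen: > 80' -> 'urilen:>80'
        fixed.append(opt + ';')
    return sid, findings, header + '(' + ' '.join(fixed) + ')'


def lint_rules(rules):
    """Map sid -> findings for every rule that would trip the converter."""
    return {sid: f for sid, f, _ in map(lint_rule, rules) if f}

if __name__ == '__main__':
    for sid, findings, fixed in map(lint_rule, SAMPLE_RULES):
        for finding in findings:
            print(f'sid {sid}: {finding}')
        print(f'  fixed: {fixed}')
```

Run it over a rules file (one rule per line) and review the findings before converting; content and msg arguments are deliberately left untouched, since whitespace there is part of the match.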