[Snort-users] Error using latest ruleset with Snort++

João Soares joaosoares11 at hotmail.com
Wed Jun 28 19:13:20 EDT 2017


Thank you! I'll be waiting for the fix :) Until then, I removed the
spaces from all reference:url arguments.

Just a heads up: There's another case in which something similar happens:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Possible Vundo EXE Download Attempt"; flow:established,to_server;
content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid=";
http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174;
classtype:trojan-activity; sid:2009174; rev:4; metadata:created_at
2010_07_30, updated_at 2010_07_30;)

urilen: > 80; will be converted to bufferlen:> 80; by rules2lua which
will issue an error due to that space after the >

Best regards,

João Soares
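A small checker for the two whitespace problems described above (spaces inside a reference:url value, including after the comma, and a space after the urilen operator), added here as an example and not part of the thread or of Snort's own snort2lua. The sample rules are constructed, and the fix it applies mirrors the workaround mentioned above of simply dropping the spaces:

```python
import re

# Constructed sample rules (not from the thread) that reproduce the two
# whitespace problems it reports: spaces inside a reference:url value
# (including after the comma) and a space after the urilen operator.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE A"; '
    'reference:url,example.test/path-a b; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"EXAMPLE B"; '
    'reference:url, example.test/advisory; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE C"; '
    'urilen: > 80; sid:1000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE D"; '
    'reference:url,example.test/ok; urilen:10<>20; sid:1000004; rev:1;)',
]

# An option value runs up to the next ';'. These regexes assume the msg text
# never contains "reference:url," or "urilen:"; otherwise a real tokenizer is needed.
REF_URL = re.compile(r'reference:url,([^;]*);')
URILEN = re.compile(r'urilen:([^;]*);')
SID = re.compile(r'\bsid:(\d+);')

def find_issues(rule):
    """Return (sid, option, value) triples for whitespace the converted Lua rule is rejected for."""
    m = SID.search(rule)
    sid = m.group(1) if m else '?'
    issues = []
    for pat, name in ((REF_URL, 'reference:url'), (URILEN, 'urilen')):
        for hit in pat.finditer(rule):
            if re.search(r'\s', hit.group(1)):
                issues.append((sid, name, hit.group(1)))
    return issues

def normalize_rule(rule):
    """Apply the thread's workaround: drop whitespace inside the reference:url value and the urilen argument."""
    rule = REF_URL.sub(lambda m: 'reference:url,' + re.sub(r'\s+', '', m.group(1)) + ';', rule)
    rule = URILEN.sub(lambda m: 'urilen:' + re.sub(r'\s+', '', m.group(1)) + ';', rule)
    return rule

def check_ruleset(rules):
    """Return (issues, normalized_rules) for a list of rule strings."""
    issues = [i for r in rules for i in find_issues(r)]
    return issues, [normalize_rule(r) for r in rules]

if __name__ == '__main__':
    found, fixed = check_ruleset(SAMPLE_RULES)
    for sid, opt, val in found:
        print('sid %s: whitespace in %s value %r' % (sid, opt, val))
    print('\n'.join(fixed))
```

Run it over a rules file before converting with snort2lua to list the SIDs that will fail to load, or write the normalized rules back out if the dropped-space form is acceptable for your references.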

On 06/28/2017 07:33 PM, Russ wrote:
> Thanks, we are aware of the issue. We need to resolve that format. We
> really should require quotes on the URL string but in the first case it
> should not have a space. The second one we can tolerate if essential.
> We will get that fixed before the beta. Sorry for the inconvenience.
> 
> Russ
> 
> On 6/28/17 2:19 PM, João Soares via Snort-users wrote:
>> Hi everyone,
>>
>> I've been using Snort++ for quite a while now (over 1 year), and I just
>> updated my build to the latest one - Version 3.0.0-a4 (Build 236) from
>> 2.9.8-383
>>
>> I also updated my rules to the latest Talos registered ruleset and
>> emerging ruleset. As expected, I've been using the snort2lua script in
>> order to convert the rules to the Snort++ format.
>>
>> As soon as I finished both updates and started Snort++, I started
>> getting errors on some rules:
>>
>> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid
>> argument
>> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
>> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid
>> argument
>> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
>> snort[195228]: Finished /etc/snort/etc/rules/snort.rules.lua.
>> snort[195228]: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
>> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152
>> invalid argument
>> reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html
>> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420
>> invalid argument reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc
>>
>> This goes on for more than 40 rules across both rulesets.
>>
>> Analyzing the original files, both lua and the old format, I realize
>> that these errors only occur when there are spaces in the reference:url
>> argument. I might be wrong though. For example, rule with SID 26577
>> (notice the space before "irefef-malware"):
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
>> User-Agent known malicious user agent Opera 10";
>> flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only;
>> http_header; metadata:impact_flag red, policy balanced-ips drop, policy
>> security-ips drop, ruleset community, service http;
>> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
>> irefef-malware;
>> reference:url,dev.opera.com/articles/view/opera-ua-string-changes;
>> classtype:trojan-activity; sid:26577; rev:2;)
>>
>> Or SID 2012938 from the emerging ruleset (notice the space after the
>> comma):
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli
>> Endpoint Buffer Overflow Attempt"; flow:established,to_server;
>> content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|";
>> within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/;
>> classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at
>> 2011_06_07, updated_at 2011_06_07;)
>>
>> Am I missing something here?
>>
>> Best Regards,
>>