Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: João Soares via Snort-users <snort-users () lists snort org>
Date: Wed, 28 Jun 2017 23:13:20 +0000
Thank you! I'll be waiting for the fix :)

Until then, I removed the spaces from all reference:url arguments.

Just a heads up: there's another case in which something similar happens:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174; classtype:trojan-activity; sid:2009174; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

"urilen: > 80;" will be converted to "bufferlen:> 80;" by rules2lua, which will issue an error due to that space after the ">".

Best regards,
João Soares

On 06/28/2017 07:33 PM, Russ wrote:
> Thanks, we are aware of the issue. We need to resolve that format. We really should require quotes on the URL string, but in the first case it should not have a space. The second one we can tolerate if essential. We will get that fixed before the beta. Sorry for the inconvenience.
>
> Russ
>
> On 6/28/17 2:19 PM, João Soares via Snort-users wrote:
>> Hi everyone,
>>
>> I've been using Snort++ for quite a while now (over 1 year), and I just updated my build to the latest one - Version 3.0.0-a4 (Build 236) from 2.9.8-383. I also updated my rules to the latest Talos registered ruleset and emerging ruleset. As expected, I've been using the snort2lua script in order to convert the rules to the Snort++ format.
>>
>> As soon as I finished both updates and started Snort++, I started getting errors on some rules:
>>
>> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid argument reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
>> snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid argument reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware
>> snort[195228]: Finished /etc/snort/etc/rules/snort.rules.lua.
>> snort[195228]: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
>> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152 invalid argument reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html
>> snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420 invalid argument reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc
>>
>> This goes on for more than 40 rules across both rulesets. Analyzing the original files, both lua and the old format, I realize that these errors only occur when there are spaces in the reference:url argument. I might be wrong though.
>>
>> For example, rule with SID 26577 (notice the space before "irefef-malware"):
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2;)
>>
>> Or SID 2012938 from the emerging ruleset (notice the space after the comma):
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|"; within:256; reference:url, zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at 2011_06_07, updated_at 2011_06_07;)
>>
>> Am I missing something here?
>>
>> Best Regards,
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists snort org
>> Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
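The workaround described in the thread (stripping the spaces from reference:url values and from the urilen operator) is easy to apply across a whole ruleset before running the converter. The following is an added example, not code from the thread or from snort2lua; it assumes Snort 2 rule syntax, handles the N<>M range form of urilen as well as the > form seen above, and uses the three rules from the thread (metadata options trimmed) as sample input.

```python
"""Added example (not part of the thread, not snort2lua): detect and strip the
whitespace that breaks rule loading, i.e. spaces inside reference:url values and
whitespace after the ':' or comparison operator of urilen/bufferlen."""
import re

# Sample rules copied from the thread (SID 26577, 2012938 and 2009174), metadata trimmed.
RULE_26577 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known '
              'malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; '
              'fast_pattern:only; http_header; reference:url,blog.avast.com/2013/05/03/'
              'regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/'
              'articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2;)')
RULE_2012938 = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer '
                'Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; '
                'isdataat:256,relative; content:!"|0A|"; within:256; reference:url, zerodayinitiative.com/'
                'advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:1;)')
RULE_2009174 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE '
                'Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; '
                'content:"/dwn/d.html?sid="; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/'
                '2009174; classtype:trojan-activity; sid:2009174; rev:4;)')

# Rule options are ';'-terminated, so a reference:url value runs up to the next ';'.
REF_URL_RE = re.compile(r'reference:\s*url,([^;]*);')
# Snort 2 urilen forms: N, <N, >N, N<>M (snort2lua emits bufferlen with the same shape).
LEN_RE = re.compile(r'\b(urilen|bufferlen):\s*([<>]?)\s*(\d+)\s*(?:<>\s*(\d+))?\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def find_whitespace_issues(rule: str) -> list:
    """Return one finding per offending option in a rule (empty list if clean)."""
    m = SID_RE.search(rule)
    tag = f"sid:{m.group(1)}" if m else "sid:?"
    issues = []
    for ref in REF_URL_RE.finditer(rule):
        if re.search(r'\s', ref.group(1)):
            issues.append(f"{tag} reference:url contains whitespace: {ref.group(1)!r}")
    for ln in LEN_RE.finditer(rule):
        if re.search(r'\s', ln.group(0)):
            issues.append(f"{tag} {ln.group(1)} has whitespace around operator: {ln.group(0)!r}")
    return issues


def normalise_rule(rule: str) -> str:
    """Rewrite the rule with the offending whitespace removed; other options are untouched."""
    def fix_ref(m):
        return 'reference:url,' + re.sub(r'\s+', '', m.group(1)) + ';'
    def fix_len(m):
        kw, op, lo, hi = m.groups()
        return f"{kw}:{op}{lo}" + (f"<>{hi}" if hi else '') + ';'
    return LEN_RE.sub(fix_len, REF_URL_RE.sub(fix_ref, rule))


if __name__ == '__main__':
    for rule in (RULE_26577, RULE_2012938, RULE_2009174):
        for issue in find_whitespace_issues(rule):
            print(issue)
        print(normalise_rule(rule))
```

Run it over each line of a .rules file before snort2lua; rules that report no issues are left byte-for-byte unchanged.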