Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: Russ via Snort-users <snort-users () lists snort org>
Date: Fri, 14 Jul 2017 17:16:57 -0400
There are a few things going on:

1. snort2lua is rejecting sid:2018795, 2018796, and 2018797 because distance follows pcre:

   content:"foo"; pcre:"bar"; distance:0;

   That should be:

   content:"foo"; distance:0; pcre:"bar";

2. snort2lua is rejecting sid:2018122 for a similar ordering issue:

   content:"foo"; urilen:20; http_uri;

   That should be:

   content:"foo"; http_uri; urilen:20;

3. Snort 2.9 and Snort 3.0 both reject sid:2011802, 2000328, and 2002087 because of the !any condition. Setting your nets and ports variables or disabling those rules is the way to go there.

4. Your gid:138 rules are rejected by Snort 3 because you need hyperscan for sd_pattern. That is available for Intel platforms from https://github.com/01org/hyperscan.
The emerging threats rules should be fixed since distance and http_uri modify content, not pcre or urilen. However, since Snort 2.9 can digest them we will update snort2lua for that case. In the meantime you can manually patch them as above to get by.
Hopefully that gets you going.

Thanks
Russ

On 7/14/17 3:11 PM, Jim Campbell wrote:

> Russ,
>
> I didn't mention that when I ran snort2lua against the rule file yesterday I got 4 errors. I don't see sd_pattern in the four errors.
>
> I will send the snort.rej file and the snort.rules file directly to you as an email attachment.
>
> Thanks,
> Jim
>
> On 7/14/2017 2:08 PM, Russ wrote:
>
>> Hey Jim,
>>
>> I'm not seeing those issues. I just downloaded the latest registered rule set and do see some other stuff to clean up but nothing with sd_pattern. Can you send me the original 2.9 rules that you converted that are causing the problems?
>>
>> Thanks
>> Russ
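The manual patch Russ describes (move a content modifier such as distance or http_uri back to the content it belongs to when a non-modifier option like pcre or urilen has slipped in between) is mechanical enough to script. The following is an added example written for this page; it is not snort2lua and not part of Snort or the Emerging Threats ruleset. It assumes the standard Snort 2.9 rule shape `header (opt; opt; ...)`, that the listed keywords are the content modifiers you care about, and it does nothing about the `!any` rejections or the sd_pattern/hyperscan dependency from the same message. The two sample rules are constructed to mirror the two orderings quoted above; the sids are placeholders, not real ET sids.

```python
"""Reorder Snort 2.9 rule options so that content modifiers directly follow
the content they modify (added example; assumptions noted in comments)."""
import sys

# Assumption: these are the sticky "content modifier" keywords we relocate.
# Anything else (msg, pcre, urilen, flow, sid, ...) is a standalone option.
CONTENT_MODIFIERS = {
    "nocase", "offset", "depth", "distance", "within", "rawbytes",
    "fast_pattern", "http_uri", "http_raw_uri", "http_header",
    "http_raw_header", "http_cookie", "http_raw_cookie",
    "http_client_body", "http_method", "http_stat_code", "http_stat_msg",
}
CONTENT_KEYWORDS = {"content", "uricontent"}


def split_options(body):
    """Split the option body on ';' outside double quotes.

    Semicolons inside quoted values (e.g. pcre:"/a;b/") and backslash-escaped
    characters inside quotes are preserved instead of being treated as separators.
    """
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def keyword(opt):
    """Return the option keyword: 'distance:0' -> 'distance', 'http_uri' -> 'http_uri'."""
    return opt.split(":", 1)[0].strip().lower()


def reorder_options(opts):
    """Move stray content modifiers back to the end of the preceding content group.

    Returns (reordered options, number of options moved). A modifier that
    appears before any content at all is an error in the rule, not an ordering
    slip, so it is reported rather than silently placed somewhere.
    """
    out = []
    group_end = None  # index in `out` just past the last content and its modifiers
    moved = 0
    for opt in opts:
        kw = keyword(opt)
        if kw in CONTENT_KEYWORDS:
            out.append(opt)
            group_end = len(out)
        elif kw in CONTENT_MODIFIERS:
            if group_end is None:
                raise ValueError(f"modifier {kw!r} has no preceding content")
            if group_end == len(out):
                out.append(opt)            # already adjacent to its content
            else:
                out.insert(group_end, opt)  # hop back over pcre/urilen/etc.
                moved += 1
            group_end += 1
        else:
            out.append(opt)
    return out, moved


def fix_rule(rule):
    """Rewrite one rule line; returns (fixed rule, number of options moved)."""
    start, end = rule.index("("), rule.rindex(")")
    header, body = rule[:start], rule[start + 1:end]
    opts, moved = reorder_options(split_options(body))
    return header + "(" + " ".join(o + ";" for o in opts) + ")", moved


# Constructed sample rules mirroring the two orderings quoted in the thread.
SAMPLE_PCRE_BEFORE_DISTANCE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST pcre before distance"; '
    'content:"foo"; pcre:"/bar;baz/"; distance:0; sid:1000001; rev:1;)'
)
SAMPLE_URILEN_BEFORE_HTTP_URI = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"TEST urilen before http_uri"; '
    'content:"foo"; urilen:20; http_uri; sid:1000002; rev:1;)'
)

if __name__ == "__main__":
    # Usage: python fix_order.py < emerging-all.rules > fixed.rules
    for line in sys.stdin:
        line = line.rstrip("\n")
        if line.startswith(("alert", "drop", "pass", "log")) and "(" in line:
            line, _ = fix_rule(line)
        print(line)
```

The script deliberately keeps every option and only changes position, so `diff` against the original file shows exactly which sids were touched; run snort2lua on the result and check that snort.rej is shorter rather than trusting the rewrite blindly.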
Current thread:
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 12)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 12)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Marcin Dulak via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 14)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 12)
- <Possible follow-ups>
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ João Soares via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 15)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 15)
- RES: Error using latest ruleset with Snort++ Renan Menezes via Snort-users (Jul 15)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 15)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 15)