Snort mailing list archives

Re: Unknown rule keyword


From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Thu, 6 Jul 2017 10:15:42 -0400

That is a 2.X rule. You need to convert the rules to 3.0 format using the snort2lua utility. Please check the user manual for more information.

On 7/6/17 9:16 AM, Simon Dzn via Snort-devel wrote:
Hey all,

I am running Snort 3 (a4-236) on ARM (Raspberry Pi) and I have a big problem loading rules. I am getting this error: unknown rule keyword: x.
Some of the problematic keywords: distance, nocase, offset, fast_pattern.
Example of a rule:
alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Here the "distance" keyword is the problem.
Any ideas?


_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
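
Added example, not part of the original thread and not snort2lua's own code: the syntax change behind the error, shown by folding the four Snort 2 modifiers named in the post into the Snort 3 content option they modify. The function names are hypothetical and only these four modifiers are handled; snort2lua is still the tool to use for converting a rule set.

```python
import re

# Snort 2 modifiers named in the thread; Snort 3 writes them inside the content option.
MODIFIERS = {"distance", "nocase", "offset", "fast_pattern"}

# Rule from the post, with the mail client's duplicated <http://...> link removed.
RULE = ('alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder '
        'Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; '
        'content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; '
        'reference:url,doc.emergingthreats.net/2009285; '
        'classtype:shellcode-detect; sid:2009285; rev:2; '
        'metadata:created_at 2010_07_30, updated_at 2010_07_30;)')


def split_options(body):
    """Split an option body on ';', skipping quoted or backslash-escaped ones."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    return [o for o in opts + [cur.strip()] if o]


def fold_modifiers(rule):
    """Attach standalone modifiers to the preceding content option."""
    m = re.match(r"(?s)^(.*?)\((.*)\)\s*$", rule)
    if not m:
        raise ValueError("rule has no (option) body")
    out = []
    for opt in split_options(m.group(2)):
        name, _, arg = (part.strip() for part in opt.partition(":"))
        if name not in MODIFIERS:
            out.append(opt)
        elif not out or not out[-1].startswith("content:"):
            raise ValueError(f"{name} has no preceding content option")
        elif name == "fast_pattern" and arg:
            raise ValueError("fast_pattern arguments are not handled here")
        else:
            out[-1] += f", {name} {arg}".rstrip()
    return m.group(1) + "(" + " ".join(o + ";" for o in out) + ")"
```

Calling fold_modifiers(RULE) returns the posted rule with the second content option written as content:"|66 53 89 E1 95 68 A4 1A|", distance 0; and everything else unchanged.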
