Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: Jim Campbell <jim () w4bqp net>
Date: Thu, 13 Jul 2017 19:40:08 -0400
Thank you, Russ, for your timely guidance in pointing me in the right direction.

OBSERVATIONS: I installed Snort 3 on a clean Ubuntu 16.04 Desktop that had been updated with the latest patches. I just checked my ~/snort_src directory and the only Snort source file is "snort3-master". Even so, a "which snort" returns "/usr/local/bin/snort", and indeed there is a snort 2.9.9.0 executable there. Since in my testing of my installation I wasn't using a full path to snort, I was inadvertently invoking the snort 2.9.9.0 executable instead of the snort 3 executable.
I installed Pulledpork v0.7.2 and downloaded the latest Talos rules. I used snort2lua to convert the 2.9.9.0 rules file to the 3.0-level rules file. Invoking Snort 3 (with a full path to all references) and using the original configuration file (snort.lua) and the Snort 3-level rules file, everything ran but I got 45 error messages from the rules file. A sampling:
Loading rules:
Loading /opt/snort/etc/snort/snort3.rules:
ERROR: /opt/snort/etc/snort/snort3.rules:152 invalid argument reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i = Viewer-Active-X-SEH-Overwrite.html
ERROR: /opt/snort/etc/snort/snort3.rules:1460 invalid argument reference:url,support.clean-mx.de/clean-mx = viruses.php?domain=rr.nu&sort=first%20desc
ERROR: /opt/snort/etc/snort/snort3.rules:1697 invalid argument reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- = java-zero-day-2.html
At the end of the output I got the following:
pcap DAQ configured to passive.
FATAL: see prior 45 errors
Fatal Error, Quitting..

CONCLUSION: I believe that I have enough of a platform now to begin learning how Snort 3 actually works.
Thanks again, Russ, and thanks to all who are working to deliver a potentially awesome networking tool.
Jim