Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: Russ via Snort-users <snort-users () lists snort org>
Date: Thu, 13 Jul 2017 21:40:12 -0400
I pushed an update to github this week that should fix that. Those references are broken and the space makes it look like "reference:name value". Snort++ was updated to be more tolerant in these cases. If you grab the latest you should be good to go.

On 7/13/17 7:40 PM, Jim Campbell wrote:
> Thank you, Russ, for your timely guidance to point me in the right direction.
>
> OBSERVATIONS:
>
> I installed Snort 3 on a clean Ubuntu 16.04 Desktop that had been updated with the latest patches. I just checked my ~/snort_src directory and the only Snort source file is "snort3-master". Even so, a "which snort" returns "/usr/local/bin/snort" and indeed there is a snort 2.9.9.0 executable there. Since in my testing of my installation I wasn't using a full path to snort, I was inadvertently invoking the snort 2.9.9.0 executable instead of the snort 3 executable.
>
> I installed Pulledpork v0.7.2 and downloaded the latest Talos rules. I used snort2lua to convert the 2.9.9.0 rules file to the 3.0-level rules file. Invoking Snort 3 (with a full path to all references) and using the original configuration file (snort.lua) and the Snort 3-level rules file, everything ran but I got 45 error messages from the rules file. A sampling:
>
> Loading rules:
> Loading /opt/snort/etc/snort/snort3.rules:
> ERROR: /opt/snort/etc/snort/snort3.rules:152 invalid argument reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i = Viewer-Active-X-SEH-Overwrite.html
> ERROR: /opt/snort/etc/snort/snort3.rules:1460 invalid argument reference:url,support.clean-mx.de/clean-mx = viruses.php?domain=rr.nu&sort=first%20desc
> ERROR: /opt/snort/etc/snort/snort3.rules:1697 invalid argument reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- = java-zero-day-2.html
>
> At the end of the output I got the following:
>
> pcap DAQ configured to passive.
> FATAL: see prior 45 errors
> Fatal Error, Quitting..
>
> CONCLUSION: I believe that I have enough of a platform now to begin learning how Snort 3 actually works.
>
> Thanks again, Russ, and thanks to all who are working to deliver a potentially awesome networking tool.
>
> Jim
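The failure Russ describes is a rule option whose reference value contains whitespace, which a strict parser reads as "reference:name value" and rejects. A cheap way to catch this before handing a converted ruleset to Snort 3 is to lint the file for exactly that condition. The script below is an added, stand-alone example written for this thread; it is not code from the Snort project, pulledpork, or either poster, and the rule lines embedded in it are constructed samples rather than real Talos rules.

```python
"""Pre-flight lint for a Snort rules file: report every reference: option
whose value contains whitespace (the condition behind the
"invalid argument reference:url,..." errors in the thread above).
Constructed example; not part of the Snort project."""
import re
import sys

# A reference option is "reference:<name>,<value>"; capture both halves.
REFERENCE_RE = re.compile(
    r'^\s*reference\s*:\s*(?P<name>[^,]+)\s*,\s*(?P<value>.*)$', re.S)


def split_options(option_body):
    """Split the text inside a rule's ( ... ) on ';', honouring backslash
    escapes so that an escaped '\\;' inside a content match does not end
    the option early."""
    options, current, i = [], [], 0
    while i < len(option_body):
        ch = option_body[i]
        if ch == '\\' and i + 1 < len(option_body):
            current.append(option_body[i:i + 2])  # keep escape pair intact
            i += 2
            continue
        if ch == ';':
            options.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = ''.join(current).strip()
    if tail:
        options.append(tail)
    return [o for o in options if o]


def find_bad_references(rules_text):
    """Return a list of (line_number, reference_value) for every reference
    option whose value contains whitespace. Blank lines and '#' comments
    are skipped; lines without an option body are ignored."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        open_paren = stripped.find('(')
        close_paren = stripped.rfind(')')
        if open_paren == -1 or close_paren <= open_paren:
            continue  # not a rule with an option body
        for opt in split_options(stripped[open_paren + 1:close_paren]):
            m = REFERENCE_RE.match(opt)
            if m and re.search(r'\s', m.group('value')):
                findings.append((lineno, m.group('value')))
    return findings


# Constructed sample rules (not real Talos rules): one clean rule, one whose
# reference URL contains a space, and one commented-out rule that is ignored.
SAMPLE_RULES = r"""
alert tcp any any -> any 80 (msg:"EXAMPLE clean"; content:"GET"; reference:url,example.test/clean.html; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE broken ref"; content:"a\;b"; reference:url,example.test/broken = file.html; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"commented"; reference:url,example.test/a b; sid:1000003; rev:1;)
"""

if __name__ == '__main__':
    # Usage: python lint_refs.py /path/to/snort3.rules  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, value in find_bad_references(text):
        print(f'line {lineno}: reference value contains whitespace: {value!r}')
```

Run against a real converted ruleset, the reported line numbers should line up with the `snort3.rules:NNN` positions Snort prints, so the offending rules can be reviewed or fixed before a build that tolerates the space is available. The escape-aware splitter matters because content matches routinely contain `\;`, and a naive split on `;` would misreport them.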
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!