Snort mailing list archives

Re: Error using latest ruleset with Snort++

From: Jim Campbell <jim () w4bqp net>
Date: Thu, 13 Jul 2017 23:48:08 -0400

Russ,

Better, but still a few errors using the latest Talos rule file.

"Loading rules:
"Loading /opt/snort/etc/snort/snort3.rules:

"ERROR: /opt/snort/etc/snort/snort3.rules:3716 !any is not allowed:![$SMTP_SERVERS,$DNS_SERVERS]."ERROR: /opt/snort/etc/snort/snort3.rules:5655 !any is not allowed:!$SMTP_SERVERS."ERROR: /opt/snort/etc/snort/snort3.rules:5655 !any is not allowed:!$HOME_NET."ERROR: /opt/snort/etc/snort/snort3.rules:5666 !any is not allowed:!$HOME_NET."ERROR: /opt/snort/etc/snort/snort3.rules:34701 unknown rule keyword:sd_pattern."ERROR: /opt/snort/etc/snort/snort3.rules:34702 unknown rule keyword:sd_pattern."ERROR: /opt/snort/etc/snort/snort3.rules:34703 unknown rule keyword:sd_pattern."ERROR: /opt/snort/etc/snort/snort3.rules:34704 unknown rule keyword:sd_pattern.

"Finished /opt/snort/etc/snort/snort3.rules.
"Finished rules.

The snort.lua config file is unchanged from what was delivered.

On a whim I changed HOME_NET from 'any' to '192.168.0.0/24' and got thefollowing errors:


"Loading rules:
"Loading /opt/snort/etc/snort/snort3.rules:

"ERROR: /opt/snort/etc/snort/snort3.rules:34701 unknown rule keyword:sd_pattern."ERROR: /opt/snort/etc/snort/snort3.rules:34702 unknown rule keyword:sd_pattern."ERROR: /opt/snort/etc/snort/snort3.rules:34703 unknown rule keyword:sd_pattern."ERROR: /opt/snort/etc/snort/snort3.rules:34704 unknown rule keyword:sd_pattern.

"Finished /opt/snort/etc/snort/snort3.rules.
"Finished rules.

Jim


On 7/13/2017 9:40 PM, Russ wrote:

I pushed an update to github this week that should fix that. Thosereferences are broken and the space makes it look like "reference:namevalue". Snort++ was updated to be more tolerant in these cases. Ifyou grab the latest you should be good to go.


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 12)
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 12)
  - Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
    - Re: Error using latest ruleset with Snort++ Marcin Dulak via Snort-users (Jul 13)
    - Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
    - Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
    - Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 13)
    - Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 13)
    - Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
    - Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 14)
    - Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
    - Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 14)
- <Possible follow-ups>
- Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 14)
  - Re: Error using latest ruleset with Snort++ João Soares via Snort-users (Jul 14)
- Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 15)
  - Re: Error using latest ruleset with Snort++ Russ via Snort-users (Jul 15)
    - RES: Error using latest ruleset with Snort++ Renan Menezes via Snort-users (Jul 15)
    - Re: Error using latest ruleset with Snort++ Jim Campbell (Jul 15)