Re: Error using latest ruleset with Snort++

[João Soares via Snort-users <snort-users () lists snort org>]

(Changed my list's e-mail, hotmail is considering too many messages as spam)

I noticed and forgot to thank you.

Haven't tested it yet, but thank you in advance for your work. I'll
report back if anything breaks :)

Keep up the great job,

Best regards,


On 14/07/2017 14:24, Russ via Snort-users wrote:
> FYI - these issues are fixed in the latest on github.
>
> Thanks
> Russ
>
> On 6/28/17 7:13 PM, João Soares wrote:
> > Thank you! I'll be waiting for the fix :) Until then, I removed the
> > spaces from all reference:url arguments.
> >
> > Just a heads up: There's another case in which something similar
> > happens:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > Possible Vundo EXE Download Attempt"; flow:established,to_server;
> > content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid=";
> > http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174;
> > classtype:trojan-activity; sid:2009174; rev:4; metadata:created_at
> > 2010_07_30, updated_at 2010_07_30;)
> >
> > urilen: > 80; will be converted to bufferlen:> 80; by rules2lua which
> > will issue an error due to that space after the >
> >
> > Best regards,
> >
> > João Soares
> >
> > On 06/28/2017 07:33 PM, Russ wrote:
> > > Thanks, we are aware of the issue.  We need to resolve that format. We
> > > really should require quotes on the URL string but in the first case it
> > > should not have a space.  The second one we can tolerate if essential.
> > > We will get that fixed before the beta.  Sorry for the inconvenience.
> > >
> > > Russ
> > >
> > > On 6/28/17 2:19 PM, João Soares via Snort-users wrote:
> > > > Hi everyone,
> > > >
> > > > I've been using Snort++ for quite a while now (over 1 year), and I
> > > > just
> > > > updated my build to the latest one - Version 3.0.0-a4 (Build 236) from
> > > > 2.9.8-383
> > > >
> > > > I also updated my rules to the latest Talos registered ruleset and
> > > > emerging ruleset. As expected, I've been using the snort2lua script in
> > > > order to convert the rules to the Snort++ format.
> > > >
> > > > As soon as I finished both updates and started Snort++, I started
> > > > getting errors on some rules:
> > > >
> > > > snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:77 invalid
> > > > argument
> > > > reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> > > >
> > > > = irefef-malware
> > > > snort[195228]: ERROR: /etc/snort/etc/rules/snort.rules.lua:968 invalid
> > > > argument
> > > > reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> > > >
> > > > = irefef-malware
> > > > snort[195228]: Finished /etc/snort/etc/rules/snort.rules.lua.
> > > > snort[195228]: Loading /etc/snort/etc/rules/emerging-all.rules.lua:
> > > > snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:152
> > > > invalid argument
> > > > reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i =
> > > > Viewer-Active-X-SEH-Overwrite.html
> > > > snort[195228]: ERROR: /etc/snort/etc/rules/emerging-all.rules.lua:1420
> > > > invalid argument reference:url,support.clean-mx.de/clean-mx =
> > > > viruses.php?domain=rr.nu&sort=first%20desc
> > > >
> > > > This goes on for more than 40 rules across both rulesets.
> > > >
> > > > Analyzing the original files, both lua and the old format, I realize
> > > > that these errors only occur when there are spaces in the
> > > > reference:url
> > > > argument. I might be wrong though. For example, rule with SID 26577
> > > > (notice the space before "irefef-malware"):
> > > >
> > > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
> > > > User-Agent known malicious user agent Opera 10";
> > > > flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only;
> > > > http_header; metadata:impact_flag red, policy balanced-ips drop,
> > > > policy
> > > > security-ips drop, ruleset community, service http;
> > > > reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s
> > > >
> > > > irefef-malware;
> > > > reference:url,dev.opera.com/articles/view/opera-ua-string-changes;
> > > > classtype:trojan-activity; sid:26577; rev:2;)
> > > >
> > > > Or SID 2012938 from the emerging ruleset (notice the space after the
> > > > comma):
> > > >
> > > > alert tcp $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli
> > > > Endpoint Buffer Overflow Attempt"; flow:established,to_server;
> > > > content:"POST "; depth:5; isdataat:256,relative; content:!"|0A|";
> > > > within:256; reference:url,
> > > > zerodayinitiative.com/advisories/ZDI-11-169/;
> > > > classtype:denial-of-service; sid:2012938; rev:1; metadata:created_at
> > > > 2011_06_07, updated_at 2011_06_07;)
> > > >
> > > > Am I missing something here?
> > > >
> > > > Best Regards,
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists snort org
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.snort.org/mailman/listinfo/snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

-- 
João Soares

System Administrator @ University of Coimbra
Web: jadmin.net | LinkedIn: joaopsys

My PGP Public Key is available at http://pgp.mit.edu/pks/lookup?op=get&search=0xCE04B638CB64FA67

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!