Snort mailing list archives
Re: Error using latest ruleset with Snort++
From: Russ via Snort-users <snort-users () lists snort org>
Date: Fri, 14 Jul 2017 14:08:13 -0400
Hey Jim,

I'm not seeing those issues. I just downloaded the latest registered rule set and do see some other stuff to clean up but nothing with sd_pattern. Can you send me the original 2.9 rules that you converted that are causing the problems?

Thanks
Russ

On 7/13/17 11:48 PM, Jim Campbell wrote:
> Russ,
>
> Better, but still a few errors using the latest Talos rule file.
>
> "Loading rules:
> "Loading /opt/snort/etc/snort/snort3.rules:
> "ERROR: /opt/snort/etc/snort/snort3.rules:3716 !any is not allowed: ![$SMTP_SERVERS,$DNS_SERVERS].
> "ERROR: /opt/snort/etc/snort/snort3.rules:5655 !any is not allowed: !$SMTP_SERVERS.
> "ERROR: /opt/snort/etc/snort/snort3.rules:5655 !any is not allowed: !$HOME_NET.
> "ERROR: /opt/snort/etc/snort/snort3.rules:5666 !any is not allowed: !$HOME_NET.
> "ERROR: /opt/snort/etc/snort/snort3.rules:34701 unknown rule keyword: sd_pattern.
> "ERROR: /opt/snort/etc/snort/snort3.rules:34702 unknown rule keyword: sd_pattern.
> "ERROR: /opt/snort/etc/snort/snort3.rules:34703 unknown rule keyword: sd_pattern.
> "ERROR: /opt/snort/etc/snort/snort3.rules:34704 unknown rule keyword: sd_pattern.
> "Finished /opt/snort/etc/snort/snort3.rules.
> "Finished rules.
>
> The snort.lua config file is unchanged from what was delivered.
>
> On a whim I changed HOME_NET from 'any' to '192.168.0.0/24' and got the following errors:
>
> "Loading rules:
> "Loading /opt/snort/etc/snort/snort3.rules:
> "ERROR: /opt/snort/etc/snort/snort3.rules:34701 unknown rule keyword: sd_pattern.
> "ERROR: /opt/snort/etc/snort/snort3.rules:34702 unknown rule keyword: sd_pattern.
> "ERROR: /opt/snort/etc/snort/snort3.rules:34703 unknown rule keyword: sd_pattern.
> "ERROR: /opt/snort/etc/snort/snort3.rules:34704 unknown rule keyword: sd_pattern.
> "Finished /opt/snort/etc/snort/snort3.rules.
> "Finished rules.
>
> Jim
>
> On 7/13/2017 9:40 PM, Russ wrote:
>> I pushed an update to github this week that should fix that. Those references are broken and the space makes it look like "reference:name value". Snort++ was updated to be more tolerant in these cases. If you grab the latest you should be good to go.
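
The two runs quoted above, as an added example that is not part of the thread or of Snort: a pre-load check that reports rule header addresses negating something that resolves to `any`, the condition behind the "!any is not allowed" errors. The rules and variable tables are constructed, and defining SMTP_SERVERS and DNS_SERVERS in terms of HOME_NET is an assumption of this example.

```python
import re

# Constructed variable tables mirroring the two runs in the thread.
# Assumption: SMTP_SERVERS and DNS_SERVERS are aliases of HOME_NET.
VARS_ANY = {"HOME_NET": "any", "SMTP_SERVERS": "$HOME_NET", "DNS_SERVERS": "$HOME_NET"}
VARS_NET = dict(VARS_ANY, HOME_NET="192.168.0.0/24")

# Constructed rules (not taken from the Talos rule set).
RULES = [
    'alert tcp ![$SMTP_SERVERS,$DNS_SERVERS] any -> any 25 ( msg:"constructed 1"; sid:1000001; )',
    'alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 ( msg:"constructed 2"; sid:1000002; )',
    'alert tcp $HOME_NET any -> any 80 ( msg:"constructed 3"; sid:1000003; )',
]


def contains_any(expr, variables, seen=frozenset()):
    """True if an address expression (literal, $VAR or [list]) expands to 'any'."""
    for tok in re.findall(r"[^\[\],\s]+", expr):
        tok = tok.lstrip("!")
        if tok == "any":
            return True
        if tok.startswith("$"):
            name = tok[1:]
            # 'seen' guards against variables that reference each other in a loop.
            if name not in seen and name in variables:
                if contains_any(variables[name], variables, seen | {name}):
                    return True
    return False


def negated_any(rules, variables):
    """Return (line_number, address) for each negated address that expands to 'any'."""
    findings = []
    for lineno, rule in enumerate(rules, 1):
        # Header is everything before the option body: action proto src sport dir dst dport.
        fields = rule.split("(", 1)[0].split()
        if len(fields) < 7:
            continue  # header without explicit addresses; nothing to check
        for addr in (fields[2], fields[5]):
            if addr.startswith("!") and contains_any(addr[1:], variables):
                findings.append((lineno, addr))
    return findings


if __name__ == "__main__":
    for label, table in (("HOME_NET=any", VARS_ANY), ("HOME_NET=192.168.0.0/24", VARS_NET)):
        print(label, negated_any(RULES, table))
```

The header split is on whitespace, so address lists written with spaces inside the brackets are not handled.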