
List:       snort-users
Subject:    Re: [Snort-users] snort2lua error
From:       Russ <rucombs () cisco ! com>
Date:       2016-12-16 18:29:10
Message-ID: d75c28eb-ecc9-3eba-f07a-44bd82808e03 () cisco ! com

This is fixed with build 222 now on GitHub.

Thanks
Russ

On 12/14/16 8:40 AM, Russ wrote:
> Hi Fabian,
>
> snort2lua is tripping over modbus_data.  We will get a fix out ASAP.  In
> the meantime, if you change the offset and depth for those contents to
> be comma separated instead of semicolon separated it will work:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri
> PLC Nano 10 PLC denial of service attempt"; flow:to_server,established;
> content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data;
> content:"|00 00|", depth:2, offset:2; reference:cve,2013-2784;
> classtype:denial-of-service; sid:29965; rev:2;)
>
> Thanks for reporting the issue.
> Russ
>
> On 12/14/16 6:15 AM, koppfabi wrote:
>> Hi
>>
>>
>> I encountered an error while converting the snapshot rules to snort3 rules.
>>
>> snort2lua gave me this message for the protocol-scada.rules file:
>>
>> --[[    FAILED RULES CONVERSIONS:
>>     These rules has invalid rule options
>>
>>
>>        Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 502
>>            (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt";
>>            flow:to_server,established; content:"|00 06|"; depth:2; offset:4;
>>            modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2;
>>            reference:cve,2013-2784; classtype:denial-of-service; sid:29965;
>>            rev:2;)
>>        ^^^^ unknown_option=depth
>>        ^^^^ unknown_option=offset
>> --]]
>>
>> I guess depth and offset are unknown... is there a way to fix this?
>>
>>
>> the script I used:
>> #!/bin/bash
>> # SNORT2LUA helper
>>
>> echo "Snort2Lua rule converter"
>>
>> mkdir -p new_rules
>>
>> for file in rules/*.rules
>> do
>>        # remove header (first 20 lines; edits the file in place)
>>        sed -i -e 1,20d "$file"
>>        # remove # and leading space (optional)
>>        sed -i 's/^#//;s/^[ \t]*//' "$file"
>>        name=${file##*/}
>>        base=${name%.rules}
>>        NEWNAME=new_${name}
>>        echo "$name"
>>        # -c source -r dest
>>        snort2lua -c "$file" -r "new_rules/$NEWNAME"
>> done
>>
>> Kind regards
>> Fabian
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!

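Added example (not part of the original thread and not Snort project code): a Python pre-processing step that applies the workaround Russ describes for snort2lua builds before 222, rewriting only the content options that follow modbus_data so their depth and offset modifiers are comma separated instead of semicolon separated. The name apply_workaround and the regular expression are assumptions of this example; the sample rule is the one from the thread, joined onto a single line.

```python
import re

# A content option followed by one or more ';'-separated depth/offset
# modifiers (the two options snort2lua reported as unknown in the thread).
CONTENT_RUN = re.compile(
    r'(content:\s*!?"(?:[^"\\]|\\.)*")\s*;((?:\s*(?:depth|offset):\s*[^;]+;)+)'
)


def _join_modifiers(match):
    """Turn  content:"x"; depth:2; offset:2;  into  content:"x", depth:2, offset:2;"""
    mods = [m.strip() for m in match.group(2).split(";") if m.strip()]
    return match.group(1) + ", " + ", ".join(mods) + ";"


def apply_workaround(rule):
    """Rewrite only the content options that come after modbus_data in one rule.

    Assumption: the literal text 'modbus_data;' appears only as the rule
    option, not inside msg or content strings.
    """
    head, sep, tail = rule.partition("modbus_data;")
    if not sep:
        return rule  # no modbus_data in this rule, leave it untouched
    return head + sep + CONTENT_RUN.sub(_join_modifiers, tail)


# The rule from the thread (sid 29965), joined onto one line.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 502 '
    '(msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; '
    'flow:to_server,established; content:"|00 06|"; depth:2; offset:4; '
    'modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; '
    'reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:2;)'
)

if __name__ == "__main__":
    print(apply_workaround(SAMPLE_RULE))
```

The content before modbus_data keeps its semicolon-separated modifiers, as in the rule Russ posted, and running the function on an already rewritten rule changes nothing.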
