This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kelly_Mccubbin
Explorer
‎2017-10-19 12:13 PM

R77.30 SnortConvertor update -f doesn't import

I've got a list of Snort rules issued to us by a County Government consortium every week or so and no matter what I do, the SnortConvertor won't import them.

"0/1316 rules were successfully converted, total of 0 IPS protections were found.
For more details please see $FWDIR/log/SnortConvertor.elg file.
The configuration is up to date, therefore no changes were made."

In the referenced .elg file, for each rule it says, "

[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37] ParseSnortRuleFile: line 1311 (length 108), rule is:
alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)
[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37] prepare_rule: msg is: MS-ISAC MALWARE IP: 109.207.202.8 (length 1024)

[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37]
convert_snort_rule: rule is empty or invalid"

Using that rule as an example, here's some variants I've tried...

alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert tcp $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;) 

alert ip $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; )

alert any $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;) 

It doesn't make any difference.  It simply won't import a single rule.  What am I missing?

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2017-10-20 06:10 PM

Are all of the rules specified as eitherbound direction (i.e. <>)?

At least of the examples you gave, they were all this way, and the documentation only speaks to one direction.

I'd try changing the rules to one direction or the other 

That said, if these signatures are just to block access to specific IPs, there are better ways to do that than a snort signature (e.g. using fw samp or similar). 

0 Kudos
PhoneBoy
Admin
Admin
‎2017-10-26 03:03 PM

You should insert the “Content:” keyword in the rules. This keyword is missing in all snort rules you list below and is required.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events