Kelly_Mccubbin
Explorer

R77.30 SnortConvertor update -f doesn't import

I've got a list of Snort rules issued to us by a County Government consortium every week or so and no matter what I do, the SnortConvertor won't import them.

"0/1316 rules were successfully converted, total of 0 IPS protections were found.
For more details please see $FWDIR/log/SnortConvertor.elg file.
The configuration is up to date, therefore no changes were made."

In the referenced .elg file, for each rule it says, "

[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37] ParseSnortRuleFile: line 1311 (length 108), rule is:
alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)
[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37] prepare_rule: msg is: MS-ISAC MALWARE IP: 109.207.202.8 (length 1024)

[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37]
convert_snort_rule: rule is empty or invalid"

Using that rule as an example, here are some variants I've tried...

alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert tcp $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert ip $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; )

alert any $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

It doesn't make any difference. It simply won't import a single rule. What am I missing?

2 Replies
PhoneBoy
Admin

Are all of the rules specified as either-bound direction (i.e. <>)?

At least in the examples you gave, they were all this way, and the documentation only speaks to one direction.

I'd try changing the rules to one direction or the other.

That said, if these signatures are just to block access to specific IPs, there are better ways to do that than a snort signature (e.g. using fw samp or similar).

PhoneBoy
Admin

You should insert the “Content:” keyword in the rules. This keyword is missing in all snort rules you list below and is required.
