
R77.30 SnortConvertor update -f doesn't import

Question asked by Kelly Mccubbin on Oct 19, 2017
Latest reply on Oct 26, 2017 by Dameon Welch-Abernathy

I've got a list of Snort rules issued to us by a County Government consortium every week or so and no matter what I do, the SnortConvertor won't import them.

"0/1316 rules were successfully converted, total of 0 IPS protections were found.
For more details please see $FWDIR/log/SnortConvertor.elg file.
The configuration is up to date, therefore no changes were made."


In the referenced .elg file, for each rule it says, "

[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37] ParseSnortRuleFile: line 1311 (length 108), rule is:
alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)
[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37] prepare_rule: msg is: MS-ISAC MALWARE IP: 109.207.202.8 (length 1024)
[SnortConvertor 13706 2012998112]@FWCentral[19 Oct 12:03:37] convert_snort_rule: rule is empty or invalid"


Using that rule as an example, here are some variants I've tried...

alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert tcp $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert ip $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; )

alert any $HOME_NET any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)

It doesn't make any difference.  It simply won't import a single rule.  What am I missing?
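Added example (my own Python, not Check Point's code or anything from the SnortConvertor): a small Snort rule parser that separates the header from the option list, honouring ';' inside quoted values, and reports which option keywords each rule carries. Run on the rule quoted from the .elg log above, it shows that the rule holds only msg, sid and priority and no payload-matching option such as content or pcre; the second sample rule is constructed purely for contrast.

```python
import re
# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Option keywords that inspect packet payload; the quoted MS-ISAC rules carry none of them
PAYLOAD_KEYWORDS = {"content", "uricontent", "pcre", "byte_test", "byte_jump", "isdataat"}

def split_options(body):
    """Split 'k:v; k2; ...' on ';' outside double quotes (a msg may itself contain ';')."""
    tokens, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tokens.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf))
    options = []
    for tok in (t.strip() for t in tokens if t.strip()):
        key, _, val = tok.partition(":")  # first ':' only; the msg text may contain ':' too
        options.append((key.strip(), val.strip().strip('"') or None))
    return options

def parse_rule(line):
    # Header fields as a dict plus 'options': an ordered list of (keyword, value-or-None)
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule

def summarize(text):
    """Per rule: (sid, option keywords in order, True if a payload-matching keyword is present)."""
    rows = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rule = parse_rule(line)
            keywords = [k for k, _ in rule["options"]]
            rows.append((dict(rule["options"]).get("sid"), keywords,
                         any(k in PAYLOAD_KEYWORDS for k in keywords)))
    return rows

# Constructed sample: the rule quoted from SnortConvertor.elg in the post, plus a content rule for contrast
SAMPLE_RULES = """\
alert tcp any any <> 109.207.202.8 any (msg:"MS-ISAC MALWARE IP: 109.207.202.8 "; sid:1001310; priority:5;)
alert tcp $HOME_NET any -> any 80 (msg:"constructed; content rule"; content:"GET /evil"; sid:9000001;)
"""
```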
