Snort failing to load rules
-
$ grep -Rni 'sid:20835' /usr/local/
/usr/local/etc/suricata/rules/snort_browser-plugins.rules:1759:# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Novell ZENworks LaunchHelp.dll ActiveX clsid access attempt"; flow:to_client,established; file_data; content:"LaunchHelp.HelpLauncher"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-2657; reference:url,www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1; classtype:attempted-user; sid:20835; rev:11;)
-
Thanks. Appreciate the quick response.
Not sure, but it has something to do with "Snort OPENAPPID Rules". The moment I un-select all the rules under that last column Snort starts, but if I enable even one single rule there... Snort fails to load with the same error I posted above.
-
Well, I'm using Suricata (but the rules are the same). There's no support for OpenAppID rules there, so… cannot help. Probably better asked in IPS/IDS forum, don't think it's related to 2.4 snapshots.
-
Hmm, makes me think... should I move to Suricata? Would you recommend it?
-
Well, you'd definitely not hit similar issues there, since broken/unsupported rules are just skipped. Otherwise, pretty happy with that, multithreading definitely helps.
-
How about the long list of false positives that I have identified in Snort? Will I have to start from scratch? It took me well over a year to assemble that list.
-
Hmmm, well, I'm using SID Mgmt (disablesid.conf) for any FPs. If you are using something else, not sure… but I guess getting those out of config.xml should be doable as well.
-
Yeah, I use the same, but I had to suppress the FPs one by one to ensure I am not suppressing the wrong ones. Took some good time. Can I just transfer the Snort FPs to Suricata?
-
Yeah, definitely, just save the file and paste it back into Suricata. The rulesets are the same, so are the SIDs.
-
Awesome! Thanks bud. :D
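A way to sanity-check that disablesid.conf migration before pasting it over, as an added example (not from this thread or from the pfSense Snort/Suricata packages): it reads the gid:sid entries of a SID Mgmt disablesid.conf (format assumed here), indexes the SIDs found in the Suricata rule files, and reports which suppressed SIDs exist on the Suricata side and which do not. The rule text and SID list below are constructed for the demo.

```python
"""Sanity-check a Snort SID Mgmt disablesid.conf against a Suricata ruleset:
every SID you suppressed on the Snort side should exist on the other side."""
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Map (gid, sid) -> enabled for each rule line; gid defaults to 1.
    A rule line starting with '#' is present in the ruleset but disabled."""
    rules = {}
    for line in text.splitlines():
        s = line.strip()
        m = SID_RE.search(s)
        if not m or '(' not in s:
            continue  # blank line, plain comment, or not a rule at all
        g = GID_RE.search(s)
        rules[(int(g.group(1)) if g else 1, int(m.group(1)))] = not s.startswith('#')
    return rules

def parse_disablesid(text):
    """Read 'gid:sid' entries (comma- or newline-separated; '#' comments are
    dropped). Assumed SID Mgmt format; pcre:/category lines are ignored here."""
    wanted = set()
    for line in text.splitlines():
        for item in line.split('#', 1)[0].split(','):
            m = re.fullmatch(r'(\d+):(\d+)', item.strip())
            if m:
                wanted.add((int(m.group(1)), int(m.group(2))))
    return wanted

def check_migration(disablesid_text, rule_texts):
    """Return (found, missing): (gid, sid) pairs from the disablesid file that
    do / do not exist in the given rule file contents (iterable of strings)."""
    present = {}
    for t in rule_texts:
        present.update(parse_rules(t))
    wanted = parse_disablesid(disablesid_text)
    found = {k for k in wanted if k in present}
    return found, wanted - found

# Constructed sample: one commented-out rule (as grep showed for sid 20835),
# one enabled rule, and a made-up suppressed sid 424242 with no matching rule.
SAMPLE_RULES = (
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"x"; sid:20835; rev:11;)\n'
    'alert tcp any any -> any any (msg:"y"; gid:1; sid:2010937; rev:1;)\n')
SAMPLE_DISABLESID = '# FPs carried over from Snort\n1:20835,1:2010937\n1:424242\n'

if __name__ == '__main__':
    print(check_migration(SAMPLE_DISABLESID, [SAMPLE_RULES]))
```

For a real run, feed `check_migration` the contents of every `*.rules` file under the Suricata rules directory (the grep output above shows /usr/local/etc/suricata/rules on that box) and the disablesid.conf text; anything in the missing set needs a manual look before you rely on it.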