Snort mailing list archives
snort2lua error
From: koppfabi <FabianMalte.Kopp () b-tu de>
Date: Wed, 14 Dec 2016 12:15:55 +0100
Hi
I encountered an error while converting the snapshot rules to snort3 rules.
snort2lua gave me this message for the protocoll-scada.rules file:
--[[ FAILED RULES CONVERSIONS:
These rules has invalid rule options
Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 502
(msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt";
flow:to_server,established; content:"|00 06|"; depth:2; offset:4;
modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2;
reference:cve,2013-2784; classtype:denial-of-service; sid:29965;
rev:2;)
^^^^ unknown_option=depth
^^^^ unknown_option=offset
--]]
I guess depth and offset are unknown... is there a way to fix this?
The script I used:
#!/bin/bash
# SNORT2LUA helper
echo "Snort2Lua rule converter"
mkdir -p new_rules
for file in rules/*.rules
do
    # remove header (first 20 lines); this edits the source file in place
    sed -i -e 1,20d "$file"
    # remove # and leading space (optional)
    sed -i 's/^#//;s/^[ \t]*//' "$file"
    name=${file##*/}
    base=${name%.rules}
    NEWNAME=new_${name}
    echo "$name"
    # -c source -r dest
    snort2lua -c "$file" -r "new_rules/$NEWNAME"
done
Kind regards,
Fabian
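
After a batch conversion like the one in the message above, it helps to know which rules were dropped so detection coverage is not lost silently. The following is an added example, not part of the original post or of the Snort project: it assumes the failure block has the layout quoted in the message, and the function names and the second sample rule (sid 1000001) are made up for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): list each rule snort2lua
# failed to convert together with the options it flagged.
# Assumption: the failure block looks like the one quoted in the message,
# with the rule text possibly wrapped over several lines.
summarize_failures() {   # prints "<sid> <opt>[,<opt>...]" per failed rule
    awk '
    function emit() {
        if (rule != "") {
            sid = "unknown"
            if (match(rule, /sid:[0-9]+/))
                sid = substr(rule, RSTART + 4, RLENGTH - 4)
            print sid, (opts == "" ? "-" : opts)
        }
        rule = ""; opts = ""; in_rule = 0
    }
    /Failed to convert rule:/ { emit(); in_rule = 1; rule = $0; next }
    /^[ \t]*\^\^\^\^/ {          # marker line naming the rejected option
        in_rule = 0
        if (match($0, /unknown_option=[A-Za-z_]+/)) {
            o = substr($0, RSTART + 15, RLENGTH - 15)
            opts = (opts == "" ? o : opts "," o)
        }
        next
    }
    /^--\]\]/ { emit(); next }   # end of the Lua comment block
    in_rule   { rule = rule " " $0 }
    END       { emit() }
    ' "$@"
}

sample_output() {   # constructed sample: rule 1 abridged from the post, rule 2 made up
    cat <<'EOF'
--[[ FAILED RULES CONVERSIONS:
These rules has invalid rule options
Failed to convert rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 502
(msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt";
modbus_data; content:"|00 00|"; depth:2; offset:2; sid:29965; rev:2;)
^^^^ unknown_option=depth
^^^^ unknown_option=offset
Failed to convert rule: alert tcp any any -> any 502 (msg:"constructed"; sid:1000001;)
^^^^ unknown_option=depth
--]]
EOF
}

# With file arguments, summarise those files; otherwise run on the sample.
if [ "$#" -gt 0 ]; then summarize_failures "$@"; else sample_output | summarize_failures; fi
```

Pass it whichever files hold the saved failure blocks; each output line gives a sid to review by hand before the converted rule set is deployed.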
