
Converting Snort rules to TippingPoint filters with DV Converter

Johnb_2
Advisor


I have had a few filters that, when converted, had a content section fail the conversion because the content was empty. Snort ID 21070, for example. When I add this rule to the converter, it fails conversion because it doesn't have at least one string content set to match. In order to fix this, based on the examples in the help, I am supposed to add something from the payload to match. Based on glancing at this rule, I believe I should add "?spl=2" to the string match content so that the conversion tool is happy. Am I right or am I wrong?

 

Question 2:

What should we do to solve the issue of matching fewer than 5 characters in a string content match? There are certain rules that have 3 or 4 characters to match against in the Snort rule.
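
A pre-check along these lines can flag rules with no string content, or with a content match shorter than 5 bytes, before they are handed to the converter. This is an added example, not part of the original post and not code from the converter. The 5-byte threshold is taken from the post, the sample rules and SIDs are constructed, and counting only non-negated contents is an assumption.

```python
import re

MIN_LEN = 5  # threshold taken from the post; not confirmed against converter docs

# content:"..." / uricontent:"...", optional "!" negation, escaped quotes allowed.
CONTENT_RE = re.compile(r'\b(?:uri)?content\s*:\s*(!?)\s*"((?:\\.|[^"\\])*)"')

# Constructed sample rules (not real Snort SIDs).
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"constructed: pcre only"; pcre:"/\/[a-z]{8}\.php/U"; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed: short match"; content:"GET"; sid:1000002;)
alert tcp any any -> any 80 (msg:"constructed: hex and text"; content:"|0D 0A|User-Agent|3A| "; sid:1000003;)
'''

def decode_content(body):
    """Return the raw bytes a Snort content string matches (|..| is hex)."""
    out, in_hex, i = bytearray(), False, 0
    while i < len(body):
        ch = body[i]
        if ch == '|':                       # toggle hex mode
            in_hex = not in_hex
        elif in_hex:
            if not ch.isspace():            # two hex digits make one byte
                out.append(int(body[i:i + 2], 16))
                i += 1
        elif ch == '\\' and i + 1 < len(body):
            out += body[i + 1].encode()     # escaped character, e.g. \" or \;
            i += 1
        else:
            out += ch.encode()
        i += 1
    return bytes(out)

def check_rule(rule):
    """Classify one rule as no-content, short-content or ok."""
    sid = re.search(r'\bsid\s*:\s*(\d+)', rule)
    # Assumption: negated contents (content:!"...") do not count as a string to match.
    lengths = [len(decode_content(b)) for neg, b in CONTENT_RE.findall(rule) if not neg]
    if not lengths:
        status = "no-content"
    elif min(lengths) < MIN_LEN:
        status = "short-content"
    else:
        status = "ok"
    return {"sid": int(sid.group(1)) if sid else None, "status": status, "lengths": lengths}

def check_rules(text):
    """Check every non-blank, non-comment line of a rules file."""
    return [check_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

if __name__ == "__main__":
    for result in check_rules(SAMPLE_RULES):
        print(result)
```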