Hi,
Downloaded emerging rules from Proofpoint Emerging Threats Rules
The following rule is found in http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-trojan.rules updated on 2025_02_22 .
alert tcp $EXTERNAL_NET 1337 -> $HOME_NET any (msg:"ET TROJAN implant.js CnC Activity (Evil Module Sent with DebugMode=ON)"; flow:established,to_client; flowbits:isset,ET.implantjs.ack; content:"|81 01|"; depth:2; byte_math:bytes 4, offset 0,oper +,rvalue 6,result length,relative; isdataat:!length; reference:url,GitHub - captainGeech42/implant.js: Proof-of-concept modular implant platform leveraging v8; reference:url,— DistrictCon; classtype:trojan-activity; sid:2060259; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2025_02_21, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag c2, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
and two or more rules have this byte_math.
This rule generates an error while running the test on my Linux desktop.
command: snort -Tc snort.conf
ERROR: trojan.rules(42657) Unknown rule option: 'byte_math'.
I verified the change logs and the following added rule causes the error.
2053792 - ET TROJAN [ANY.RUN] NjRat (tXRAT v.2.3R) Client Sends Check-in Packet (emerging-trojan.rules)
Looking for a suitable suggestion as to why this is throwing an error on my system.
Thanks,
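As an added check (not from the post, from Proofpoint or from Snort), the script below scans a rules file for rule options a given Snort build does not know, reports the line and sid of each offending rule, and can comment those rules out so `snort -T` loads the rest. The unsupported keyword is taken from the error above; the two sample rules are constructed inline, the first modelled on sid 2060259.

```python
import re

UNSUPPORTED = {"byte_math"}  # option keyword this Snort build rejects, per the error in the post

# Constructed sample: rule 1 is modelled on sid:2060259 above, rule 2 is a made-up control rule.
SAMPLE_RULES = "\n".join([
    'alert tcp $EXTERNAL_NET 1337 -> $HOME_NET any (msg:"ET TROJAN implant.js CnC Activity"; '
    'flow:established,to_client; content:"|81 01|"; depth:2; byte_math:bytes 4, offset 0,'
    'oper +,rvalue 6,result length,relative; isdataat:!length; sid:2060259; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"control; no byte_math"; '
    'content:"|00 01|"; depth:2; sid:9000001; rev:1;)',
])
RULE_RE = re.compile(r'^\s*(alert|drop|log|pass|reject|sdrop)\s+[^(]*\((.*)\)\s*$')

def split_options(body):
    """Split an option body on ';', ignoring ';' inside double-quoted values (e.g. msg)."""
    parts, cur, quoted = [], "", False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            parts.append(cur.strip()); cur = ""
        else:
            cur += ch
    return [p for p in parts + [cur.strip()] if p]

def rule_options(line):
    """Return {option: value} for an active rule line, None for comments/blank lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = {}
    for part in split_options(m.group(2)):
        name, _, value = part.partition(":")
        opts.setdefault(name.strip(), value.strip())  # keep first of repeated options
    return opts

def find_unsupported(rules_text, unsupported=UNSUPPORTED):
    """List (line_no, sid, option) for each active rule using an option the engine lacks."""
    hits = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        opts = rule_options(line) or {}
        for opt in sorted(set(opts) & unsupported):
            hits.append((n, opts.get("sid", "?"), opt))
    return hits

def disable_unsupported(rules_text, unsupported=UNSUPPORTED):
    """Return the file with offending rules commented out so `snort -T` can load the rest."""
    bad = {n for n, _, _ in find_unsupported(rules_text, unsupported)}
    return "\n".join("# " + l if n in bad else l
                     for n, l in enumerate(rules_text.splitlines(), 1))
```

Run `find_unsupported` over the downloaded rules file before reloading; each hit names the sid to disable or to keep until the engine is upgraded to a version that parses that option.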