Hi,
I downloaded the emerging rules from Proofpoint Emerging Threats Rules.
The following rule is found in http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-trojan.rules, updated on 2024_06_21.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [ANY.RUN] NjRat (tXRAT v.2.3R) Client Sends Check-in Packet"; flow:established,to_server;
content:"tXInfoClient|7c|"; offset:3; depth:20; fast_pattern; pcre:"/^\d{2,4}\x00/"; byte_jump:0,0,string,dec; isdataat:!2,relative;
reference:md5,917d3bcc7cbe4668fa22b8bc2f0a4092; reference:url,community.emergingthreats.net/t/njrat-variant-txrat-v-2-3r;reference:url,checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/; classtype:trojan-activity; sid:2053792; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_06_21, deployment Perimeter, malware_family njrat, confidence High, signature_severity Critical, tag RAT,
updated_at 2024_06_21;)
This rule generates an error while running a test on my Linux desktop.
Command: snort -Tc snort.conf
ERROR: trojan.rules(35015): byte_jump can't process more than 10 bytes!
Fatal Error, Quitting…
I verified the change logs, and the following added rule causes the error:
2053792 - ET TROJAN [ANY.RUN] NjRat (tXRAT v.2.3R) Client Sends Check-in Packet (emerging-trojan.rules)
Looking for a suitable suggestion as to why this is throwing an error on my system.
Thanks,