Why SnortConverter is failing or unable to generate simple rule like this?

[blason]

Hi Guys,

Is anyone SnortCoverter expert here? I am trying to export a Snort rules using SnortConverter, couple of other rules are getting exported correctly but not sure what is this cribbing about?

This is failing
alert udp any any -> 104.199.121.36 any (msg:"ET CNC Shadowserver Reported CnC Server UDP group 2";)

0/1 rules were successfully converted, total of 0 IPS protections were found.
For more details please see $FWDIR/log/SnortConvertor.elg file.
The configuration is up to date, therefore no changes were made.

##################

And this is successful

[Expert@GPMGMT:0]# SnortConvertor update -f test2.rules
1/1 rules were successfully converted, total of 1 IPS protections were found.
1/1 IPS protections were updated
Updating database...

alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9;)

[blason]

Well I feel it doesn't like IP address mentioned in the signature..Any idea how to override that?

[blason]

OK - I figured it out the issue and able to import the rule :)

CP does not like the Snort rule without content keyword, I added that it got imported perfectly!

[Chili]

Hi Blason,

I have the same problem you had.
Is there any relevant need of the content option which CP tries to enforce?
Do I have specific content options or can I just add what I like to add?
I tried quotes without contents. This caused a coredump :D

Thanks in advance.

BR
Sven

[Chili]

I have to add that I wanted to add a rule that works like a blacklist without triggering specific content.