Symptom
A rules file converted from Snort 2 to Snort 3 is not accepted when it is uploaded to the FMC.
The FMC reports the error "Syntax errors on the uploaded file. Download file with errors. Fix and re-upload".
Also, once a Snort 3 rule is on the FMC, editing the rule to change the SID value and then saving it does not reflect the new SID or the new port of protocol that was added, even though the FMC accepts the Save action. The behaviour is the same for a rule that was created directly as a Snort 3 rule.
The "Save as New" button has to be used to get a modified Snort 3 rule that reflects the modifications.
Conditions
FMC 7.1.0.1, with Snort 2 to Snort 3 rule conversion and upload.
Workaround
Open the customer_rules.txt file that is downloaded after the Snort 2 to Snort 3 conversion. In this case it looks as below.
alert tcp any any any !9200 ( sid:1000005; msg:"NOT-PORT-9200"; classtype:unusual-client-port-connection; rev:2; )
Remove the space in "any !9200" so that the rule reads as below.
alert tcp any any any!9200 ( sid:1000005; msg:"NOT-PORT-9200"; classtype:unusual-client-port-connection; rev:2; )
After this, the same file can be uploaded and the FMC accepts the edited file.
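The workaround above applied to every rule in a converted file, as an added example that is not Cisco's code. It assumes the only affected form is the one shown here, a negated numeric port as the last header field; the function names and all sample lines except the first rule are constructed.

```python
import re

# Last header field is a negated numeric port preceded by whitespace,
# e.g. "alert tcp any any any !9200 " (the case shown in the workaround).
_NEG_PORT = re.compile(r"^(?P<head>.*\S)\s+(?P<port>!\d+)(?P<tail>\s*)$")


def fix_rule(line):
    """Return (new_line, changed). Only the rule header (text before the
    first '(') is edited, so a '!' inside msg or other options is untouched."""
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#") or "(" not in line:
        return line, False
    header, paren, options = line.partition("(")
    m = _NEG_PORT.match(header)
    if not m:
        return line, False
    return f"{m['head']}{m['port']}{m['tail']}{paren}{options}", True


def fix_rules(text):
    """Apply fix_rule to each line; return (fixed_text, edited line numbers)."""
    out, edited = [], []
    for n, line in enumerate(text.splitlines(keepends=True), 1):
        new, changed = fix_rule(line)
        out.append(new)
        if changed:
            edited.append(n)
    return "".join(out), edited


# Constructed sample: the first rule is the one from the workaround above;
# the other two lines are made up to show what is left alone.
SAMPLE = (
    'alert tcp any any any !9200 ( sid:1000005; msg:"NOT-PORT-9200"; '
    'classtype:unusual-client-port-connection; rev:2; )\n'
    '# comment mentioning any !9200 stays as is\n'
    'alert tcp any any any 9200 ( sid:1000006; msg:"any !9200 in msg"; rev:1; )\n'
)

if __name__ == "__main__":
    fixed, edited = fix_rules(SAMPLE)
    print(fixed, end="")
    print("edited lines:", edited)
```

Review the list of edited line numbers before uploading, so that every change to the rule set is one you expected.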
Further Problem Description
A Snort 2 to Snort 3 converted file that contains the "!" condition is not accepted by the FMC.
There are also issues with modifying Snort 3 rules and saving them: the modifications are not reflected after saving.