<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi everyone,<br>
<br>
I remove "distance:0;" tag, and the rules is processed. Now, i have
a other error:<br>
<br>
[13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) <Error>
(SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] -
unknown rule keyword 'fwsam'.<br>
[13621] 29/11/2010 -- 17:29:13 - (detect.c:402) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
Error parsing signature "alert tcp $HOME_NET any <>
[109.123.106.28,109.123.108.61,109.123.91.37,109.169.55.173,109.169.64.17,109.235.53.153,109.74.195.116,109.74.196.127,109.74.200.40,109.74.201.108]
any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING
SOURCE"; flags:S; reference:url,<a class="moz-txt-link-abbreviated" href="http://www.shadowserver.org">www.shadowserver.org</a>;
reference:url,abuse.ch; threshold: type limit, track by_src, seconds
3600, count 1; classtype:trojan-activity; sid:2405000; rev:2126;
fwsam: dst, 30 days;)" from file
/etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41<br>
<br>
I can send the errors on this mailing-list or I must send the errors
in other place?<br>
<br>
I dont' want abuse of your <span class="dct-tt">courtesy.</span><br>
<br>
Thank you.<br>
<br>
Best regards!
<br>
<br>
<br>
On 29/11/2010 17.24, rmkml wrote:
<blockquote cite="mid:alpine.DEB.2.00.1011291722460.4081@pc"
type="cite">Hi Gerardo,
<br>
Could you test with remove "distance:0;" for sid 2011589 please?
<br>
Emerging: could you remove "distance:0;" for sid 2011589 please?
<br>
Regards
<br>
Rmkml
<br>
<br>
<br>
<br>
On Mon, 29 Nov 2010, Gerardo De Felice wrote:
<br>
<br>
<blockquote type="cite">Hi,
<br>
<br>
I installated the new version of suricata from git today.
<br>
<br>
I get this error:
<br>
<br>
<br>
[13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629)
<Error> (SigParseOptions) -- [ERRCODE:
SC_ERR_RULE_KEYWORD_UNKNOWN( 100)] - unknown rule keyword
'file_data'.
<br>
[13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS
-> $HOME_NET any (msg:"ET ACTIVEX DB Software
<br>
Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods";
flow:to_client,established; file_data; content:"CLSID"; nocase;
content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;
pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
<br>
classtype:web-application-attack; reference:bugtraq,31907;
reference:url,milw0rm.com/exploits/6828;
reference:url,doc.emergingthreats.net/2008789;
<br>
reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software</a>;
sid:2008789; rev:5;)" from file
/etc/suricata/rules/emerging-activex.rules at line 1460
<br>
<br>
If I remove file_data tag
<br>
<br>
i get this error:
<br>
<br>
[13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312)
<Error> (DetectDistanceSetup) -- [ERRCODE:
SC_ERR_INVALID_SIGNATURE(39)] - No related previous-previous
content or pcre keyword
<br>
[13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS
-> $HOME_NET any (msg:"ET ACTIVEX Microsoft
<br>
DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt";
flow:to_client,established;
content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase;
distance:0; content:".CustomCompositorClass"; nocase;
<br>
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si";
classtype:web-application-attack;
reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;<br>
sid:2011589; rev:5;)" from file
/etc/suricata/rules/emerging-activex.rules at line 1526
<br>
<br>
<br>
Best regards!
<br>
<br>
<br>
</blockquote>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<hr size="1" align="left" width="250"><br>
<table>
<tbody>
<tr>
<td valign="bottom"><img
src="cid:part1.06010006.09090402@gmatica.it"></td>
<td valign="bottom"><span style="font-family: Times New
Roman,Verdana,Tahoma; font-size: 16px; font-weight:
bold; font-style: italic; color: rgb(0, 0, 0);">Gerardo
De Felice</span><br>
<span style="font-family: Times New Roman,Verdana,Tahoma;
font-size: 16px; font-style: italic; color: rgb(0, 0,
0);">Rete e Sistemi</span><br>
<span style="font-family: Times New Roman,Verdana,Tahoma;
font-size: 16px; font-style: italic; color: rgb(0, 0,
0);">Servizi Tecnici</span></td>
</tr>
</tbody>
</table>
<table>
<tbody style="font-family: Verdana,Tahoma; font-size: 10px;
color: rgb(105, 105, 105);">
<tr>
<td colspan="2">Via di Casal Boccone 188-190, 00137 ROMA</td>
</tr>
<tr>
<td width="60">Tel:</td>
<td>+39 (06) 3993.37.33</td>
</tr>
<tr>
<td>Cell:</td>
<td>+39 (347) 14.51.239</td>
</tr>
<tr>
<td>Fax:</td>
<td>+39 (06) 3993.37.95</td>
</tr>
<tr>
<td><br>
</td>
<td><br>
</td>
</tr>
<tr>
<td>E-mail:</td>
<td><a href="mailto:g.defelice@gmatica.it">g.defelice@gmatica.it</a></td>
</tr>
<tr>
<td>Web:</td>
<td><a href="http://www.gmatica.it"><i>www.gmatica.it</i></a>
- <a href="http://www.gbet.it"><i>www.gbet.it</i></a></td>
</tr>
</tbody>
</table>
<br>
<span style="font-family: Arial; font-size: 8pt; color: rgb(191,
191, 191);"> La presente comunicazione (ed eventuali allegati)
puo' contenere informazioni di carattere estremamente riservato
e confidenziale ed e' riservata esclusivamente ai destinatari.
Qualsiasi suo utilizzo, comunicazione o diffusione non
autorizzata e' proibita. Se ha ricevuto questa comunicazione per
errore, la preghiamo di darne immediata comunicazione al
mittente e di cancellare tutte le informazioni erroneamente
acquisite. Qualsivoglia utilizzo non autorizzato del contenuto
di questo messaggio espone il responsabile alle relative
conseguenze civili e penali. (Rif. D.Lgs. 196/2003). Grazie <br>
<br>
This message and its attachments may contain confidential or
privileged information and are intended only for use by the
addressees. Any use, re-transmission or dissemination not
authorized of it is prohibited. If you received this e-mail in
error, please inform the sender immediately and delete all the
material. Any unauthorized use of the content of this message is
strictly forbidden and the person responsible may incur
penalties. (Rif. D.Lgs. 196/2003). Thank you. </span></div>
</body>
</html>