<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
    <title></title>
  </head>
  <body bgcolor="#ffffff" text="#000000">
    Hi everyone,<br>
    <br>
    I removed the "distance:0;" tag, and the rule is processed. Now I
    have another error:<br>
    <br>
    [13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) &lt;Error&gt;
    (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] -
    unknown rule keyword 'fwsam'.<br>
    [13621] 29/11/2010 -- 17:29:13 - (detect.c:402) &lt;Error&gt;
    (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
    Error parsing signature "alert tcp $HOME_NET any &lt;&gt;
    [109.123.106.28,109.123.108.61,109.123.91.37,109.169.55.173,109.169.64.17,109.235.53.153,109.74.195.116,109.74.196.127,109.74.200.40,109.74.201.108]
    any (msg:"ET DROP Known Bot C&amp;C Traffic TCP (group 1) - BLOCKING
    SOURCE"; flags:S; reference:url,<a class="moz-txt-link-abbreviated" href="http://www.shadowserver.org">www.shadowserver.org</a>;
    reference:url,abuse.ch; threshold: type limit, track by_src, seconds
    3600, count 1; classtype:trojan-activity; sid:2405000; rev:2126;
    fwsam: dst, 30 days;)" from file
    /etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41<br>
    <br>
    Can I send the errors to this mailing list, or must I send them
    somewhere else?<br>
    <br>
    I don't want to abuse your courtesy.<br>
    <br>
    Thank you.<br>
    <br>
    Best regards!
    <br>
    <br>
    <br>
    On 29/11/2010 17.24, rmkml wrote:
    <blockquote cite="mid:alpine.DEB.2.00.1011291722460.4081@pc"
      type="cite">Hi Gerardo,
      <br>
      Could you test with "distance:0;" removed for sid 2011589 please?
      <br>
      Emerging: could you remove "distance:0;" for sid 2011589 please?
      <br>
      Regards
      <br>
      Rmkml
      <br>
      <br>
      <br>
      <br>
      On Mon, 29 Nov 2010, Gerardo De Felice wrote:
      <br>
      <br>
      <blockquote type="cite">Hi,
        <br>
        <br>
        I installed the new version of Suricata from git today.
        <br>
        <br>
        I get this error:
        <br>
        <br>
        <br>
        [13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629)
        &lt;Error&gt; (SigParseOptions) -- [ERRCODE:
        SC_ERR_RULE_KEYWORD_UNKNOWN( 100)] - unknown rule keyword
        'file_data'.
        <br>
        [13488] 29/11/2010 -- 16:17:26 - (detect.c:402) &lt;Error&gt;
        (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
        Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS
        -&gt; $HOME_NET any (msg:"ET ACTIVEX DB Software
        <br>
        Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods";
        flow:to_client,established; file_data; content:"CLSID"; nocase;
        content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;&nbsp;
        pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
        <br>
        classtype:web-application-attack; reference:bugtraq,31907;
        reference:url,milw0rm.com/exploits/6828;
        reference:url,doc.emergingthreats.net/2008789;
        <br>
        reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software</a>;
        sid:2008789; rev:5;)" from file
        /etc/suricata/rules/emerging-activex.rules at line 1460
        <br>
        <br>
        If I remove the file_data tag
        <br>
        <br>
        I get this error:
        <br>
        <br>
        [13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312)
        &lt;Error&gt; (DetectDistanceSetup) -- [ERRCODE:
        SC_ERR_INVALID_SIGNATURE(39)] - No related previous-previous
        content or pcre keyword
        <br>
        [13491] 29/11/2010 -- 16:18:10 - (detect.c:402) &lt;Error&gt;
        (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
        Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS
        -&gt; $HOME_NET any (msg:"ET ACTIVEX Microsoft
        <br>
        DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt";
        flow:to_client,established;
        content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase;
        distance:0; content:".CustomCompositorClass"; nocase;
        <br>
        pcre:"/&lt;OBJECT\s+[^&gt;]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si";
        classtype:web-application-attack;
        reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;<br>
        sid:2011589; rev:5;)" from file
        /etc/suricata/rules/emerging-activex.rules at line 1526
        <br>
        <br>
        <br>
        Best regards!
        <br>
        <br>
        <br>
      </blockquote>
    </blockquote>
    <br>
    <br>
    <div class="moz-signature">-- <br>
      <hr size="1" align="left" width="250"><br>
      <table>
        <tbody>
          <tr>
            <td valign="bottom"></td>
            <td valign="bottom"><span style="font-family: Times New
                Roman,Verdana,Tahoma; font-size: 16px; font-weight:
                bold; font-style: italic; color: rgb(0, 0, 0);">Gerardo
                De Felice</span><br>
              <span style="font-family: Times New Roman,Verdana,Tahoma;
                font-size: 16px; font-style: italic; color: rgb(0, 0,
                0);">Rete e Sistemi</span><br>
              <span style="font-family: Times New Roman,Verdana,Tahoma;
                font-size: 16px; font-style: italic; color: rgb(0, 0,
                0);">Servizi Tecnici</span></td>
          </tr>
        </tbody>
      </table>
      <table>
        <tbody style="font-family: Verdana,Tahoma; font-size: 10px;
          color: rgb(105, 105, 105);">
          <tr>
            <td colspan="2">Via di Casal Boccone 188-190, 00137 ROMA</td>
          </tr>
          <tr>
            <td width="60">Tel:</td>
            <td>+39 (06) 3993.37.33</td>
          </tr>
          <tr>
            <td>Cell:</td>
            <td>+39 (347) 14.51.239</td>
          </tr>
          <tr>
            <td>Fax:</td>
            <td>+39 (06) 3993.37.95</td>
          </tr>
          <tr>
            <td><br>
            </td>
            <td><br>
            </td>
          </tr>
          <tr>
            <td>E-mail:</td>
            <td><a href="mailto:g.defelice@gmatica.it">g.defelice@gmatica.it</a></td>
          </tr>
          <tr>
            <td>Web:</td>
            <td><a href="http://www.gmatica.it"><i>www.gmatica.it</i></a>
              - <a href="http://www.gbet.it"><i>www.gbet.it</i></a></td>
          </tr>
        </tbody>
      </table>
    </div>
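    The error output quoted in this thread comes in pairs: a line naming the root cause (an unknown keyword such as fwsam or file_data, or a distance:0 with no preceding content match) followed by a DetectLoadSigFile line that carries the full rule, its file and its line number. The following script, added here as an example and not part of the thread or of Suricata itself, pairs those lines and lists the sids and file positions that need attention before the ruleset loads cleanly; the sample log is a constructed, abbreviated copy of the lines reported above.

```python
import re
from collections import namedtuple

# Constructed sample in the format Suricata printed in the thread (rules shortened).
SAMPLE_LOG = """\
[13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'fwsam'.
[13621] 29/11/2010 -- 17:29:13 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any <> any any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; flags:S; sid:2405000; rev:2126; fwsam: dst, 30 days;)" from file /etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41
[13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No related previous-previous content or pcre keyword
[13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules at line 1526
"""

# "[pid] date -- time - (src.c:line) <Error> (Function) -- [ERRCODE: NAME(n)] - detail"
ERR_RE = re.compile(
    r"^\[\d+\] \S+ -- \S+ - \([^)]+\) <Error> \((?P<func>\w+)\) -- "
    r"\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<detail>.*)$")
LOAD_RE = re.compile(
    r'^Error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:\s*(?P<sid>\d+)\s*;")
KEYWORD_RE = re.compile(r"unknown rule keyword '(?P<kw>[^']+)'")

# sid is "?" when the rule text carried no sid option
BrokenRule = namedtuple("BrokenRule", "sid file line cause_code cause_detail")

def parse_rule_errors(log_text):
    """Pair each DetectLoadSigFile line with the root-cause error printed before it."""
    broken, pending = [], None
    for raw in log_text.splitlines():
        m = ERR_RE.match(raw.strip())
        if not m:
            continue
        if m["func"] != "DetectLoadSigFile":
            pending = m          # keep the cause until the load error for that rule arrives
            continue
        load = LOAD_RE.match(m["detail"])
        if not load:
            continue
        sid = SID_RE.search(load["rule"])
        cause = pending if pending else m   # fall back to the load line itself
        broken.append(BrokenRule(sid["sid"] if sid else "?", load["file"],
                                 int(load["line"]), cause["code"], cause["detail"]))
        pending = None
    return broken

def unknown_keywords(broken):
    """Keywords this Suricata build rejected (fwsam, file_data, ...)."""
    return {k["kw"] for r in broken for k in [KEYWORD_RE.search(r.cause_detail)] if k}

def lines_to_disable(broken):
    """(file, line) pairs to comment out or fix before reloading the ruleset."""
    return sorted({(r.file, r.line) for r in broken})
```

Running parse_rule_errors over the real suricata.log instead of SAMPLE_LOG gives the same records for every rule the engine refused to load.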
  </body>
</html>