<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
I removed the -BLOCK rules and I don't have the error.<br>
<br>
Now, I have this error<br>
<br>
[945] 30/11/2010 -- 11:17:59 - (detect-fast-pattern.c:197)
<Warning> (DetectFastPatternSetup) -- [ERRCODE:
SC_WARN_COMPATIBILITY(159)] - fast_pattern found inside the rule,
without a preceding content based keyword. Currently we provide
fast_pattern support for content and uricontent<br>
[945] 30/11/2010 -- 11:17:59 - (detect.c:402) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be
MSIE to PHP HTTP 1.0"; flow:established,to_server;
content:"|20|HTTP/1.0|0d 0a|User-Agent|3a
20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header;
fast_pattern; content:"Host|3a 20|"; http_header; distance:0;
content:!"Referer|3a 20|"; http_header; content:".php?"; nocase;
http_uri; classtype:trojan-activity; sid:2011938; rev:2;)" from file
/etc/suricata/rules/emerging-malware.rules at line 2649<br>
<br>
I tried to remove the fast_pattern tag, but I received this error:<br>
<br>
[967] 30/11/2010 -- 11:29:24 - (detect-distance.c:171) <Error>
(DetectDistanceSetup) -- [ERRCODE:
SC_ERR_WITHIN_MISSING_CONTENT(103)] - within needspreceeding content
or uricontent option<br>
[967] 30/11/2010 -- 11:29:24 - (detect.c:402) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be
MSIE to PHP HTTP 1.0"; flow:established,to_server;
content:"|20|HTTP/1.0|0d 0a|User-Agent|3a
20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header;
content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a
20|"; http_header; content:".php?"; nocase; http_uri;
classtype:trojan-activity; sid:2011938; rev:2;)" from file
/etc/suricata/rules/emerging-malware.rules at line 2649<br>
<br>
<br>
Best regards!<br>
<br>
On 29/11/2010 21.42, Matthew Jonkman wrote:
<blockquote
cite="mid:C7F19940-1F2F-4821-8C47-8B13C2B13710@emergingthreatspro.com"
type="cite">
<pre wrap="">Ya, looks like you're loading the -BLOCK rules, which are intended for snortsam use. We do not (yet) have a snortsam plugin for suricata. Use the non -BLOCK versions of those rules and you'll be fine!
Matt
On Nov 29, 2010, at 3:00 PM, rmkml wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
could you remove the "fwsam" option please?
Regards
Rmkml
On Mon, 29 Nov 2010, Gerardo De Felice wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi everyone,
I removed the "distance:0;" tag, and the rule is processed. Now I have another
error:
[13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) <Error>
(SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown
rule keyword 'fwsam'.
[13621] 29/11/2010 -- 17:29:13 - (detect.c:402) <Error> (DetectLoadSigFile)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
tcp $HOME_NET any <>
[109.123.106.28,109.123.108.61,109.123.91.37,109.169.55.173,109.169.64.17,109.235.53.153,109.74.195.116,109.74.196.127,109.74.200.40,109.74.201.108]
any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE";
flags:S; reference:url,<a class="moz-txt-link-abbreviated" href="http://www.shadowserver.org">www.shadowserver.org</a>; reference:url,abuse.ch;
threshold: type limit, track by_src, seconds 3600, count 1;
classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)" from
file /etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41
Can I send the errors to this mailing list, or must I send the errors somewhere
else?
I don't want to abuse your courtesy.
Thank you.
Best regards!
On 29/11/2010 17.24, rmkml wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Gerardo,
Could you test with "distance:0;" removed for sid 2011589 please?
Emerging: could you remove "distance:0;" for sid 2011589 please?
Regards
Rmkml
On Mon, 29 Nov 2010, Gerardo De Felice wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I installed the new version of suricata from git today.
I get this error:
[13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error>
(SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN( 100)] -
unknown rule keyword 'file_data'.
[13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"ET ACTIVEX DB Software
Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods";
flow:to_client,established; file_data; content:"CLSID"; nocase;
content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;
pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
classtype:web-application-attack; reference:bugtraq,31907;
reference:url,milw0rm.com/exploits/6828;
reference:url,doc.emergingthreats.net/2008789;
reference:url,<a class="moz-txt-link-abbreviated" href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software</a>;
sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
at line 1460
If I remove the file_data tag
I get this error:
[13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error>
(DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No
related previous-previous content or pcre keyword
[13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"ET ACTIVEX Microsoft
DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt";
flow:to_client,established;
content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0;
content:".CustomCompositorClass"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si";
classtype:web-application-attack;
reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
at line 1526
Best regards!
</pre>
</blockquote>
</blockquote>
<pre wrap="">
--
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
</pre>
</blockquote>
<pre wrap="">-
</pre>
<blockquote type="cite">
<pre wrap="">-
Gerardo De Felice
Rete e Sistemi
Servizi Tecnici
Via di Casal Boccone 188-190, 00137 ROMA
Tel: +39 (06) 3993.37.33
Cell: +39 (347) 14.51.239
Fax: +39 (06) 3993.37.95
E-mail: <a class="moz-txt-link-abbreviated" href="mailto:g.defelice@gmatica.it">g.defelice@gmatica.it</a> <a class="moz-txt-link-rfc2396E" href="mailto:g.defelice@gmatica.it"><mailto:g.defelice@gmatica.it></a>
Web: /www.gmatica.it/ <a class="moz-txt-link-rfc2396E" href="http://www.gmatica.it"><http://www.gmatica.it></a> - /www.gbet.it/
<a class="moz-txt-link-rfc2396E" href="http://www.gbet.it"><http://www.gbet.it></a>
This message and its attachments may contain confidential or privileged
information and are intended only for use by the addressees. Any use,
re-transmission or dissemination not authorized of it is prohibited. If you
received this e-mail in error, please inform the sender immediately and
delete all the material. Any unauthorized use of the content of this message
is strictly forbidden and the person responsible may incur penalties. (Rif.
D.Lgs. 196/2003). Thank you.
</pre>
</blockquote>
<pre wrap="">_______________________________________________
Oisf-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</pre>
</blockquote>
<pre wrap="">
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
<a class="moz-txt-link-freetext" href="http://www.emergingthreatspro.com">http://www.emergingthreatspro.com</a>
<a class="moz-txt-link-freetext" href="http://www.openinfosecfoundation.org">http://www.openinfosecfoundation.org</a>
----------------------------------------------------
PGP: <a class="moz-txt-link-freetext" href="http://www.jonkmans.com/mattjonkman.asc">http://www.jonkmans.com/mattjonkman.asc</a>
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<hr size="1" align="left" width="250"><br>
<table>
<tbody>
<tr>
<td valign="bottom"><img
src="cid:part1.01090209.06040209@gmatica.it"></td>
<td valign="bottom"><span style="font-family: Times New
Roman,Verdana,Tahoma; font-size: 16px; font-weight:
bold; font-style: italic; color: rgb(0, 0, 0);">Gerardo
De Felice</span><br>
<span style="font-family: Times New Roman,Verdana,Tahoma;
font-size: 16px; font-style: italic; color: rgb(0, 0,
0);">Rete e Sistemi</span><br>
<span style="font-family: Times New Roman,Verdana,Tahoma;
font-size: 16px; font-style: italic; color: rgb(0, 0,
0);">Servizi Tecnici</span></td>
</tr>
</tbody>
</table>
<table>
<tbody style="font-family: Verdana,Tahoma; font-size: 10px;
color: rgb(105, 105, 105);">
<tr>
<td colspan="2">Via di Casal Boccone 188-190, 00137 ROMA</td>
</tr>
<tr>
<td width="60">Tel:</td>
<td>+39 (06) 3993.37.33</td>
</tr>
<tr>
<td>Cell:</td>
<td>+39 (347) 14.51.239</td>
</tr>
<tr>
<td>Fax:</td>
<td>+39 (06) 3993.37.95</td>
</tr>
<tr>
<td><br>
</td>
<td><br>
</td>
</tr>
<tr>
<td>E-mail:</td>
<td><a href="mailto:g.defelice@gmatica.it">g.defelice@gmatica.it</a></td>
</tr>
<tr>
<td>Web:</td>
<td><a href="http://www.gmatica.it"><i>www.gmatica.it</i></a>
- <a href="http://www.gbet.it"><i>www.gbet.it</i></a></td>
</tr>
</tbody>
</table>
<br>
<span style="font-family: Arial; font-size: 8pt; color: rgb(191,
191, 191);">
This message and its attachments may contain confidential or
privileged information and are intended only for use by the
addressees. Any use, re-transmission or dissemination not
authorized of it is prohibited. If you received this e-mail in
error, please inform the sender immediately and delete all the
material. Any unauthorized use of the content of this message is
strictly forbidden and the person responsible may incur
penalties. (Rif. D.Lgs. 196/2003). Thank you. </span></div>
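<p>The errors in this thread share one cause: fast_pattern, distance and within attach to the content keyword before them, and a keyword the build does not know (fwsam) fails the whole signature. The Python below is an added example, not code from the thread or from Suricata, that checks a rule for exactly those conditions as the quoted error messages describe them; the BUFFER_MODIFIERS table, the UNKNOWN_KEYWORDS set and SAMPLE_RULE are constructed for the example.</p>

```python
import re
# What the parser errors in this thread imply: fast_pattern needs a preceding
# content/uricontent, distance/within need the content they modify plus an earlier
# "previous-previous" content or pcre, and snortsam's 'fwsam' is not a Suricata keyword.
BUFFER_MODIFIERS = {"http_uri": "uri", "http_header": "header", "http_client_body": "body"}
UNKNOWN_KEYWORDS = {"fwsam"}   # assumption: only the keyword the thread reports as unknown


def split_options(rule):
    """Yield (keyword, value) pairs from a rule's option body; ';' inside double quotes is kept."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule has no option body")
    buf, quoted = "", False
    for ch in m.group(1) + ";":          # trailing ';' flushes the last option
        if ch == '"':
            quoted = not quoted          # escaped quotes (\") are not handled here
        if ch == ";" and not quoted:
            if buf.strip():
                key, sep, val = buf.strip().partition(":")
                yield key.strip(), (val.strip() if sep else None)
            buf = ""
        else:
            buf += ch


def lint_rule(rule):
    """Return the problems found; an empty list means none of the thread's errors apply."""
    problems, anchors = [], []           # anchors: [keyword, buffer] per content/uricontent/pcre
    for key, _val in split_options(rule):
        if key in UNKNOWN_KEYWORDS:
            problems.append(f"unknown rule keyword '{key}'")
        elif key == "fast_pattern":
            # only a content/uricontent in the payload or uri buffer qualifies; an
            # http_header content (as in sid 2011938) or a pcre does not
            if not anchors or anchors[-1][1] not in ("payload", "uri"):
                problems.append("fast_pattern without a preceding content or uricontent")
        elif key in ("distance", "within"):
            if len(anchors) < 2:
                problems.append(f"{key}: no related previous-previous content or pcre keyword")
        elif key in BUFFER_MODIFIERS and anchors and anchors[-1][0] != "pcre":
            anchors[-1][1] = BUFFER_MODIFIERS[key]
        if key in ("content", "uricontent"):
            anchors.append([key, "uri" if key == "uricontent" else "payload"])
        elif key == "pcre":
            anchors.append(["pcre", "pcre"])
    return problems


# Constructed sample: a shortened form of the sid 2011589 rule quoted in the thread.
SAMPLE_RULE = ('alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX test"; '
               'content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; sid:2011589; rev:5;)')
```

Running lint_rule(SAMPLE_RULE) reports the distance problem from the thread; moving distance:0 behind a second content, as the rmkml reply suggests, makes the list empty.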
</body>
</html>