I just checked the suricata.yaml file from the GIT repo...  the EXTERNAL_NET: any doesn't have any quotes...  However, if you want to change it to something other than any, put the quotes around it... <div><br></div><div>
ie: EXTERNAL_NET: !$HOME_NET </div><div><br></div><div>should actually be:</div><div><br></div><div>EXTERNAL_NET: "!$HOME_NET"<br><br></div><div>Somebody should put a note in the .yaml file somewhere!</div><div>
<br></div><div>See Yas!<br>~Brant</div><div><br><div class="gmail_quote">On Mon, Jul 11, 2011 at 3:37 PM, Matthew Jonkman <span dir="ltr"><<a href="mailto:jonkman@emergingthreatspro.com">jonkman@emergingthreatspro.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div style="word-wrap:break-word">Have you tried with <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>? I suspect suri is not liking the incorrect cidr mask....<div>
<br></div><div>Matt</div><div><div></div><div class="h5"><div><br></div><div><br><div><div>On Jul 11, 2011, at 3:15 PM, Brant Wells wrote:</div><br><blockquote type="cite">Hey Matt,<div><br></div><div>HOME_NET: "[<a href="http://192.168.0.0/8" target="_blank">192.168.0.0/8</a>, 208.67.222.222,208.67.220.220]"</div>
<div>EXTERNAL_NET: !$HOME_NET</div><div><br></div><div><br><br><div class="gmail_quote">
On Mon, Jul 11, 2011 at 3:12 PM, Matthew Jonkman <span dir="ltr"><<a href="mailto:jonkman@emergingthreatspro.com" target="_blank">jonkman@emergingthreatspro.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

<div style="word-wrap:break-word">How are you defining home and external nets and such?<div><br></div><div>Matt</div><div><br></div><div><br><div><div><div></div><div><div>On Jul 11, 2011, at 1:50 PM, Brant Wells wrote:</div>

<br></div></div><blockquote type="cite"><div><div></div><div>Hey Guys,<div><br></div><div><div>I have tried both of the following URLs in my oinkmaster.conf for pulling in the rules.</div><div><br></div><div>url = <a href="http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" target="_blank">http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz</a></div>


<div>url = <a href="http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz" target="_blank">http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz</a></div><div><br></div><div>The log entry below is what I get when running suricata without the --init-errors-fatal switch.</div>


<div>I have also attached my suricata.yaml as a text file.  </div><div><br></div><div>NOTE: IP Address Ranges have been changed...  I know <a href="http://192.168.0.0/8" target="_blank">192.168.0.0/8</a> ain't valid.</div>

<div><br></div>
<div>Any other ideas?</div><div><br></div><div>[LOG ENTRY]</div><div><div>[28480] 11/7/2011 -- 13:31:23 - (flow.c:787) <Info> (FlowInitConfig) -- initializing flow engine...</div><div>[28480] 11/7/2011 -- 13:31:23 - (flow.c:874) <Info> (FlowInitConfig) -- allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8</div>


<div>[28480] 11/7/2011 -- 13:31:23 - (flow.c:893) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 164</div><div>[28480] 11/7/2011 -- 13:31:23 - (flow.c:895) <Info> (FlowInitConfig) -- flow memory usage: 2164288 bytes, maximum: 33554432</div>


<div>[28480] 11/7/2011 -- 13:31:23 - (detect.c:503) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/screens/frameset.html"; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/\x2Fscreens\x2Fframeset\x2Ehtml.+Authorization\x3A Basic.{120}/msi"; classtype:attempted-dos; reference:url,<a href="http://www.securityfocus.com/bid/35805" target="_blank">www.securityfocus.com/bid/35805</a>; reference:url,<a href="http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml" target="_blank">www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml</a>; reference:cve,2009-1164; reference:url,<a href="http://doc.emergingthreats.net/2010674" target="_blank">doc.emergingthreats.net/2010674</a>; reference:url,<a href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN" target="_blank">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN</a>; sid:2010674; rev:5;)" from file /etc/suricata/rules/emerging-dos.rules at line 66</div>


</div><div>[END LOG ENTRY]</div><div><br></div><div>[BOTTOM OF LOG FILE]</div><div><div>[28709] 11/7/2011 -- 13:42:52 - (detect.c:635) <Info> (SigLoadSignatures) -- 7 rule files processed. 35 rules succesfully loaded, 6266 rules failed</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (detect.c:2396) <Info> (SigAddressPrepareStage1) -- 35 signatures processed. 0 are IP-only rules, 28 are inspecting packet payload, 13 inspect application layer, 0 are decoder event only</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (detect.c:2399) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete</div><div>[28709] 11/7/2011 -- 13:42:52 - (detect.c:3041) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (detect.c:3598) <Info> (SigAddressPrepareStage3) -- MPM memory 49690 (dynamic 49690, ctxs 0, avg per ctx 0)</div><div>[28709] 11/7/2011 -- 13:42:52 - (detect.c:3600) <Info> (SigAddressPrepareStage3) -- max sig id 35, array size 5</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (detect.c:3611) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete</div><div>[28709] 11/7/2011 -- 13:42:52 - (util-threshold-config.c:138) <Info> (SCThresholdConfInitContext) -- Global thresholding options defined</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (alert-fastlog.c:372) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log</div><div>[28709] 11/7/2011 -- 13:42:52 - (alert-unified2-alert.c:889) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename unified2.alert, limit 32 MB</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (runmodes.c:336) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring</div><div>[28709] 11/7/2011 -- 13:42:52 - (log-droplog.c:182) <Info> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log</div>


<div>[28710] 11/7/2011 -- 13:42:52 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth0</div><div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:355) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:367) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768</div><div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:384) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled</div><div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:392) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:408) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": enabled</div><div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:419) <Info> (StreamTcpInitConfig) -- stream."inline": disabled</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:428) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864</div><div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:438) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:461) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560</div><div>[28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:463) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560</div>


<div>[28709] 11/7/2011 -- 13:42:52 - (tm-threads.c:1488) <Info> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management threads initialized, engine started.</div></div><div>[END BOTTOM OF LOG FILE]</div>


<br><div class="gmail_quote">On Mon, Jul 11, 2011 at 11:44 AM, Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>Hi Brant, <br>
It would be helpful if you could provide some info regarding this from your suricata.log file, if possible, if you have configured that in your yaml file.</p><p>Thank you</p><div><div></div><div>
<div class="gmail_quote">On 11 Jul 2011 17:24, "Brant Wells" <<a href="mailto:bwells@tfc.edu" target="_blank">bwells@tfc.edu</a>> wrote:<br type="attribution">> Hi All,<br>> <br>> Not sure if this should be posted on the dev list or the users lists, so I<br>



> thought I'd ask here first...<br>> <br>> I'd like to use the Emerging Threats open rule sets for Suricata.  However,<br>> when I updated the rules, now when I run Suricata, with --init-errors-fatal,<br>



> I get<br>> <br>> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert udp<br>> $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS";<br>> content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; classtype: attempted-dos;<br>



> reference:url,<a href="http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml" target="_blank">www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml</a>;<br>> reference:url,<a href="http://doc.emergingthreats.net/bin/view/Main/2000010" target="_blank">doc.emergingthreats.net/bin/view/Main/2000010</a>; reference:url,<br>



> <a href="http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS" target="_blank">www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS</a>;<br>> sid:2000010; rev:11;)" from file /etc/suricata/rules/emerging-dos.rules at<br>



> line 54<br>> <br>> A ton of rule errors like that.  How can I find / fix them?  I am running<br>> 1.1 beta 2 (rev 047b19d) from the git repo...<br>> <br>> See Yas!<br>> ~Brant<br></div>
</div></div></blockquote></div><br></div>
</div></div><span><suricata.txt></span>_______________________________________________<div><br>Oisf-users mailing list<br><a href="mailto:Oisf-users@openinfosecfoundation.org" target="_blank">Oisf-users@openinfosecfoundation.org</a><br>

<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br></div></blockquote></div><div><br><div>
<div style="word-wrap:break-word">
<br>----------------------------------------------------<br>Matthew Jonkman<br><a href="http://Emergingthreats.net/" target="_blank">Emergingthreats.net</a><br>Emerging Threats Pro<br>
Open Information Security Foundation (OISF)<br>
Phone <a href="tel:866-504-2523%C2%A0x110" value="+18665042523" target="_blank">866-504-2523 x110</a><br><a href="http://www.emergingthreatspro.com/" target="_blank">http://www.emergingthreatspro.com</a><br><a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org</a><br>
----------------------------------------------------<br><br>PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br></div>
</div>
<br></div></div></div></blockquote></div><br></div>
</blockquote></div><br><div>
</div>
<br></div></div></div></div></blockquote></div><br></div>
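Added example (not part of the thread and not Suricata's own code): a stdlib-only Python check for the two configuration points raised above, an unquoted value starting with `!` (which YAML treats as a tag indicator rather than part of a plain string) and a CIDR entry with host bits set. The function name `lint_address_vars` and both sample configs are constructed for illustration from the values quoted in the thread.

```python
import ipaddress
import re

# Constructed samples based on the values quoted in the thread.
BROKEN = '''\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/8, 208.67.222.222,208.67.220.220]"
    EXTERNAL_NET: !$HOME_NET
'''

FIXED = '''\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16, 208.67.222.222,208.67.220.220]"
    EXTERNAL_NET: "!$HOME_NET"
'''

# Suricata rule variables are upper-case keys such as HOME_NET or HTTP_PORTS.
VAR_LINE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*?)\s*$')


def lint_address_vars(text):
    """Return (line_no, name, problem) tuples for risky variable values."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Drop trailing comments; commented-out keys never match VAR_LINE.
        m = VAR_LINE.match(line.split(' #')[0])
        if not m:
            continue
        name, raw = m.groups()
        quoted = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in '"\''
        # An unquoted leading "!" starts a YAML tag, so the negation is lost.
        if raw.startswith('!'):
            findings.append((no, name, 'unquoted "!" is a YAML tag; quote the value'))
        value = raw[1:-1] if quoted else raw
        # Split "[a, b,c]" style lists into single entries.
        for item in re.split(r'[\[\],\s]+', value):
            item = item.lstrip('!')
            if '/' not in item:
                continue
            try:
                # strict=True rejects networks whose host bits are set.
                ipaddress.ip_network(item, strict=True)
            except ValueError:
                findings.append((no, name, f'{item}: host bits set or bad mask'))
    return findings


if __name__ == '__main__':
    for finding in lint_address_vars(BROKEN):
        print('line %d: %s: %s' % finding)
```

Running such a check before starting Suricata with --init-errors-fatal catches the quoting mistake before it surfaces as thousands of SC_ERR_INVALID_SIGNATURE errors.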