<br><br><div class="gmail_quote">On Fri, Jul 27, 2012 at 2:33 AM, Russell Fulton <span dir="ltr"><<a href="mailto:r.fulton@auckland.ac.nz" target="_blank">r.fulton@auckland.ac.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Fixed original issue with rule parsing — pulledpork was picking up the snort tarball rather than the suricata one. I thought that I must somehow be using the snort rules but it took me a while to figure out what I screwed up.<br>
<br>
Now when I run suricata -T I get a warning:<br>
<br>
[rful011@nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml<br>
[sudo] password for rful011:<br>
27/7/2012 -- 12:17:55 - <Info> - Running suricata under test mode<br>
27/7/2012 -- 12:17:55 - <Info> - This is Suricata version 1.3 RELEASE<br>
27/7/2012 -- 12:17:55 - <Info> - CPUs/cores online: 4<br>
27/7/2012 -- 12:17:55 - <Info> - AutoFP mode using default "Active Packets" flow load balancer<br>
27/7/2012 -- 12:17:55 - <Info> - preallocated 1024 packets. Total memory 4302848<br>
27/7/2012 -- 12:17:55 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56<br>
27/7/2012 -- 12:17:55 - <Info> - preallocated 1000 hosts of size 112<br>
27/7/2012 -- 12:17:55 - <Info> - host memory usage: 341376 bytes, maximum: 16777216<br>
27/7/2012 -- 12:17:55 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56<br>
27/7/2012 -- 12:17:55 - <Info> - preallocated 10000 flows of size 272<br>
27/7/2012 -- 12:17:55 - <Info> - flow memory usage: 6390016 bytes, maximum: 33554432<br>
27/7/2012 -- 12:17:55 - <Info> - using magic-file /usr/share/file/magic<br>
27/7/2012 -- 12:17:57 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/local/suricata/etc/rules/local.rules <br></blockquote><div>1. Is this file existing and in that directory ?<br>2. is it empty?<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
No hints as to why nothing was loaded and and I can't post the contents since some of the rules there are from sources that forbid sharing.<br>
<br>
What things should I look out for when converting rules for suricata?<br>
<br>
when I try and run it with -D I get:<br>
<br>
[rful011@nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -D -c /usr/local/suricata/etc/suricata.yaml<br></blockquote><div><br>Here you are missing the interface - <br> sudo /usr/local/suricata/bin/suricata -D -c /usr/local/suricata/etc/suricata.yaml <u><b>-i eth0</b></u><br>
<br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
27/7/2012 -- 12:18:34 - <Info> - This is Suricata version 1.3 RELEASE<br>
27/7/2012 -- 12:18:34 - <Info> - CPUs/cores online: 4<br>
Suricata 1.3<br>
USAGE: /usr/local/suricata/bin/suricata<br>
<br>
-c <path> : path to configuration file<br>
.<br>
.<br>
.<br>
<br>
nothing in /var/log/messages or /var/log/suricata/*<br>
<br>
Is it just the warning which is stopping suri starting?<br>
<span class="HOEnZb"><font color="#888888"><br>
Russell<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
On 26/07/2012, at 2:10 PM, Russell Fulton wrote:<br>
<br>
> [rful011@nevil-res4 suricata-1.3]$ sudo /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml<br>
> 26/7/2012 -- 14:06:59 - <Info> - Running suricata under test mode<br>
> 26/7/2012 -- 14:06:59 - <Info> - This is Suricata version 1.3 RELEASE<br>
> 26/7/2012 -- 14:06:59 - <Info> - CPUs/cores online: 4<br>
> 26/7/2012 -- 14:06:59 - <Info> - AutoFP mode using default "Active Packets" flow load balancer<br>
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 1024 packets. Total memory 4302848<br>
> 26/7/2012 -- 14:06:59 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56<br>
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 1000 hosts of size 112<br>
> 26/7/2012 -- 14:06:59 - <Info> - host memory usage: 341376 bytes, maximum: 16777216<br>
> 26/7/2012 -- 14:06:59 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56<br>
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 10000 flows of size 272<br>
> 26/7/2012 -- 14:06:59 - <Info> - flow memory usage: 6390016 bytes, maximum: 33554432<br>
> 26/7/2012 -- 14:06:59 - <Info> - using magic-file /usr/share/file/magic<br>
> 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br>
> 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,<a href="http://doc.emergingthreats.net/2006385" target="_blank">doc.emergingthreats.net/2006385</a>; classtype:trojan-activity; sid:2006385; rev:8;)"<br>
><br>
><br>
> These are rules from the PRO ruleset that have been post processed by pulled pork.<br>
><br>
> Russell<br>
> _______________________________________________<br>
> Oisf-users mailing list<br>
> <a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div>Regards,</div>
<div>Peter Manev</div><br>