<div dir="ltr">Guessing you are probably grabbing the wrong version of the rules. Should be something like..<div><div><br></div><div><a href="http://rules.emergingthreatspro.com/xxxxxxxxxxx/suricata/etpro.rules.tar.gz" target="_blank" style="font-family:arial,sans-serif;font-size:13px">http://rules.emergingthreatspro.com/xxxxxxxxxxx/suricata-2.0/etpro.rules.tar.gz</a><br>
</div></div><div class="gmail_extra"><br><br>Regards,</div><div class="gmail_extra"><br></div><div class="gmail_extra">Will<br><br><div class="gmail_quote">On Wed, Aug 20, 2014 at 4:08 PM, Russell Fulton <span dir="ltr"><<a href="mailto:r.fulton@auckland.ac.nz" target="_blank">r.fulton@auckland.ac.nz</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So far as I can tell the pulled pork has not fiddled with these so I am puzzled as to why they are generating errors:<br>
<br>
Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options<br>
Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:trojan-activity; sid:2018451; rev:3;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5286<br>

Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options<br>
Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,<a href="http://blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html" target="_blank">blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html</a>; classtype:trojan-activity; sid:2018459; rev:3;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5293<br>

Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options<br>
Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:trojan-activity; sid:2018595; rev:4;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5419<br>

<br>
Rules pulled from:<br>
<br>
<a href="http://rules.emergingthreatspro.com/xxxxxxxxxxx/suricata/etpro.rules.tar.gz" target="_blank">http://rules.emergingthreatspro.com/xxxxxxxxxxx/suricata/etpro.rules.tar.gz</a><br>
<br>
Russell<br>
<br>
PS I *really* appreciate that suri skips rules with errors and logs the whole rule!<br>
<br>
</blockquote></div><br></div></div>
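One way to triage a log like the one quoted above, as an added example that is not part of the original messages: it pairs each SC_ERR_INVALID_SIGNATURE entry with the parser error logged just before it and groups the skipped SIDs by that error. The function names are hypothetical, the sample is the quoted log with the syslog prefix and rule bodies abridged, and the pairing assumes the reason line directly precedes the rejected rule, as it does in the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted above, syslog prefix and rule bodies abridged.
SAMPLE_LOG = r'''
<Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014"; within:27; sid:2018451; rev:3;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5286
<Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound)"; within:120; sid:2018459; rev:3;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5293
<Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014"; within:27; sid:2018595; rev:4;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5419
'''

ERR_RE = re.compile(r"\[ERRCODE: (SC_ERR_\w+)\(\d+\)\] - (.*)$")
RULE_RE = re.compile(r'msg:"([^"]*)".*\bsid:(\d+);\s*rev:(\d+);.*from file (\S+) at line (\d+)')

def rejected_rules(log_text):
    """Pair each SC_ERR_INVALID_SIGNATURE entry with the parser error logged just before it."""
    rules, reason = [], (None, None)
    for line in log_text.splitlines():
        err = ERR_RE.search(line)
        if not err:
            continue
        code, text = err.groups()
        if code != "SC_ERR_INVALID_SIGNATURE":
            reason = (code, text.strip())  # remember why the next rule is rejected
            continue
        rule = RULE_RE.search(text)
        if rule:
            msg, sid, rev, path, lineno = rule.groups()
            rules.append({"sid": int(sid), "rev": int(rev), "msg": msg, "file": path,
                          "line": int(lineno), "reason_code": reason[0], "reason": reason[1]})
        reason = (None, None)  # a reason line applies to one rejected rule only
    return rules

def sids_by_reason(rules):
    """Group skipped SIDs by parser error so repeated failures of one kind stand out."""
    grouped = defaultdict(list)
    for r in rules:
        grouped[r["reason_code"]].append(r["sid"])
    return {code: sorted(sids) for code, sids in grouped.items()}

if __name__ == "__main__":
    for code, sids in sids_by_reason(rejected_rules(SAMPLE_LOG)).items():
        print(f"{code}: {len(sids)} rule(s) skipped, sids {sids}")
```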