<p dir="ltr">Have you defined all vars? </p>
<p dir="ltr">Also, Suricata will still start, sans the rules it couldn't read. Plus one on using ET ruleset over VRT. </p>
<p dir="ltr">--<br>
Jeremy<br>
<a href="mailto:jskier@gmail.com">jskier@gmail.com</a></p>
<div class="gmail_quote">On Dec 18, 2014 11:18 PM,  <<a href="mailto:altang78@gogo.mn">altang78@gogo.mn</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p><span style="font-size:small">Hi all,</span></p>
<p><span style="font-size:small">I'm newbie to Suricata at all. I'm trying to experiment Suricata with VRT Snort rule set and using Oinkmaster as a rule management. Snort rules v.2970 were downloaded and extracted by Oinkmaster. I've downloaded classification and reference.conf file from Snort.org also. When I try to start suricata with the command: suricata -c suricata.yaml -i eth0 it displays a lot of error message on parsing the rules like following:</span></p>
<p>====================================================================================================================</p>
<p>19/12/2014 -- 12:50:00 -  - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content</p>
<p>19/12/2014 -- 12:50:00 -  - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session cookie denial of service"; flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-2012; reference:url,<a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-079" target="_blank">technet.microsoft.com/en-us/security/bulletin/ms11-079</a>; classtype:attempted-user; sid:30209; rev:3;)" from file /etc/suricata/rules/server-webapp.rules at line 1563</p>
<p>19/12/2014 -- 12:50:00 -  - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unknown byte_extract var seen in within - exifLen</p>
<p> </p>
<p>19/12/2014 -- 12:50:00 -  - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt"; flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body; content:"|FF E1|"; distance:0; http_client_body; byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|"; within:exifLen; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,<a href="http://www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/" target="_blank">www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/</a>; classtype:attempted-admin; sid:30249; rev:1;)" from file /etc/suricata/rules/server-webapp.rules at line 1566</p>
<p>19/12/2014 -- 12:50:00 -  - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "FILE_DATA_PORTS" is not defined in configuration file</p>
<p>19/12/2014 -- 12:50:00 -  - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client, established; file_data; content:"root:x:0:0:root:/root:/"; fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop, policy security-ips drop, service ft</p><br>_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br></blockquote></div>