<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Victor<BR> <BR>Thanks for your help. It was indeed the wrong set of rules. Downloaded again and all is good.<BR> <BR>Regards<BR>Lee<BR><br> <BR><div>> To: oisf-users@lists.openinfosecfoundation.org<br>> From: lists@inliniac.net<br>> Date: Thu, 14 Apr 2016 10:46:35 +0200<br>> Subject: Re: [Oisf-users] Errors on startup using ETPro Rules<br>> <br>> On 14-04-16 10:44, Victor Julien wrote:<br>> > On 14-04-16 10:42, Lee Walker wrote:<br>> >> I've been successfully using the Open rules on my Suricata installs, but<br>> >> since upgrading to latest ETPro rules I get the following errors on startup:<br>> >>  <br>> >> 14/4/2016 -- 08:49:10 - &lt;Error&gt; - [ERRCODE:<br>> >> SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'base64_decode'.<br>> >>  <br>> >> 14/4/2016 -- 08:49:07 - &lt;Error&gt; - [ERRCODE:<br>> >> SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding<br>> >> match in the same buffer<br>> >><br>> >> 14/4/2016 -- 08:49:07 - &lt;Error&gt; - [ERRCODE:<br>> >> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp<br>> >> $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO<br>> >> WEB_SPECIFIC_APPS WP Theme LFI Attempt"; flow:to_server,established;<br>> >> content:"GET"; http_method; content:"/wp-content/themes/"; http_uri;<br>> >> fast_pattern:only; content:"download.php?file="; http_uri;<br>> >> pcre:"/[^&]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Ri";<br>> >> reference:url,packetstormsecurity.net/1412-exploits/wptheme-download.txt; classtype:attempted-admin;<br>> >> sid:2809398; rev:1;)" from file<br>> >> 
/etc/suricata/pro-rules/rules/web_specific_apps.rules at line 21279<br>> >>  <br>> >> These errors will be repeated for several different rules and lines.<br>> > <br>> > What Suricata version are you running?<br>> > <br>> <br>> My version of this rule is quite different. Are you sure you're pulling<br>> the Suricata version of the ETPro ruleset?<br>> <br>> -- <br>> ---------------------------------------------<br>> Victor Julien<br>> http://www.inliniac.net/<br>> PGP: http://www.inliniac.net/victorjulien.asc<br>> ---------------------------------------------<br>> <br>> _______________________________________________<br>> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net<br></div>                                    </div></body>
</html>