<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br></div><div>On 30 Dec 2016, at 12:16, Vieri &lt;<a href="mailto:rentorbuy@yahoo.com">rentorbuy@yahoo.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span>Hi,</span><br><span></span><br><span>The docs suggest that Suricata can load the VRT/Talos rulesets, but I'm seeing lots of errors such as:</span><br><span></span><br></div></blockquote><div><br></div><div>Some keywords are not supported.</div><div><br></div><br><blockquote type="cite"><div><span>[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</span><br></div></blockquote><div><br></div><div>This is good feedback from Suricata (including for rule writers) - the err msg is descriptive enough I think - pkt vs stream match.</div><br><blockquote type="cite"><div><span>[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/">www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/</a>; classtype:trojan-activity; sid:25675; rev:7;)" from file /etc/suricata/rules/community.rules at line 2431</span><br><span>[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content</span></div></blockquote><blockquote type="cite"><div><span></span><br><span>Can anyone please confirm that the Talos rules cannot be loaded in Suricata?</span><br><span></span><br></div></blockquote><div><br></div><div>Some rules will not load for the reasons explained above.</div><br><blockquote type="cite"><div><span>I would also like to know if the openappid Lua scripts can be used in Suricata 3.x with lua:[!]&lt;scriptfilename&gt;;.</span><br><span></span><br></div></blockquote><div><br></div><div><br></div><div>Lua scripts can be used - <a href="http://suricata.readthedocs.io/en/latest/rules/rule-lua-scripting.html">http://suricata.readthedocs.io/en/latest/rules/rule-lua-scripting.html</a> - openappid not.</div><br><blockquote type="cite"><div><span>Thanks,</span><br><span></span><br><span>Vieri</span><br><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br></div></blockquote></body></html>