<html><body><div style="font-family: courier new,courier,monaco,monospace,sans-serif; font-size: 10pt; color: #000000"><div style="font-family: courier new,courier,monaco,monospace,sans-serif; font-size: 10pt; color: #000000">Resolved. Had a strange character in the file.<br><br><span id="zwchr" data-marker="__DIVIDER__">----- On 3 Nov, 2017, at 15:09, Phil Daws &lt;uxbod@splatnix.net&gt; wrote:<br></span><div data-marker="__QUOTED_TEXT__"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div style="font-family: courier new,courier,monaco,monospace,sans-serif; font-size: 10pt; color: #000000"><div>Hello,<br><br>Have upgraded to Suricata v4.0.1 and now the IP reputation is no longer working.  The error when I check the configuration is:<br><br>3/11/2017 -- 14:38:01 - &lt;Error&gt; - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "BadHosts"<br>3/11/2017 -- 14:38:01 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> any any (msg:"IPREP High Risk"; iprep:src,BadHosts,>,99; sid:3790031; rev:1;)" from file /etc/suricata/rules/local.rules at line 2<br>3/11/2017 -- 14:38:01 - &lt;Error&gt; - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.<br><br>and the rule that is in use:<br><br>alert ip any any -> any any (msg:"IPREP High Risk"; iprep:src,BadHosts,>,99; sid:3790031; rev:1;)<br><br>It believes that the category is not there but it is:<br><br>cat /etc/suricata/iprep/categories.txt<br>1,BadHosts,Bad Host<br>2,GoodHosts,Known Good Host<br><br>and is being referenced correctly in suricata.yaml:<br><br># IP Reputation<br>reputation-categories-file: /etc/suricata/iprep/categories.txt<br>default-reputation-path: /etc/suricata/iprep<br>reputation-files:<br> - reputation.list<br><br>Any thoughts as to what the error is please?<br><br>Thanks - 
Phil</div><br></div>
<br><br>
</blockquote></div></div><br></div>
<br><br>
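<div>An added example, not part of the original thread and not Suricata code: a Python check that lists every non-printable or non-ASCII character in a categories file by line and column, then reports iprep categories named in a rule that an exact-match lookup of that file does not find. The thread does not say which file or which character was involved; the sample bytes and function names below are constructed for illustration, and the lookup is this script's own, not Suricata's parser.</div>

```python
import re
import unicodedata

# Constructed sample (not from the thread): a categories file that looks
# correct in `cat` but has a zero-width space after "BadHosts" and a CR
# at the end of line 2.
SAMPLE_CATEGORIES = (b"1,BadHosts\xe2\x80\x8b,Bad Host\n"
                     b"2,GoodHosts,Known Good Host\r\n")
CLEAN_CATEGORIES = b"1,BadHosts,Bad Host\n2,GoodHosts,Known Good Host\n"
RULE = ('alert ip any any -> any any (msg:"IPREP High Risk"; '
        'iprep:src,BadHosts,>,99; sid:3790031; rev:1;)')


def find_odd_chars(raw):
    """Return (line, column, description) for each char outside printable ASCII."""
    findings = []
    for line_no, line in enumerate(raw.split(b"\n"), start=1):
        text = line.decode("utf-8", errors="replace")
        for col, ch in enumerate(text, start=1):
            if not (ch.isascii() and ch.isprintable()):
                name = unicodedata.name(ch, "control character")
                findings.append((line_no, col, "U+%04X %s" % (ord(ch), name)))
    return findings


def parse_categories(raw):
    """Map short name to id for 'id,short name,description' lines, names kept as stored."""
    names = {}
    for line in raw.decode("utf-8", errors="replace").split("\n"):
        parts = line.split(",", 2)
        if len(parts) == 3 and not line.startswith("#"):
            names[parts[1]] = parts[0]
    return names


def missing_categories(rule, raw):
    """Return iprep categories named in the rule but absent from the file."""
    wanted = re.findall(r"iprep:\s*[^,;]+,\s*([^,;\s]+)\s*,", rule)
    known = parse_categories(raw)
    return [name for name in wanted if name not in known]


if __name__ == "__main__":
    for line_no, col, what in find_odd_chars(SAMPLE_CATEGORIES):
        print("line %d, column %d: %s" % (line_no, col, what))
    print("unresolved:", missing_categories(RULE, SAMPLE_CATEGORIES))
```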
<br><pre></pre><br></body></html>