<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">thank you for reply.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"></p>
<ol style="margin-bottom: 0px; margin-top: 0px;">
<li><span style="font-size: 12pt;"></span>instead of "xbits:noalert", noalert works, no error. <br>
</li><li>now the error is <span><Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - "isset,Metasploit.ContentKeeper.recon" is not a valid setting for xbits</span></li></ol>
<p></p>
<div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;" dir="ltr">
<br>
</div>
Thanks</div>
<div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;" dir="ltr">
Su<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>发件人:</b> Peter Manev <petermanev@gmail.com><br>
<b>发送时间:</b> 2018年9月7日 0:34<br>
<b>收件人:</b> suzhe_ffgg@outlook.com<br>
<b>抄送:</b> Open Information Security Foundation<br>
<b>主题:</b> Re: [Oisf-users] suricata do not support "xbits"</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">On Fri, Sep 7, 2018 at 9:09 AM 苏 哲 <suzhe_ffgg@outlook.com> wrote:<br>
><br>
><br>
><br>
><br>
> Hi,<br>
><br>
> I try suricata 4.0.5 and 4.1.0 and try "xbits" with this example, I receive error:<br>
><br>
><br>
> "noalert" is not a valid setting for xbits.<br>
><br>
<br>
instead of "xbits:noalert;"<br>
can you try just "noalert;" ?<br>
<br>
> "isset,is_attack_step1" is not a valid setting for xbits.<br>
<br>
That name - "is_attack_step1" is not present/set anywhere in the<br>
example , is that expected ? (so it can naturally complain about it)<br>
<br>
><br>
><br>
> I google xbits and those errors, but didn't find anyone talking about it.<br>
><br>
><br>
> is there anyone know what is the reason? and what should I do?<br>
><br>
><br>
> Thanks.<br>
><br>
> Su<br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>
> Site: <a href="http://suricata-ids.org" id="LPlnk764446" class="OWAAutoLink" previewremoved="true">
http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" id="LPlnk818254" class="OWAAutoLink" previewremoved="true">
http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" id="LPlnk961823" class="OWAAutoLink" previewremoved="true">
https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" id="LPlnk473744" class="OWAAutoLink" previewremoved="true">
https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" id="LPlnk53485" class="OWAAutoLink" previewremoved="true">
https://suricata-ids.org/training/</a><br>
<br>
<br>
<br>
-- <br>
Regards,<br>
Peter Manev<br>
</div>
</span></font></div>
</div>
</div>
</div>
</body>
</html>