<div dir="ltr"><div dir="ltr">If you check the docs, the "track" keyword is not optional.<div>You should add it.</div><div><br></div><div>Also check the example signatures here: <a href="https://suricata.readthedocs.io/en/latest/rules/xbits.html#creating-a-ssh-blacklist">https://suricata.readthedocs.io/en/latest/rules/xbits.html#creating-a-ssh-blacklist</a></div><div><br></div><div>Regards</div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-09-10 13:53 GMT+02:00 苏 哲 <span dir="ltr">&lt;<a href="mailto:suzhe_ffgg@outlook.com" target="_blank">suzhe_ffgg@outlook.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_-2897372227489976159divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hi Eric, </p>
<p style="margin-top:0;margin-bottom:0">Thank you for your reply.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I read the whole Suricata document at the link you provided. </p>
<p style="margin-top:0;margin-bottom:0">In chapter 4.9, it says the syntax is:</p>
<p style="margin-top:0;margin-bottom:0"></p>
<pre style="font-family:monospace;font-size:12px;margin-top:0px;margin-bottom:0px;padding:12px;overflow:auto;line-height:normal;color:rgb(64,64,64)">xbits:noalert;
xbits:&lt;set|unset|isset|toggle&gt;,&lt;name&gt;,track &lt;ip_src|ip_dst|ip_pair&gt;;
xbits:&lt;set|unset|isset|toggle&gt;,&lt;name&gt;,track &lt;ip_src|ip_dst|ip_pair&gt; \
    [,expire &lt;seconds&gt;];
xbits:&lt;set|unset|isset|toggle&gt;,&lt;name&gt;,track &lt;ip_src|ip_dst|ip_pair&gt; \
    [,expire &lt;seconds&gt;];</pre>
<br>
<p></p>
<p style="margin-top:0;margin-bottom:0">But when I try the example (<a href="https://cipherdyne.org/fwsnort/xbits_metasploit_example.rules" class="m_-2897372227489976159OWAAutoLink" id="m_-2897372227489976159LPlnk194753" target="_blank">https://cipherdyne.org/fwsnort/xbits_metasploit_example.rules</a>), I find that it pops up an error saying:</p>
<p style="margin-top:0;margin-bottom:0">&lt;Error&gt; - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - "isset,Metasploit.ContentKeeper.recon" is not a valid setting for xbits.<br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I wonder whether anyone uses xbits? Didn't you meet the same error?</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Thanks</p>
<p style="margin-top:0;margin-bottom:0">Su</p>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-2897372227489976159divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Eric Leblond &lt;<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>&gt;<br>
<b>Sent:</b> September 10, 2018 0:30:53<br>
<b>To:</b> 苏 哲; Peter Manev<span class=""><br>
<b>Cc:</b> Open Information Security Foundation<br>
</span><b>Subject:</b> Re: [Oisf-users] Reply: suricata do not support "xbits"</font>
<div> </div>
</div><div><div class="h5">
<div class="m_-2897372227489976159BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="m_-2897372227489976159PlainText">Hi,<br>
<br>
On Mon, 2018-09-10 at 07:08 +0000, 苏 哲 wrote:<br>
> does anyone know how to use xbits?<br>
<br>
Did you check:<br>
<a href="https://suricata.readthedocs.io/en/suricata-4.0.5/rules/xbits.html" target="_blank">https://suricata.readthedocs.io/en/suricata-4.0.5/rules/xbits.html</a><br>
<br>
BR,<br>
<br>
> From: 苏 哲<br>
> Sent: September 7, 2018 6:01:23<br>
> To: Peter Manev<br>
> Cc: Open Information Security Foundation<br>
> Subject: Reply: [Oisf-users] suricata do not support "xbits"<br>
>  <br>
> Thank you for the reply.<br>
> <br>
> Instead of "xbits:noalert", "noalert" works, no error. <br>
> Now the error is  &lt;Error&gt; - [ERRCODE: SC_ERR_PCRE_MATCH(2)] -<br>
> "isset,Metasploit.ContentKeeper.recon" is not a valid setting for<br>
> xbits<br>
> <br>
> Thanks<br>
> Su<br>
> <br>
> From: Peter Manev &lt;<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>&gt;<br>
> Sent: September 7, 2018 0:34<br>
> To: <a href="mailto:suzhe_ffgg@outlook.com" target="_blank">suzhe_ffgg@outlook.com</a><br>
> Cc: Open Information Security Foundation<br>
> Subject: Re: [Oisf-users] suricata do not support "xbits"<br>
>  <br>
> On Fri, Sep 7, 2018 at 9:09 AM 苏 哲 &lt;<a href="mailto:suzhe_ffgg@outlook.com" target="_blank">suzhe_ffgg@outlook.com</a>&gt; wrote:<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > Hi,<br>
> ><br>
> > I tried suricata 4.0.5 and 4.1.0 and tried "xbits" with this example, and I<br>
> > received this error:<br>
> ><br>
> ><br>
> > "noalert" is not a valid setting for xbits.<br>
> ><br>
> <br>
> instead of "xbits:noalert;"<br>
> can you try just "noalert;" ?<br>
> <br>
> > "isset,is_attack_step1" is not a valid setting for xbits.<br>
> <br>
> That name - "is_attack_step1" - is not present/set anywhere in the<br>
> example, is that expected? (so it can naturally complain about it)<br>
> <br>
> ><br>
> ><br>
> > I googled xbits and those errors, but didn't find anyone talking<br>
> > about it.<br>
> ><br>
> ><br>
> > Does anyone know what the reason is? And what should I do?<br>
> ><br>
> ><br>
> > Thanks.<br>
> ><br>
> > Su<br>
> ><br>
> > _______________________________________________<br>
> > Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> > Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
> > List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> ><br>
> > Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><br>
> > Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><br>
> <br>
> <br>
> <br>
-- <br>
Eric Leblond &lt;<a href="mailto:eric@regit.org" target="_blank">eric@regit.org</a>&gt;<br>
<br>
</div>
</span></font></div>
</div></div></div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Davide Setti<br>R&amp;D and Incident Response Team, Certego</div></div>
</div></div>
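A small checker for the xbits option grammar quoted in the thread, added here as an example (not part of the thread, the cipherdyne rules, or Suricata itself): it applies the documented shape, an action, a name and a mandatory "track ip_src|ip_dst|ip_pair" part with an optional expire, to every xbits: option in a rule line and reports when the track part is missing, which is what produced the "is not a valid setting for xbits" error above. The rule lines below are constructed for this example; only the bit name Metasploit.ContentKeeper.recon comes from the thread.

```python
import re

# Documented xbits value shape (Suricata docs, as quoted in the thread):
#   xbits:noalert;
#   xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair>[,expire <seconds>];
XBITS_RE = re.compile(
    r"^(?P<action>set|unset|isset|toggle)\s*,\s*"
    r"(?P<name>[^\s,]+)\s*,\s*"
    r"track\s+(?P<track>ip_src|ip_dst|ip_pair)\s*"
    r"(?:,\s*expire\s+(?P<expire>\d+)\s*)?$"
)

def parse_xbits(value):
    """Return the parsed fields of one xbits value, or raise ValueError saying why."""
    v = value.strip()
    if v == "noalert":
        return {"action": "noalert"}
    m = XBITS_RE.match(v)
    if m:
        fields = m.groupdict()
        if fields["expire"] is not None:
            fields["expire"] = int(fields["expire"])
        return fields
    # The mistake from the thread: a valid action and name, but no "track" part.
    parts = [p.strip() for p in v.split(",")]
    if len(parts) >= 2 and parts[0] in ("set", "unset", "isset", "toggle") \
            and not any(p.startswith("track") for p in parts):
        raise ValueError(f'"{value}" is missing the mandatory "track <ip_src|ip_dst|ip_pair>" part')
    raise ValueError(f'"{value}" is not a valid setting for xbits')

def check_rule(rule):
    """Check every xbits: option in one rule line; returns [(value, ok, message), ...]."""
    results = []
    for m in re.finditer(r"xbits:([^;]*);", rule):
        value = m.group(1)
        try:
            parse_xbits(value)
            results.append((value, True, "ok"))
        except ValueError as err:
            results.append((value, False, str(err)))
    return results

# Constructed rule lines for this example (not the cipherdyne rules from the thread).
BROKEN_RULE = (
    'alert tcp any any -> $HOME_NET any (msg:"follow-up after recon"; flow:to_server; '
    "xbits:isset,Metasploit.ContentKeeper.recon; sid:9000002; rev:1;)"
)
FIXED_RULES = [
    'alert tcp any any -> $HOME_NET any (msg:"recon seen"; flow:to_server; '
    "xbits:set,Metasploit.ContentKeeper.recon,track ip_src,expire 120; noalert; sid:9000001; rev:1;)",
    'alert tcp any any -> $HOME_NET any (msg:"follow-up after recon"; flow:to_server; '
    "xbits:isset,Metasploit.ContentKeeper.recon,track ip_src; sid:9000002; rev:1;)",
]

if __name__ == "__main__":
    for rule in [BROKEN_RULE] + FIXED_RULES:
        for value, ok, message in check_rule(rule):
            print(("OK  " if ok else "ERR "), value, "->", message)
```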