<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hi Eric, </p>
<p style="margin-top:0;margin-bottom:0">Thank you for your reply.</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I read the whole Suricata document at the link you provided. </p>
<p style="margin-top:0;margin-bottom:0">In chapter 4.9, it says the syntax is:</p>
<p style="margin-top:0;margin-bottom:0"></p>
<pre style="margin-top:0;margin-bottom:0">xbits:noalert;
xbits:&lt;set|unset|isset|toggle&gt;,&lt;name&gt;,track &lt;ip_src|ip_dst|ip_pair&gt;;
xbits:&lt;set|unset|isset|toggle&gt;,&lt;name&gt;,track &lt;ip_src|ip_dst|ip_pair&gt; \
    [,expire &lt;seconds&gt;];
xbits:&lt;set|unset|isset|toggle&gt;,&lt;name&gt;,track &lt;ip_src|ip_dst|ip_pair&gt; \
    [,expire &lt;seconds&gt;];</pre>
<br>
<p></p>
<p style="margin-top:0;margin-bottom:0">but when I try the example (<a href="https://cipherdyne.org/fwsnort/xbits_metasploit_example.rules" class="OWAAutoLink" id="LPlnk194753" previewremoved="true">https://cipherdyne.org/fwsnort/xbits_metasploit_example.rules</a>),
 I find that it pops up an error that says:</p>
<p style="margin-top:0;margin-bottom:0">&lt;Error&gt; - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - "isset,Metasploit.ContentKeeper.recon" is not a valid setting for xbits.<br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I wonder whether anyone uses xbits? Did you not meet the same error?</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Thanks</p>
<p style="margin-top:0;margin-bottom:0">Su</p>
</div>
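<p style="margin-top:0;margin-bottom:0">Editor's note (not part of the thread): the option value in the error above, "isset,Metasploit.ContentKeeper.recon", has no track clause, while every set/unset/isset/toggle form in the syntax quoted from the manual ends in "track &lt;ip_src|ip_dst|ip_pair&gt;". The following is an added, stand-alone Python example that validates xbits option values against that documented grammar and rewrites a Snort/fwsnort-style "cmd,name" value into the Suricata form. It is not Suricata's own parser and does not reproduce its PCRE; the two sample rules are constructed for the example and only reuse the bit name from the thread. It accepts "xbits:noalert;" because the manual lists it, even though the thread shows the 4.0.5/4.1.0 binaries rejecting it.</p>

```python
import re

# Documented Suricata xbits grammar (manual chapter 4.9, rules/xbits.html):
#   xbits:noalert;
#   xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair>[,expire <seconds>];
COMMANDS = {"set", "unset", "isset", "toggle"}
TRACKERS = {"ip_src", "ip_dst", "ip_pair"}


def parse_xbits(value):
    """Parse the text between 'xbits:' and ';' into a dict.

    Raises ValueError with a message in the style of Suricata's
    '"..." is not a valid setting for xbits.' when the value does not
    fit the documented grammar. (Added example, not Suricata's parser.)
    """
    fields = [f.strip() for f in value.split(",")]
    if fields == ["noalert"]:
        return {"cmd": "noalert"}
    if len(fields) < 2 or fields[0] not in COMMANDS or not fields[1]:
        raise ValueError('"%s" is not a valid setting for xbits.' % value)
    opt = {"cmd": fields[0], "name": fields[1], "track": None, "expire": None}
    for extra in fields[2:]:
        m = re.fullmatch(r"(track|expire)\s+(\S+)", extra)
        if not m:
            raise ValueError('"%s" is not a valid setting for xbits.' % value)
        key, arg = m.groups()
        if key == "track":
            if arg not in TRACKERS:
                raise ValueError('"%s": unknown track target "%s"' % (value, arg))
            opt["track"] = arg
        else:
            if not arg.isdigit():
                raise ValueError('"%s": expire must be an integer' % value)
            opt["expire"] = int(arg)
    # The documented syntax never shows set/unset/isset/toggle without track,
    # so a missing track clause is treated as invalid here.
    if opt["track"] is None:
        raise ValueError('"%s" is not a valid setting for xbits (no track clause).' % value)
    return opt


def fix_snort_style(value, track="ip_src"):
    """Insert ',track <target>' after the name of a 'cmd,name[,...]' value that lacks it.

    'noalert' and values that already carry a track clause are returned unchanged.
    The default track target is an assumption; choose it per rule.
    """
    fields = [f.strip() for f in value.split(",")]
    if fields == ["noalert"] or any(f.startswith("track") for f in fields[2:]):
        return value
    if len(fields) >= 2 and fields[0] in COMMANDS:
        return ",".join(fields[:2] + ["track " + track] + fields[2:])
    return value


def check_rule(rule):
    """Return [(xbits_value, error_or_None), ...] for every xbits option in a rule line."""
    results = []
    for m in re.finditer(r"xbits:\s*([^;]+);", rule):
        value = m.group(1).strip()
        try:
            parse_xbits(value)
            results.append((value, None))
        except ValueError as exc:
            results.append((value, str(exc)))
    return results


# Constructed sample rules (not the cipherdyne file); only the bit name comes from the thread.
SNORT_STYLE_RULE = (
    'alert tcp any any -> $HOME_NET any (msg:"constructed step 2"; flow:to_server; '
    'xbits:isset,Metasploit.ContentKeeper.recon; sid:1000002; rev:1;)'
)
SURICATA_STYLE_RULE = (
    'alert tcp any any -> $HOME_NET any (msg:"constructed step 2"; flow:to_server; '
    'xbits:isset,Metasploit.ContentKeeper.recon,track ip_src; noalert; sid:1000002; rev:1;)'
)


if __name__ == "__main__":
    for rule in (SNORT_STYLE_RULE, SURICATA_STYLE_RULE):
        for value, err in check_rule(rule):
            print("%-60s %s" % (value, err or "OK"))
            if err:
                print("   suggested: xbits:%s;" % fix_snort_style(value))
```

<p style="margin-top:0;margin-bottom:0">Run as a script it flags the Snort-style value and prints the rewritten one; as in the thread, the plain "noalert" keyword is left as a separate rule option rather than folded into xbits.</p>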
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Eric Leblond &lt;eric@regit.org&gt;<br>
<b>Sent:</b> 10 September 2018 0:30:53<br>
<b>To:</b> 苏 哲; Peter Manev<br>
<b>Cc:</b> Open Information Security Foundation<br>
<b>Subject:</b> Re: [Oisf-users] Re: suricata do not support "xbits"</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hi,<br>
<br>
On Mon, 2018-09-10 at 07:08 +0000, 苏 哲 wrote:<br>
> is there anyone know how to use xbits?<br>
<br>
Did you check :<br>
<a href="https://suricata.readthedocs.io/en/suricata-4.0.5/rules/xbits.html">https://suricata.readthedocs.io/en/suricata-4.0.5/rules/xbits.html</a><br>
<br>
BR,<br>
<br>
> From: 苏 哲<br>
> Sent: 7 September 2018 6:01:23<br>
> To: Peter Manev<br>
> Cc: Open Information Security Foundation<br>
> Subject: Re: [Oisf-users] suricata do not support "xbits"<br>
>  <br>
> thank you for reply.<br>
> <br>
> instead of "xbits:noalert", noalert works, no error. <br>
> now the error is  &lt;Error&gt; - [ERRCODE: SC_ERR_PCRE_MATCH(2)] -<br>
> "isset,Metasploit.ContentKeeper.recon" is not a valid setting for<br>
> xbits<br>
> <br>
> Thanks<br>
> Su<br>
> <br>
> From: Peter Manev &lt;petermanev@gmail.com&gt;<br>
> Sent: 7 September 2018 0:34<br>
> To: suzhe_ffgg@outlook.com<br>
> Cc: Open Information Security Foundation<br>
> Subject: Re: [Oisf-users] suricata do not support "xbits"<br>
>  <br>
> On Fri, Sep 7, 2018 at 9:09 AM 苏 哲 &lt;suzhe_ffgg@outlook.com&gt; wrote:<br>
> ><br>
> > Hi,<br>
> ><br>
> > I tried Suricata 4.0.5 and 4.1.0 and tried "xbits" with this example; I<br>
> receive this error:<br>
> ><br>
> ><br>
> > "noalert" is not a valid setting for xbits.<br>
> ><br>
> <br>
> instead of "xbits:noalert;"<br>
> can you try just "noalert;" ?<br>
> <br>
> > "isset,is_attack_step1" is not a valid setting for xbits.<br>
> <br>
> That name, "is_attack_step1", is not present/set anywhere in the<br>
> example; is that expected? (so it can naturally complain about it)<br>
> <br>
> ><br>
> ><br>
> > I googled xbits and those errors, but didn't find anyone talking<br>
> about it.<br>
> ><br>
> ><br>
> > Does anyone know what the reason is? And what should I do?<br>
> ><br>
> ><br>
> > Thanks.<br>
> ><br>
> > Su<br>
> ><br>
> > _______________________________________________<br>
> > Suricata IDS Users mailing list: <br>
> oisf-users@openinfosecfoundation.org<br>
> > Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support:
<br>
> <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a><br>
> > List: <br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
> ><br>
> > Conference: <a href="https://suricon.net">https://suricon.net</a><br>
> > Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a><br>
> <br>
-- <br>
Eric Leblond &lt;eric@regit.org&gt;<br>
<br>
</div>
</span></font></div>
</body>
</html>