higgins1 at mts.net
Thu Aug 26 20:14:05 UTC 2010

Received the following error when starting Suricata with the Emerging Threats rules:

[100411] 24/8/2010 -- 13:34:29 - (detect-parse.c:1219) <Error> (SigValidate) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use uricontent with flow:to_client or flow:from_server
[100411] 24/8/2010 -- 13:34:29 - (detect.c:302) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Possible Request for Gootkit Iframe Script from Local Webserver"; flow:established,from_server; content:"GET "; nocase; depth:4; uricontent:"/scripts/iframe2.script"; nocase; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011288; rev:3;)" from file /usr/local/etc/suricata/rules/emerging-web_server.rules at line 164

Is it by design that uricontent can't be used with "flow:established:from_server"?

I have checked in the Writing Rules section of the latest Snort user manual and there is no mention of this.
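As an added example (not from this post and not Suricata's own code), a small Python lint that reproduces the SigValidate check behind the error above: it parses the quoted rule and flags uricontent combined with flow:to_client or flow:from_server, since the request URI that uricontent matches only exists in client-to-server traffic. OK_RULE is a constructed request-direction variant for comparison, not an Emerging Threats revision.

```python
# Rule quoted in the error above (ET sid 2011288 rev 3), references trimmed.
BAD_RULE = (
    'alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Possible '
    'Request for Gootkit Iframe Script from Local Webserver"; '
    'flow:established,from_server; content:"GET "; nocase; depth:4; '
    'uricontent:"/scripts/iframe2.script"; nocase; '
    'classtype:web-application-attack; sid:2011288; rev:3;)'
)
# Constructed variant (not an ET revision): request direction, so a URI exists.
OK_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"test"; '
    'flow:established,to_server; content:"GET "; nocase; depth:4; '
    'uricontent:"/scripts/iframe2.script"; nocase; sid:9000001; rev:1;)'
)

def split_options(opts):
    """Split 'k:v; k2; ...' into (key, value) pairs; ';' inside quotes is kept."""
    pairs, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                pairs.append((key.strip(), val.strip()))
            buf = []
            continue
        buf.append(ch)
    return pairs

def parse_rule(rule):
    """Return (header dict, option pairs) for a single-line Snort/Suricata rule."""
    head, _, rest = rule.strip().partition("(")
    fields = head.split()
    keys = ("action", "proto", "src", "sport", "direction", "dst", "dport")
    if len(fields) != len(keys):
        raise ValueError("malformed rule header: %r" % head)
    return dict(zip(keys, fields)), split_options(rest.rsplit(")", 1)[0])

def validate(rule):
    """Mimic SigValidate: uricontent needs a request, i.e. client-to-server flow."""
    _, opts = parse_rule(rule)
    flows = {f.strip() for k, v in opts if k == "flow" for f in v.split(",")}
    if any(k == "uricontent" for k, _ in opts) and flows & {"to_client", "from_server"}:
        return ["can't use uricontent with flow:to_client or flow:from_server"]
    return []
```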

