[Oisf-users] [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
rmkml
rmkml at free.fr
Thu Aug 26 20:47:05 UTC 2010
Hi higgins,
Suricata sends an error because this sig contains "flow:established:from_server" used with the uricontent keyword.
uricontent is for the from_client side (or to_server).
Regards
Rmkml
On Thu, 26 Aug 2010, higgins1 at mts.net wrote:
> Received the following error when starting suricata with the emerging Threats rules
>
> [100411] 24/8/2010 -- 13:34:29 - (detect-parse.c:1219) <Error> (SigValidate) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use uricontent with flow:to_client or flow:from_server
> [100411] 24/8/2010 -- 13:34:29 - (detect.c:302) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Possible Request for Gootkit Iframe Script from Local Webserver"; flow:established,from_server; content:"GET "; nocase; depth:4; uricontent:"/scripts/iframe2.script"; nocase; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011288; rev:3;)" from file /usr/local/etc/suricata/rules/emerging-web_server.rules at line 164
>
> Is it by design that uricontent can't be used with "flow:established:from_server"?
>
> I have checked in the Writing Rules section of the latest snort user manual and there is no mention of this.
>
> Thanks
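
A pre-load check for the condition reported in the error above, as an added example that is not part of the original thread or of Suricata's own code: it scans rule lines for uricontent combined with flow:to_client or flow:from_server. The function names and the second and third sample rules are constructed for illustration; the first sample rule is shortened from the one quoted in the error.

```python
RESPONSE_SIDE = {"to_client", "from_server"}

def split_options(rule):
    """Split the (...) body on ';' while ignoring ';' inside quotes or after a backslash."""
    body = rule[rule.find("(") + 1:rule.rfind(")")]
    options, current, in_quotes, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quotes and not escaped:
            options.append(current.strip())
            current = ""
            continue
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = (ch == "\\") and not escaped
        current += ch
    pairs = []
    for opt in filter(None, options):
        key, _, value = opt.partition(":")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def check_rule(rule):
    """Return a finding string when uricontent is paired with a response-side flow."""
    opts = split_options(rule)
    directions = set()
    for key, value in opts:
        if key == "flow":
            directions |= {v.strip().lower() for v in value.split(",")}
    conflict = sorted(directions & RESPONSE_SIDE)
    if conflict and any(key == "uricontent" for key, _ in opts):
        sid = next((v for k, v in opts if k == "sid"), "unknown")
        return f"sid {sid}: uricontent with flow:{','.join(conflict)}"
    return None

def lint(lines):
    """Return (line_number, finding) for every active rule that would be rejected."""
    findings = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if line and not line.startswith("#"):
            finding = check_rule(line)
            if finding:
                findings.append((number, finding))
    return findings

# Constructed sample input; rule 1 is shortened from the rule in the error above.
SAMPLE = [
    'alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Possible Request for Gootkit Iframe Script from Local Webserver"; flow:established,from_server; content:"GET "; nocase; depth:4; uricontent:"/scripts/iframe2.script"; nocase; sid:2011288; rev:3;)',
    'alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed request-side rule"; flow:established,to_server; uricontent:"/scripts/iframe2.script"; nocase; sid:1000001; rev:1;)',
    '# alert tcp any any -> any any (flow:from_server; uricontent:"/x"; sid:1000002;)',
]
```

Calling `lint()` on the lines of a rules file before starting the engine lists each rule that would trigger this error, by line number and sid.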