Matt Jonkman jonkman at jonkmans.com
Thu Aug 26 20:54:24 UTC 2010

Aha, got it. It is a rule problem. Thanks to suricata for telling us
about it.

We had direction wrong on the flow, and the http_ports in the wrong place.

I've fixed both, pushing the new rule in just a couple minutes. Can you
update later and let me know if this is resolved?



On 8/26/10 4:47 PM, rmkml wrote:
> Hi higgins,
> Suricata sends an error because this sig contains "flow:established:from_server" used with the uricontent keyword.
> uricontent is for the from_client side (or to_server).
> Regards
> Rmkml
> On Thu, 26 Aug 2010, higgins1 at mts.net wrote:
>> Received the following error when starting suricata with the Emerging Threats rules
>> [100411] 24/8/2010 -- 13:34:29 - (detect-parse.c:1219) <Error> (SigValidate) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use uricontent with flow:to_client or flow:from_server
>> [100411] 24/8/2010 -- 13:34:29 - (detect.c:302) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET WEB_SERVER Possible Request for Gootkit Iframe Script from Local Webserver"; flow:established,from_server; content:"GET "; nocase; depth:4; uricontent:"/scripts/iframe2.script"; nocase; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011288; rev:3;)" from file /usr/local/etc/suricata/rules/emerging-web_server.rules at line 164
>> Is it by design that uricontent can't be used with "flow:established:from_server"?
>> I have checked in the Writing Rules section of the latest snort user manual and there is no mention of this.
>> Thanks
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
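As an added illustration (not code from this thread, Suricata or the ET ruleset), a small Python lint that parses the rule quoted above, flags the uricontent/from_server conflict that SigValidate rejects and the $HTTP_PORTS placement Matt mentions, and applies the fix he describes (endpoints swapped, flow reversed). The corrected rule it produces is a reconstruction from his description, not the published revision, and treating `http_uri` like `uricontent` is my assumption.

```python
import re

# Constructed sample: the rev:3 rule quoted in the thread, reference options omitted for brevity.
BROKEN = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any '
          '(msg:"ET WEB_SERVER Possible Request for Gootkit Iframe Script from Local Webserver"; '
          'flow:established,from_server; content:"GET "; nocase; depth:4; uricontent:"/scripts/iframe2.script"; '
          'nocase; classtype:web-application-attack; sid:2011288; rev:3;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
FIELDS = ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')
REQUEST_BUFFERS = {'uricontent', 'http_uri'}   # both inspect the client's request URI (http_uri: assumption)
SERVER_FLOW = {'to_client', 'from_server'}     # flow keywords that mean "server -> client"
FLIP = {'from_server': 'to_server', 'to_client': 'from_client',
        'to_server': 'from_server', 'from_client': 'to_client'}

def parse_rule(rule):
    """Split a rule into a header dict and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m: raise ValueError('unparseable rule header')
    hdr = dict(zip(FIELDS, m.groups()[:7]))
    opts, cur, quoted = [], [], False
    for ch in m.group(8):
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:               # option terminator outside a quoted value
            key, _, val = ''.join(cur).strip().partition(':')
            opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    return hdr, opts

def lint_rule(rule):
    """Return the problems SigValidate would reject, plus the mis-placed $HTTP_PORTS Matt mentions."""
    hdr, opts = parse_rule(rule)
    flow = {f.strip() for k, v in opts if k == 'flow' for f in v.split(',')}
    has_uri = any(k in REQUEST_BUFFERS for k, _ in opts)
    problems = []
    if has_uri and flow & SERVER_FLOW:
        problems.append('uricontent with flow:' + ','.join(sorted(flow & SERVER_FLOW)))
    if has_uri and hdr['dir'] == '->' and hdr['sport'] == '$HTTP_PORTS':
        problems.append('$HTTP_PORTS on the source side of a request-matching rule')
    return problems

def fix_direction(rule):
    """Apply the fix described in the thread: swap the endpoints and reverse the flow keywords."""
    hdr, opts = parse_rule(rule)
    hdr['src'], hdr['sport'], hdr['dst'], hdr['dport'] = hdr['dst'], hdr['dport'], hdr['src'], hdr['sport']
    opts = [(k, ','.join(FLIP.get(f, f) for f in v.split(',')) if k == 'flow' else v) for k, v in opts]
    body = ' '.join(k + (':' + v if v else '') + ';' for k, v in opts)
    return '{action} {proto} {src} {sport} {dir} {dst} {dport} ({body})'.format(body=body, **hdr)
```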
