[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)

Victor Julien victor at inliniac.net
Fri Dec 3 20:42:17 UTC 2010


Gerardo De Felice wrote:
> I removed the -BLOCK rules and I don't have the error.
> 
> Now, I have this error
> 
> [945] 30/11/2010 -- 11:17:59 - (detect-fast-pattern.c:197) <Warning>
> (DetectFastPatternSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] -
> fast_pattern found inside the rule, without a preceding content based
> keyword.  Currently we provide fast_pattern support for content and
> uricontent
> [945] 30/11/2010 -- 11:17:59 - (detect.c:402) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP
> 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d
> 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|";
> http_header; fast_pattern; content:"Host|3a 20|"; http_header;
> distance:0; content:!"Referer|3a 20|"; http_header; content:".php?";
> nocase; http_uri; classtype:trojan-activity; sid:2011938; rev:2;)" from
> file /etc/suricata/rules/emerging-malware.rules at line 2649
> 
> I tried to remove the fast_pattern tag but I received this error:
> 
> [967] 30/11/2010 -- 11:29:24 - (detect-distance.c:171) <Error>
> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_WITHIN_MISSING_CONTENT(103)] -
> within needspreceeding content or uricontent option
> [967] 30/11/2010 -- 11:29:24 - (detect.c:402) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP
> 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d
> 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|";
> http_header; content:"Host|3a 20|"; http_header; distance:0;
> content:!"Referer|3a 20|"; http_header; content:".php?"; nocase;
> http_uri; classtype:trojan-activity; sid:2011938; rev:2;)" from file
> /etc/suricata/rules/emerging-malware.rules at line 2649
> 

I think this is due to missing fast_pattern and within (and offset,
depth, distance) support. This will be addressed in the next git master
push, probably after the weekend.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
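The two errors Gerardo pasted are both of the same shape: a keyword that is only meaningful relative to an earlier content match (fast_pattern, distance, within, offset, depth) is rejected because the parser does not see a content before it. The following is an added example, not code from the thread or from the Suricata project: a small rule-option linter in Python that tokenises the option block of a rule (respecting quoted strings, which may contain `;` or `(`), checks that relative modifiers are preceded by a content or uricontent, and can drop an option the way Gerardo dropped fast_pattern. The `http_header_breaks_chain` switch is an assumption used to model the limitation Victor points to (a content already redirected with http_header no longer counting as the "preceding content"); it is not taken from the Suricata source. The sample rule is the sid:2011938 rule from the error message, rejoined onto one line.

```python
"""Toy linter for the Suricata rule-option ordering errors seen in the thread.

Assumption (not from the Suricata source): with http_header_breaks_chain=True a
content that has been redirected with http_header is no longer treated as the
"preceding content" for fast_pattern/distance/within/offset/depth, which is
what the 2010 error messages in the thread suggest was happening.
"""

CONTENT_KEYWORDS = {"content", "uricontent"}
# Keywords that Suricata only accepts relative to a preceding content match.
RELATIVE_MODIFIERS = {"fast_pattern", "distance", "within", "offset", "depth"}

# The rule from the error message, rejoined onto one line (from the thread).
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; '
    'flow:established,to_server; '
    'content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; '
    'http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; '
    'content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; '
    'classtype:trojan-activity; sid:2011938; rev:2;)'
)


def _option_bounds(rule):
    """Locate the option block: first '(' and last ')' of the rule."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option block")
    return start, end


def split_options(rule):
    """Return [(keyword, value)] from the option block; value is None for
    flag-style keywords such as fast_pattern or http_header."""
    start, end = _option_bounds(rule)
    tokens, buf, in_quote, escaped = [], [], False, False
    for ch in rule[start + 1:end]:
        if escaped:                      # character after a backslash inside quotes
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:   # option separator only outside quotes
            tok = "".join(buf).strip()
            if tok:
                tokens.append(tok)
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        tokens.append(tail)
    result = []
    for tok in tokens:
        if ":" in tok:
            key, val = tok.split(":", 1)
            result.append((key.strip(), val.strip()))
        else:
            result.append((tok, None))
    return result


def lint_rule(rule, http_header_breaks_chain=False):
    """Return a list of problem strings, one per relative modifier that has
    no preceding content/uricontent. With http_header_breaks_chain=True the
    check reproduces the behaviour the thread shows (assumed model)."""
    problems, have_content = [], False
    for idx, (kw, _val) in enumerate(split_options(rule), start=1):
        if kw in CONTENT_KEYWORDS:
            have_content = True
        elif kw == "http_header" and http_header_breaks_chain:
            have_content = False
        elif kw in RELATIVE_MODIFIERS and not have_content:
            problems.append(f"option {idx}: '{kw}' has no preceding content/uricontent")
    return problems


def drop_option(rule, keyword):
    """Return the rule with every option named `keyword` removed (what Gerardo
    did with fast_pattern); the rule header and trailing text are kept."""
    start, end = _option_bounds(rule)
    kept = [(k, v) for k, v in split_options(rule) if k != keyword]
    body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in kept)
    return rule[:start] + "(" + body + ")" + rule[end + 1:]


if __name__ == "__main__":
    for problem in lint_rule(RULE, http_header_breaks_chain=True):
        print(problem)
    print("after dropping fast_pattern:",
          lint_rule(drop_option(RULE, "fast_pattern"), http_header_breaks_chain=True))
```

Run as-is, the linter reports both the fast_pattern and the distance problem in one pass, whereas Suricata stopped at the first one, which is why removing fast_pattern only moved the error to distance:0 rather than fixing the rule. With the switch off, the same rule lints clean, matching the plain "modifier needs a preceding content" rule.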