[Oisf-users] Most rules fail to load

rmkml rmkml at free.fr
Sat Jan 2 17:52:56 UTC 2010


Hi Rich,
sorry I didn't help,
but I have one question please, if you run suricata on a pcap file (-r option), do you get the "same" problem please ?
Regards
Rmkml
Crusoe-Researches.com


On Sat, 2 Jan 2010, Rich Rumble wrote:

> I've tried on two separate Fedora boxes now and run into the same
> issue, most rules fail to load from Snort or ET... only 5 rules total,
> out of hundreds if not thousands in all 71 rules files. I assume it's
> a known issue or " --init-errors-fatal" wouldn't be an arg?
>
> Attached is a complete start from this command on Fedora 12
> 2.6.31.9-174.fc12.i686
> /usr/local/bin/suricata -c suricata.yaml -i eth0 -s test.rule
> If it makes a difference I simply made a blank classification.config
> file as I have no idea what that file should contain or where to find
> a proper one, and commenting out the line in suricata.yaml had no
> effect on the error I was receiving for not having one.... I hope it's
> just F(edora)12 or me missing a dep or something...
> The 5 loaded rules come from these two files...
> [9624] 2/1/2010 -- 16:18:22 - (detect.c:268) <Info>
> (DetectLoadSigFile) -- 2 successfully loaded from file
> /etc/suricata/emerging-virus.rules.
> [9624] 2/1/2010 -- 16:18:26 - (detect.c:268) <Info>
> (DetectLoadSigFile) -- 3 successfully loaded from file
> /etc/suricata/emerging-current_events.rules.
> [9624] 2/1/2010 -- 16:18:26 - (detect.c:268) <Info>
> (DetectLoadSigFile) -- 0 successfully loaded from file test.rule.
> [9624] 2/1/2010 -- 16:18:26 - (detect.c:270) <Info>
> (DetectLoadSigFile) -- 1 sigs failed to load from file test.rule.
> That sig in test.rule is:
> alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT Foofus.net
> Password dumping, dll injection"; flow:to_server,established;
> content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|";
> classtype:suspicious-filename-detect; sid:999999; rev:1;)
> -rich
>
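The quoted message mentions a blank classification.config and a test rule that carries a classtype; the thread does not establish that this is why the rules fail, but a check worth running is to list the rules whose classtype is not defined in classification.config. Below is an added Python example, not part of the original post or of Suricata: the first rule is the test.rule quoted above, while the second rule and the minimal classification lines are constructed.

```python
import re

# Constructed sample inputs: rule 1 is the test.rule from the thread, rule 2 is made up.
SAMPLE_RULES = r'''# constructed rule file
alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; classtype:suspicious-filename-detect; sid:999999; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"constructed test"; \
    classtype:trojan-activity; sid:999998; rev:1;)
'''
BLANK_CLASSIFICATION = ""          # the blank file described in the thread
MINIMAL_CLASSIFICATION = '''config classification: trojan-activity,A Network Trojan was detected,1
config classification: attempted-recon,Attempted Information Leak,2
'''

CLASS_LINE = re.compile(r'^\s*config\s+classification:\s*([^,]+),')
CLASSTYPE_OPT = re.compile(r'classtype\s*:\s*([^;]+);')
SID_OPT = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def load_classtypes(text):
    """Set of classtype names defined by 'config classification:' lines."""
    return {m.group(1).strip() for m in map(CLASS_LINE.match, text.splitlines()) if m}

def iter_rules(text):
    """Yield (line_no, rule) for each rule, joining backslash-continued lines."""
    buf, start = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not buf:
            if not s or s.startswith('#'):
                continue              # blank line or comment
            start = no
        if s.endswith('\\'):          # rule continues on the next line
            buf.append(s[:-1])
            continue
        buf.append(s)
        yield start, ' '.join(buf)
        buf = []

def undefined_classtypes(rules_text, classification_text):
    """[(line_no, sid, classtype)] for rules whose classtype is not defined."""
    defined = load_classtypes(classification_text)
    problems = []
    for no, rule in iter_rules(rules_text):
        m = CLASSTYPE_OPT.search(rule)
        if m and m.group(1).strip() not in defined:
            sid = SID_OPT.search(rule)
            problems.append((no, sid.group(1) if sid else None, m.group(1).strip()))
    return problems

if __name__ == '__main__':
    for no, sid, ctype in undefined_classtypes(SAMPLE_RULES, BLANK_CLASSIFICATION):
        print(f'line {no} sid {sid}: classtype "{ctype}" not in classification.config')
```

Run it against a real rules directory by reading each .rules file and the installed classification.config into the two arguments; any line it reports is a rule the engine cannot map to a defined classtype.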


