[Oisf-users] Most rules fail to load
William Metcalf
william.metcalf at gmail.com
Sat Jan 2 22:03:28 UTC 2010
Currently you need a valid classification.config file, which can be
found in the snort source or in the brt rules. I think in the future
we will get rid of this requirement by setting some sane default
classification and priority if the file is not present.
Regards,
Will
Sent from my iPhone
On Jan 2, 2010, at 11:52 AM, rmkml <rmkml at free.fr> wrote:
> Hi Rich,
> sorry I didn't help,
> but I have one question please: if you run suricata on a pcap file (-r
> option), do you have the "same" pb please?
> Regards
> Rmkml
> Crusoe-Researches.com
>
>
> On Sat, 2 Jan 2010, Rich Rumble wrote:
>
>> I've tried on two separate Fedora boxes now and run into the same
>> issue, most rules fail to load from Snort or ET... only 5 rules
>> total,
>> out of hundreds if not thousands in all 71 rules files. I assume it's
>> a known issue or " --init-errors-fatal" wouldn't be an arg?
>>
>> Attached is a complete start from this command on Fedora 12
>> 2.6.31.9-174.fc12.i686
>> /usr/local/bin/suricata -c suricata.yaml -i eth0 -s test.rule
>> If it makes a difference I simply made a blank classification.config
>> file as I have no idea what that file should contain or where to find
>> a proper one, and commenting out the line in suricata.yaml had no
>> effect on the error I was receiving for not having one.... I hope
>> it's
>> just F(edora)12 or me missing a dep or something...
>> The 5 loaded rules come from these two files...
>> [9624] 2/1/2010 -- 16:18:22 - (detect.c:268) <Info>
>> (DetectLoadSigFile) -- 2 successfully loaded from file
>> /etc/suricata/emerging-virus.rules.
>> [9624] 2/1/2010 -- 16:18:26 - (detect.c:268) <Info>
>> (DetectLoadSigFile) -- 3 successfully loaded from file
>> /etc/suricata/emerging-current_events.rules.
>> [9624] 2/1/2010 -- 16:18:26 - (detect.c:268) <Info>
>> (DetectLoadSigFile) -- 0 successfully loaded from file test.rule.
>> [9624] 2/1/2010 -- 16:18:26 - (detect.c:270) <Info>
>> (DetectLoadSigFile) -- 1 sigs failed to load from file test.rule.
>> That sig in test.rule is:
>> alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT Foofus.net
>> Password dumping, dll injection"; flow:to_server,established;
>> content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|";
>> classtype:suspicious-filename-detect; sid:999999; rev:1;)
>> -rich
>>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
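The failure described in this thread (a blank classification.config, so every rule's classtype is undefined) can be caught before starting the engine. Below is an added example, not code from the thread or from Suricata itself: it parses the "config classification: name,description,priority" lines of a classification.config and lists the rules whose classtype is not defined. The config and rule text are constructed samples; the first rule is the one quoted in the thread.

```python
import re

# Constructed sample classification.config (Snort/Suricata syntax).
CLASSIFICATION_CONFIG = """\
# comment lines and blank lines are ignored
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: trojan-activity,A Network Trojan was detected,1
"""

# Constructed sample rules: the rule from the thread, a defined classtype,
# and a misspelled classtype that no classification.config would define.
RULES = """\
alert tcp any any -> $HOME_NET 139:445 (msg:"EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; classtype:suspicious-filename-detect; sid:999999; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example"; classtype:trojan-activity; sid:2000001; rev:1;)
alert tcp any any -> any any (msg:"Typo in classtype"; classtype:web-aplication-attack; sid:2000002; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([^;]+?)\s*;")


def parse_classifications(text):
    """Return {classtype: (description, priority)} from classification.config text."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_RE.match(line)
        if m:
            classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def find_unknown_classtypes(rules_text, classes):
    """Return [(sid, classtype)] for every rule whose classtype is undefined."""
    missing = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ct = CLASSTYPE_RE.search(line)
        if ct and ct.group(1) not in classes:
            sid = SID_RE.search(line)
            missing.append((sid.group(1) if sid else "?", ct.group(1)))
    return missing


if __name__ == "__main__":
    for sid, ct in find_unknown_classtypes(RULES, parse_classifications(CLASSIFICATION_CONFIG)):
        print(f"sid:{sid} references undefined classtype '{ct}'")
```

Running it against an empty config reproduces the thread's symptom: every rule with a classtype is reported, which is why only the few rules without one load.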