[Oisf-users] Suricata - test rule ignored/not dropping.

Victor Julien victor at inliniac.net
Tue Jul 27 07:56:36 UTC 2010


Morgan Cox wrote:
> Previously I have used
> 
> 
> drop tcp any any -> any 80 (classtype:attempted-user; msg:"Port 80
> connection initiated";)
> 
> But it errors:-
> 
> [1296] 26/7/2010 -- 14:53:01 - (detect.c:301) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "drop tcp any any -> any 80 (msg:"Snort_Inline is
> blocking the http link";) " from file
> /etc/suricata/rules/emerging-malware.rules at line 1314

This is a silly bug on our end. As you can see in the error message,
there is a trailing space after the signature. Our regex didn't handle
that. Will be fixed in 1.0.1.

Cheers,
Victor
-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
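
Added example, not part of the original message or of Suricata's code: a pre-load check that finds rule lines ending in whitespace, the condition the reply identifies as the cause of the parse error, so an affected `drop` rule is caught before it is rejected at load time. The action list, the sample rules and their `sid` values are constructed assumptions.

```python
import re

# Rule actions to look for; the post only shows "drop", the others are assumptions.
ACTIONS = ("alert", "drop", "pass", "reject")
RULE_START = re.compile(r"^\s*(%s)\s" % "|".join(ACTIONS))

# Constructed sample rules file (not taken from the poster's rule set).
SAMPLE = (
    "# local test rules\n"
    'alert tcp any any -> any 22 (msg:"SSH connection"; sid:1000001;)\n'
    'drop tcp any any -> any 80 (msg:"Port 80 connection initiated"; sid:1000002;) \n'
    "\n"
    'drop tcp any any -> any 8080 (msg:"Proxy port"; sid:1000003;)\t\r\n'
)


def find_trailing_whitespace(text):
    """Return (line_number, action) for each rule line that ends in whitespace."""
    hits = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        line = raw.rstrip("\r")  # tolerate CRLF files; a lone CR is not reported
        match = RULE_START.match(line)  # comments and blank lines do not match
        if match and line != line.rstrip():
            hits.append((lineno, match.group(1)))
    return hits


def strip_trailing_whitespace(text):
    """Return the rules text with trailing whitespace removed from every line."""
    return "\n".join(line.rstrip() for line in text.split("\n"))


if __name__ == "__main__":
    for lineno, action in find_trailing_whitespace(SAMPLE):
        print("line %d: %s rule ends in whitespace" % (lineno, action))
```
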



