[Oisf-users] Rules

Will Metcalf william.metcalf at gmail.com
Thu Jun 17 12:17:44 UTC 2010


Those rules are not loaded. We are still working on adding support for
some keywords.  In all honesty we will probably never have 100%
support for all snort content/modifier combinations but we are trying to get
as close to this as we can.

Regards,

Will

On Wed, Jun 16, 2010 at 8:52 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> Hello,
>
> I've added the 2.8.5.3 rules
> But still these errors !!!
>
> [6521] 16/6/2010 -- 14:52:10 - (detect-bytetest.c:538) <Error>
> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_BYTETEST_MISSING_CONTENT(104)] -
> relative bytetest match needs a previous content option
> [6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client
> negative Content-Length attempt"; flow:to_server,established;
> content:"Content-Length|3A|"; nocase; http_header;
> byte_test:4,>,0x7FFFFFFF,0,relative,string,dec; metadata:policy balanced-ips
> drop, policy security-ips drop, service http; reference:bugtraq,17879;
> reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576;
> reference:cve,2004-0095; reference:cve,2006-2162; classtype:misc-attack;
> sid:2278; rev:15;)" from file /etc/suricata/rules/web-misc.rules at line 366
> [6521] 16/6/2010 -- 14:52:10 - (detect-http-method.c:180) <Error>
> (DetectHttpMethodSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] -
> http_method cannot be used with "fast_pattern"
> [6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) --
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System
> Web Server 7.0 WebDAV format string exploit attempt - LOCK method";
> flow:to_server,established; content:"LOCK"; fast_pattern; nocase;
> http_method; content:"encoding";
> pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user;
> sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
> [6521] 16/6/2010 -- 14:52:12 - (detect.c:341) <Error> (SigLoadSignatures) --
> [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from
> /etc/suricata/rules/emerging-web.rules
> [6521] 16/6/2010 -- 14:52:19 - (detect.c:382) <Info> (SigLoadSignatures) --
> 71 rule files processed. 11678 rules succesfully loaded, 482 rules failed
>
> Are the rules loaded or not?
>
> Thanks to you
>
>
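
Added example (not part of the original thread and not Suricata code): a Python triage script for a startup log like the one quoted above. It pairs each keyword-level error with the DetectLoadSigFile entry that follows it and reports the sid, rule file, line and reason. It assumes one log entry per line; the sample log is constructed from the quoted output with rule bodies abbreviated.

```python
import re
from collections import Counter

# Entry layout as quoted above: [pid] date -- time - (src.c:line) <Level> (Func) -- message
ENTRY = re.compile(r"^\[\d+\] \S+ -- \S+ - \([^)]+\) <(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<msg>.*)$")
ERRCODE = re.compile(r"^\[ERRCODE: (?P<name>\w+)\(\d+\)\] - (?P<text>.*)$")
SIG = re.compile(r'^Error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID = re.compile(r"\bsid:\s*(\d+)\s*;")

# Constructed sample: one entry per line, rule bodies abbreviated from the quoted log.
SAMPLE = r'''[6521] 16/6/2010 -- 14:52:10 - (detect-bytetest.c:538) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_BYTETEST_MISSING_CONTENT(104)] - relative bytetest match needs a previous content option
[6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"abbreviated"; http_header; byte_test:4,>,0x7FFFFFFF,0,relative,string,dec; sid:2278; rev:15;)" from file /etc/suricata/rules/web-misc.rules at line 366
[6521] 16/6/2010 -- 14:52:10 - (detect-http-method.c:180) <Error> (DetectHttpMethodSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - http_method cannot be used with "fast_pattern"
[6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"abbreviated"; content:"LOCK"; fast_pattern; nocase; http_method; sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
[6521] 16/6/2010 -- 14:52:12 - (detect.c:341) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/emerging-web.rules
[6521] 16/6/2010 -- 14:52:19 - (detect.c:382) <Info> (SigLoadSignatures) -- 71 rule files processed. 11678 rules succesfully loaded, 482 rules failed
'''

def failed_rules(log_text):
    """Pair each keyword-level error with the DetectLoadSigFile entry that follows it."""
    failures, reason = [], None
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        err = ERRCODE.match(entry["msg"]) if entry and entry["level"] == "Error" else None
        if err is None or entry["func"] == "SigLoadSignatures":
            continue  # Info lines and file-level errors such as SC_ERR_NO_RULES
        sig = SIG.match(err["text"])
        if entry["func"] != "DetectLoadSigFile" or sig is None:
            reason = (err["name"], err["text"])  # detail for the rule reported next
            continue
        sid = SID.search(sig["rule"])
        code, why = reason or (err["name"], "no keyword-level detail logged")
        failures.append({"sid": int(sid.group(1)) if sid else None, "file": sig["file"],
                         "line": int(sig["line"]), "code": code, "why": why})
        reason = None
    return failures

def reasons(failures):
    """Count failed rules per keyword-level error code."""
    return Counter(f["code"] for f in failures)

if __name__ == "__main__":
    for f in failed_rules(SAMPLE):
        print(f"sid {f['sid']} ({f['file']}:{f['line']}): {f['code']} - {f['why']}")
```

Grouping the output by `why` shows which unsupported keyword combinations account for most of the failed rules.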
