[Oisf-users] Rules

Anas.B a.bouhsaina at gmail.com
Mon Jun 21 10:23:14 UTC 2010


Hello,

What should we use as rules? Snort rules, ET rules, others? Or both?

Are they the same? "Repeated"?

How can I uninstall Suricata? (to try v0.9.2)


Regards :).

2010/6/17 Will Metcalf <william.metcalf at gmail.com>

> Those rules are not loaded. We are still working on adding support for
> some keywords.  In all honesty we will probably never have 100%
> support for all snort content/modifier combinations but we are trying to get
> as close to this as we can.
>
> Regards,
>
> Will
>
> On Wed, Jun 16, 2010 at 8:52 AM, Anas.B <a.bouhsaina at gmail.com> wrote:
> > Hello,
> >
> > I've added the 2.8.5.3 rules
> > But still these errors!!!
> >
> > [6521] 16/6/2010 -- 14:52:10 - (detect-bytetest.c:538) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_BYTETEST_MISSING_CONTENT(104)] - relative bytetest match needs a previous content option
> > [6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; http_header; byte_test:4,>,0x7FFFFFFF,0,relative,string,dec; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,17879; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2006-2162; classtype:misc-attack; sid:2278; rev:15;)" from file /etc/suricata/rules/web-misc.rules at line 366
> > [6521] 16/6/2010 -- 14:52:10 - (detect-http-method.c:180) <Error> (DetectHttpMethodSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - http_method cannot be used with "fast_pattern"
> > [6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method"; flow:to_server,established; content:"LOCK"; fast_pattern; nocase; http_method; content:"encoding"; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user; sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
> > [6521] 16/6/2010 -- 14:52:12 - (detect.c:341) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/emerging-web.rules
> > [6521] 16/6/2010 -- 14:52:19 - (detect.c:382) <Info> (SigLoadSignatures) -- 71 rule files processed. 11678 rules succesfully loaded, 482 rules failed
> >
> > Are the rules loaded or not?
> >
> > Thanks to you
> >
>
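To answer the question at the end of the quoted log (whether the rules were loaded), here is an added Python example; it is not part of this thread and not a Suricata tool. It parses the rule-loading messages Suricata 0.9.x printed, pairs each keyword-specific error with the "Error parsing signature" line that follows it (an assumption based on the ordering visible in the quoted log), collects the files from which no rules loaded, and reports which sids failed, why, and what fraction of the rule set did load. The sample input embedded below consists of the log lines quoted in the thread.

```python
import re
from collections import Counter

# Sample input: the rule-loading messages quoted in this thread (Suricata 0.9.x log format).
SAMPLE_LOG = r"""[6521] 16/6/2010 -- 14:52:10 - (detect-bytetest.c:538) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_BYTETEST_MISSING_CONTENT(104)] - relative bytetest match needs a previous content option
[6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; http_header; byte_test:4,>,0x7FFFFFFF,0,relative,string,dec; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,17879; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2006-2162; classtype:misc-attack; sid:2278; rev:15;)" from file /etc/suricata/rules/web-misc.rules at line 366
[6521] 16/6/2010 -- 14:52:10 - (detect-http-method.c:180) <Error> (DetectHttpMethodSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - http_method cannot be used with "fast_pattern"
[6521] 16/6/2010 -- 14:52:10 - (detect.c:297) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Sun Java System Web Server 7.0 WebDAV format string exploit attempt - LOCK method"; flow:to_server,established; content:"LOCK"; fast_pattern; nocase; http_method; content:"encoding"; pcre:"/\<\?xml[^\>]+encoding\s*\=\s*(\'|\")[^\'\"\>\%]*\%/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,37910; reference:cve,2010-0388; classtype:attempted-user; sid:16427; rev:1;)" from file /etc/suricata/rules/web-misc.rules at line 555
[6521] 16/6/2010 -- 14:52:12 - (detect.c:341) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(40)] - No rules loaded from /etc/suricata/rules/emerging-web.rules
[6521] 16/6/2010 -- 14:52:19 - (detect.c:382) <Info> (SigLoadSignatures) -- 71 rule files processed. 11678 rules succesfully loaded, 482 rules failed
"""

# One log record: "[pid] date -- time - (srcfile:line) <Level> (Function) -- body"
LOG_RE = re.compile(
    r'^\[(?P<pid>\d+)\] (?P<date>\S+) -- (?P<time>\S+) - \((?P<src>[^)]+)\) '
    r'<(?P<level>\w+)> \((?P<func>\w+)\) -- (?P<body>.*)$'
)
# Error bodies carry "[ERRCODE: NAME(number)] - message"
ERR_RE = re.compile(r'^\[ERRCODE: (?P<name>\w+)\((?P<code>\d+)\)\] - (?P<msg>.*)$')
# The generic per-rule failure line names the rule text, the file and the line number.
SIG_RE = re.compile(r'^Error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r'\bsid:(\d+);')
# The final summary; "succes+fully" also matches the misspelling in the real log.
SUMMARY_RE = re.compile(
    r'(?P<files>\d+) rule files processed\. (?P<loaded>\d+) rules succes+fully loaded, (?P<failed>\d+) rules failed'
)


def parse_rule_load_log(text):
    """Return (failures, empty_files, summary) extracted from Suricata rule-load output.

    failures: list of {'sid', 'file', 'line', 'reason'} for each rule that did not load
    empty_files: rule files from which nothing loaded (SC_ERR_NO_RULES)
    summary: {'files', 'loaded', 'failed'} from the final Info line, or None
    Assumption: the keyword-specific error is logged right before the generic
    "Error parsing signature" line for the same rule, as in the quoted log.
    """
    failures, empty_files, summary = [], [], None
    pending_reason = None  # last keyword-specific error not yet attached to a rule
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # not a Suricata log record (blank line, other daemon output)
        body = m.group('body')
        if m.group('level') == 'Info':
            s = SUMMARY_RE.search(body)
            if s:
                summary = {k: int(v) for k, v in s.groupdict().items()}
            continue
        e = ERR_RE.match(body)
        if not e:
            continue
        name, msg = e.group('name'), e.group('msg')
        sig = SIG_RE.match(msg)
        if sig:
            sid_m = SID_RE.search(sig.group('rule'))
            failures.append({
                'sid': int(sid_m.group(1)) if sid_m else None,
                'file': sig.group('file'),
                'line': int(sig.group('line')),
                'reason': pending_reason or msg,
            })
            pending_reason = None
        elif name == 'SC_ERR_NO_RULES':
            empty_files.append(msg.split('No rules loaded from ', 1)[-1].strip())
        else:
            pending_reason = f'{name}: {msg}'
    return failures, empty_files, summary


def summarize(text):
    """Aggregate the parse into a small report dict (failures by error code, load fraction)."""
    failures, empty_files, summary = parse_rule_load_log(text)
    by_error = Counter(f['reason'].split(':', 1)[0] for f in failures)
    total = (summary['loaded'] + summary['failed']) if summary else 0
    return {
        'failed_rules': failures,
        'by_error': dict(by_error),
        'empty_files': empty_files,
        'summary': summary,
        'failed_fraction': round(summary['failed'] / total, 4) if total else None,
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_LOG)
    for f in report['failed_rules']:
        print(f"sid {f['sid']} ({f['file']}:{f['line']}) failed: {f['reason']}")
    for path in report['empty_files']:
        print(f"no rules loaded from {path}")
    print(f"loaded {report['summary']['loaded']}, failed {report['summary']['failed']} "
          f"({report['failed_fraction']:.2%} of the rule set did not load)")
```

Run it against a saved copy of Suricata's start-up output (or pipe the output in and call `summarize(sys.stdin.read())`) to get a per-sid list of what did not load and why; the answer to "are the rules loaded?" is then "all but these", which is what you need to decide whether a failed sid matters for your deployment.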