[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)

Gerardo De Felice g.defelice at gmatica.it
Mon Nov 29 16:36:03 UTC 2010


Hi everyone,

I removed the "distance:0;" tag, and the rule is processed. Now I have another error:

[13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'fwsam'.
[13621] 29/11/2010 -- 17:29:13 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any <> [109.123.106.28,109.123.108.61,109.123.91.37,109.169.55.173,109.169.64.17,109.235.53.153,109.74.195.116,109.74.196.127,109.74.200.40,109.74.201.108] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; flags:S; reference:url,www.shadowserver.org; reference:url,abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)" from file /etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41

Can I send the errors to this mailing list, or must I send them somewhere else?

I don't want to abuse your courtesy.

Thank you.

Best regards!


On 29/11/2010 17.24, rmkml wrote:
> Hi Gerardo,
> Could you test with remove "distance:0;" for sid 2011589 please?
> Emerging: could you remove "distance:0;" for sid 2011589 please?
> Regards
> Rmkml
>
>
>
> On Mon, 29 Nov 2010, Gerardo De Felice wrote:
>
>> Hi,
>>
>> I installed the new version of Suricata from git today.
>>
>> I get this error:
>>
>>
>> [13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN( 100)] - unknown rule keyword 'file_data'.
>> [13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DB Software
>> Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;  pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
>> classtype:web-application-attack; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software; sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules at line 1460
>>
>> If I remove the file_data tag
>>
>> I get this error:
>>
>> [13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No related previous-previous content or pcre keyword
>> [13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft
>> DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; content:".CustomCompositorClass"; nocase;
>> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; classtype:web-application-attack; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
>> sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules at line 1526
>>
>>
>> Best regards!
>>
>>


-- 

Gerardo De Felice
Networks and Systems
Technical Services

Via di Casal Boccone 188-190, 00137 ROMA
Tel: +39 (06) 3993.37.33
Cell: +39 (347) 14.51.239
Fax: +39 (06) 3993.37.95

E-mail: g.defelice at gmatica.it
Web: www.gmatica.it - www.gbet.it


This communication (and any attachments) may contain highly sensitive and confidential information and is intended exclusively for the addressees. Any unauthorised use, communication or dissemination of it is prohibited. If you have received this communication in error, please notify the sender immediately and delete all information acquired in error. Any unauthorised use of the content of this message exposes the person responsible to the related civil and criminal consequences. (Ref. Legislative Decree 196/2003). Thank you

This message and its attachments may contain confidential or privileged information and are intended only for use by the addressees. Any unauthorized use, re-transmission or dissemination of it is prohibited. If you received this e-mail in error, please inform the sender immediately and delete all the material. Any unauthorized use of the content of this message is strictly forbidden and the person responsible may incur penalties. (Ref. Legislative Decree 196/2003). Thank you.
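Both parse failures in this thread are things a rule file can be checked for before Suricata is restarted: an option keyword the engine does not know (`fwsam` is a SnortSam plugin option and not a Suricata keyword; `file_data` was unknown to the 2010 git build quoted above, although later Suricata releases support it), and a `distance:`/`within:` modifier with nothing to be relative to. `distance` modifies the content immediately before it and positions that match relative to the content or pcre before that one, which is why Suricata complained about a missing "previous-previous" match for sid 2011589, where `distance:0` follows the rule's first `content`. The following linter is an added example, not code from the thread or from the Suricata project; the unsupported-keyword set is illustrative, the header regex only recognises the alert/drop/pass/reject actions, and the sample rule file is constructed (two rules shortened from those quoted above plus one rule written to pass).

```python
import re

# Keywords that the 2010 git build in the thread rejected as unknown. 'fwsam' is a
# SnortSam plugin option and not a Suricata keyword; 'file_data' was unknown to that
# build but is supported by later releases. Illustrative set, adjust per version.
UNSUPPORTED_KEYWORDS = {"fwsam", "file_data"}

# Keywords that set up a payload match which later relative modifiers can refer to.
MATCH_KEYWORDS = {"content", "uricontent", "pcre"}

# Modifiers that make the preceding content relative to the match before it, so
# they need at least two match keywords ahead of them in the option list.
RELATIVE_MODIFIERS = {"distance", "within"}

# Action, protocol, the rest of the header, then the option block in parentheses.
_HEADER = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+.*?\((.*)\)\s*$", re.S)

# Constructed sample rule file: line 2 and 3 are shortened from the thread's rules.
SAMPLE_RULES = r"""# constructed sample file for the linter below
alert tcp $HOME_NET any <> [109.123.106.28,109.123.108.61] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; content:".CustomCompositorClass"; nocase; pcre:"/clsid\s*\x3a\s*24DC3975/si"; classtype:web-application-attack; sid:2011589; rev:5;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule that parses"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B"; nocase; distance:0; sid:9000001; rev:1;)
"""


def split_options(options):
    """Split the text between a rule's parentheses into (keyword, value) pairs.
    Double quotes and backslash escapes are honoured, so a ';' inside a
    pcre:"..." or content:"..." string does not end the option."""
    pairs, buf, in_quote, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            pairs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        pairs.append("".join(buf))
    result = []
    for item in pairs:
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            kw, val = item.split(":", 1)
            result.append((kw.strip(), val.strip()))
        else:
            result.append((item, None))  # bare flag such as nocase or file_data
    return result


def lint_rule(rule):
    """Return the list of problems found in one rule line (empty if it looks fine)."""
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return []
    m = _HEADER.match(rule)
    if not m:
        return ["not a recognisable rule: missing action/header or option parentheses"]
    problems, matches_seen = [], 0
    for kw, _ in split_options(m.group(2)):
        if kw in UNSUPPORTED_KEYWORDS:
            problems.append(f"unknown rule keyword '{kw}'")
        if kw in MATCH_KEYWORDS:
            matches_seen += 1
        elif kw in RELATIVE_MODIFIERS and matches_seen < 2:
            # distance/within need a match before the content they modify
            problems.append(
                f"'{kw}' needs a content/pcre match before the one it modifies "
                f"(only {matches_seen} seen so far)")
    return problems


def lint_rules(text):
    """Lint a whole rule file; returns {line_number: [problems]} for lines with issues."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        problems = lint_rule(line)
        if problems:
            report[lineno] = problems
    return report


if __name__ == "__main__":
    for lineno, problems in lint_rules(SAMPLE_RULES).items():
        for problem in problems:
            print(f"line {lineno}: {problem}")
```

Run against the sample, the script flags line 2 for `fwsam` and line 3 for the `distance:0` that follows the rule's first content, while line 4 (two contents before the `distance`) passes. Pointing `lint_rules` at a real file is a matter of reading it into a string first; keeping the unsupported-keyword set in step with the Suricata version actually deployed is what makes the check useful.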