[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)

Gerardo De Felice gerardo.defelice at gmail.com
Mon Nov 29 16:07:52 UTC 2010


Hi,

I installed the new version of suricata from git today.

I get this error:


[13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error>
(SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(
100)] - unknown rule keyword 'file_data'.
[13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error> (DetectLoadSigFile)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DB Software
Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods";
flow:to_client,established; file_data; content:"CLSID"; nocase;
content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;
pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
classtype:web-application-attack; reference:bugtraq,31907; reference:url,
milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789;
reference:url,
www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software;
sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
at line 1460

If I remove the file_data tag

I get this error:

[13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error>
(DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No
related previous-previous content or pcre keyword
[13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error> (DetectLoadSigFile)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft
DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt";
flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D";
nocase; distance:0; content:".CustomCompositorClass"; nocase;
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si";
classtype:web-application-attack; reference:url,
packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
at line 1526


Best regards!
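
An added example (not part of the original post, and not Suricata project code): a Python triage script that rejoins wrapped log lines like the ones above and lists each rejected rule's sid, file and line together with the error logged just before it. The function names and the abridged sample log are assumptions for illustration, and it assumes the keyword-level error directly precedes the "Error parsing signature" record, as it does in the post.

```python
import re

# A record starts "[pid] dd/mm/yyyy -- hh:mm:ss - "; anything else is a wrapped continuation.
RECORD_START = re.compile(r"^\[\d+\] \d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2} - ")
ERRCODE = re.compile(r"\[ERRCODE:\s*(\w+)\(\s*\d+\)\]\s*-\s*(.*)")
SID = re.compile(r"\bsid:\s*(\d+)\s*;")
LOCATION = re.compile(r"from file (\S+)\s+at line (\d+)\s*$")

def join_records(text):
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # wrapped continuation of the current record
    return records

def failed_rules(text):
    results, cause = [], None
    for m in filter(None, map(ERRCODE.search, join_records(text))):
        code, msg = m.group(1), m.group(2).strip()
        if msg.startswith("Error parsing signature"):
            sid, loc = SID.findall(msg), LOCATION.search(msg)
            results.append({"sid": int(sid[-1]) if sid else None,
                            "file": loc.group(1) if loc else None,
                            "line": int(loc.group(2)) if loc else None,
                            "cause": cause})
            cause = None
        else:
            cause = (code, msg)  # keyword-level error; the rejected rule's record follows
    return results

# Constructed sample: abridged from the log in the post (rule bodies shortened), wrapping kept.
SAMPLE = """\
[13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error>
(SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(
100)] - unknown rule keyword 'file_data'.
[13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error> (DetectLoadSigFile)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
http (msg:"..."; file_data; sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules at line 1460
[13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error> (DetectDistanceSetup)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No related previous-previous content or pcre keyword
[13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error> (DetectLoadSigFile)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
http (msg:"..."; distance:0; sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules at line 1526
"""

if __name__ == "__main__":
    print(*failed_rules(SAMPLE), sep="\n")
```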