[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)

Victor Julien victor at inliniac.net
Mon Nov 29 16:16:49 UTC 2010


Gerardo De Felice wrote:
> Hi,
> 
> I installed the new version of suricata from git today.
> 
> I get this error:
> 
> 
> [13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error>
> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(
> 100)] - unknown rule keyword 'file_data'.
> [13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control
> Multiple Insecure Methods"; flow:to_client,established; file_data;
> content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968";
> nocase;  pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
> classtype:web-application-attack; reference:bugtraq,31907;
> reference:url,milw0rm.com/exploits/6828;
> reference:url,doc.emergingthreats.net/2008789;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software;
> sid:2008789; rev:5;)" from file
> /etc/suricata/rules/emerging-activex.rules at line 1460
> 
> If I remove the file_data tag

Yeah, file_data is something we plan to support in 1.0.4.

> I get this error:

This is a different signature.

> [13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error>
> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No
> related previous-previous content or pcre keyword
> [13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code
> Execution Attempt"; flow:to_client,established;
> content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0;
> content:".CustomCompositorClass"; nocase;
> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si";
> classtype:web-application-attack;
> reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
> sid:2011589; rev:5;)" from file
> /etc/suricata/rules/emerging-activex.rules at line 1526

This signature has distance:0 after the first content while distance is
meant to make this content relative to the previous content. However
there is no content. I've heard Snort silently accepts such errors,
however we do not.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
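The two parse failures above (an unknown keyword, and a distance modifier with nothing before it to be relative to) can be caught before a ruleset is loaded. The following rule linter is an added example, not code from the thread or from Suricata; the set of unsupported keywords and the sample rules are constructed here, modelled on the two ET signatures quoted above.

```python
RELATIVE_MODIFIERS = {"distance", "within"}   # need an earlier match to be relative to
MATCH_KEYWORDS = {"content", "pcre"}          # each one starts a new match
# Keywords the installed build does not know. file_data is the one the thread
# shows a pre-1.0.4 Suricata rejecting; the set itself is an assumption here.
UNSUPPORTED_KEYWORDS = {"file_data"}


def split_options(rule):
    """Return (keyword, value) pairs from the rule's option body, honouring
    quotes so a ';' inside a msg, content or pcre string does not split."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"' and not cur.endswith("\\"):
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if cur.strip():
                key, _, val = cur.strip().partition(":")
                opts.append((key.strip(), val.strip()))
            cur = ""
        else:
            cur += ch
    return opts


def lint_rule(rule):
    """Return the problems a strict parser like Suricata's raises on this rule.
    distance/within modify the most recent content/pcre and only make sense
    when an earlier match exists for that content to be relative to."""
    problems, matches_seen = [], 0
    for key, val in split_options(rule):
        if key in UNSUPPORTED_KEYWORDS:
            problems.append(f"unknown rule keyword '{key}'")
        elif key in MATCH_KEYWORDS:
            matches_seen += 1
        elif key in RELATIVE_MODIFIERS and matches_seen < 2:
            problems.append(f"{key}:{val} has no previous content or pcre to be relative to")
    return problems


# Constructed rules modelled on the thread's two signatures (not the ET rules themselves).
RULE_FILE_DATA = ('alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
                  '(msg:"ET ACTIVEX example; one"; flow:to_client,established; '
                  'file_data; content:"CLSID"; nocase; sid:2008789; rev:5;)')
RULE_DISTANCE = ('alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
                 '(msg:"ET ACTIVEX example; two"; flow:to_client,established; '
                 'content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; '
                 'content:".CustomCompositorClass"; nocase; sid:2011589; rev:5;)')
# Same rule with distance:0 moved to the second content, where it has a match before it.
RULE_FIXED = RULE_DISTANCE.replace("; distance:0;", ";").replace(
    'content:".CustomCompositorClass"; nocase;',
    'content:".CustomCompositorClass"; nocase; distance:0;')
```

Running `lint_rule` over each rule in a file before pointing Suricata at it reports the same two classes of error the log above shows, without the load failing.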