[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Nov 29 16:51:22 UTC 2010


Fixing that stray distance 0 and a few others...

Matt

On Nov 29, 2010, at 11:24 AM, rmkml wrote:

> Hi Gerardo,
> Could you test with remove "distance:0;" for sid 2011589 please?
> Emerging: could you remove "distance:0;" for sid 2011589 please?
> Regards
> Rmkml
> 
> 
> 
> On Mon, 29 Nov 2010, Gerardo De Felice wrote:
> 
>> Hi,
>> I installed the new version of suricata from git today.
>> I get this error:
>> [13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN( 100)] - unknown rule keyword 'file_data'.
>> [13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DB Software
>> Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;  pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
>> classtype:web-application-attack; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789;
>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software; sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules at line 1460
>> If I remove the file_data tag I get this error:
>> [13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No related previous-previous content or pcre keyword
>> [13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft
>> DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; content:".CustomCompositorClass"; nocase;
>> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; classtype:web-application-attack; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
>> sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules at line 1526
>> Best regards!
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
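The two parse failures in the thread are both static properties of the rule text: `file_data` is simply not a keyword the installed build knows, and `distance:0` on the first `content` of sid 2011589 has nothing to be relative to (the "previous-previous" match in the error message). The following is an added example, not Suricata's own parser: a small linter that tokenises the option block, flags keywords outside an assumed known set (`KNOWN_KEYWORDS` deliberately omits `file_data` to stand in for the older build in the report), and flags a `distance`/`within` modifier that is not preceded by at least two `content`/`pcre` keywords. The two rule strings are copied from the quoted log lines as constructed input; `drop_option` shows the fix rmkml proposed.

```python
"""Lint Suricata rule options for the two errors seen in the thread.

Added example, not code from Suricata or Emerging Threats. KNOWN_KEYWORDS is an
assumption: a pre-file_data build, so 'file_data' is intentionally absent.
"""

# Constructed input: sid 2011589 rev 5 as quoted in the thread (distance:0 on the
# first content is the defect).
RULE_2011589 = (
    r'alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft '
    r'DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; '
    r'flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; '
    r'nocase; distance:0; content:".CustomCompositorClass"; nocase; '
    r'pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*'
    r'24DC3975-09BF-4231-8655-3EE71F43837D/si"; classtype:web-application-attack; '
    r'reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; '
    r'sid:2011589; rev:5;)'
)

# Constructed input: sid 2008789 rev 5 as quoted (file_data unknown to the old build).
RULE_2008789 = (
    r'alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DB Software '
    r'Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; '
    r'flow:to_client,established; file_data; content:"CLSID"; nocase; '
    r'content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; '
    r'pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; classtype:web-application-attack; '
    r'reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; '
    r'reference:url,doc.emergingthreats.net/2008789; sid:2008789; rev:5;)'
)

# Assumed keyword set for the build being linted (hypothetical, not a real version's list).
KNOWN_KEYWORDS = {
    "msg", "flow", "content", "nocase", "distance", "within", "offset", "depth",
    "pcre", "classtype", "reference", "sid", "rev", "uricontent", "threshold", "metadata",
}
ANCHORING_KEYWORDS = {"content", "pcre"}   # keywords a relative modifier can hang off
RELATIVE_MODIFIERS = {"distance", "within"}


def split_options(rule):
    """Return (keyword, value) pairs from the option block of a rule.

    Splits on ';' only outside double quotes; a backslash inside quotes escapes
    the next character, so an escaped ';' or '"' in a content/pcre value survives.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    tokens, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(buf).strip()
            if tok:
                tokens.append(tok)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        tokens.append(tail)
    pairs = []
    for tok in tokens:
        kw, sep, val = tok.partition(":")
        pairs.append((kw.strip(), val.strip() if sep else None))
    return pairs


def lint_options(pairs):
    """Return one error string per problem, in option order."""
    errors = []
    matches_seen = 0   # content/pcre keywords seen so far
    for i, (kw, val) in enumerate(pairs):
        if kw not in KNOWN_KEYWORDS:
            errors.append(f"option {i}: unknown rule keyword '{kw}'")
            continue
        if kw in ANCHORING_KEYWORDS:
            matches_seen += 1
        elif kw in RELATIVE_MODIFIERS and matches_seen < 2:
            # The modifier applies to the previous content and is measured from the
            # one before that, so two matches must already be present.
            errors.append(
                f"option {i}: '{kw}:{val}' has no previous-previous content or pcre keyword"
            )
    return errors


def lint_rule(rule):
    return lint_options(split_options(rule))


def drop_option(pairs, keyword, value=None):
    """Remove every option with this keyword (and value, if given): the proposed fix."""
    return [(k, v) for k, v in pairs if not (k == keyword and (value is None or v == value))]


if __name__ == "__main__":
    for rule in (RULE_2011589, RULE_2008789):
        for err in lint_rule(rule):
            print(err)
    print(lint_options(drop_option(split_options(RULE_2011589), "distance", "0")))
```

Run stand-alone it reports the stray `distance:0` in 2011589 and the unknown `file_data` in 2008789, and shows 2011589 parsing clean once `distance:0` is dropped, which is exactly the change Matt says he is making.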
