[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)
rmkml
rmkml at free.fr
Mon Nov 29 20:00:11 UTC 2010
Hi,
Could you remove the "fwsam" option, please?
Regards
Rmkml
On Mon, 29 Nov 2010, Gerardo De Felice wrote:
> Hi everyone,
>
> I removed the "distance:0;" tag, and the rule is processed. Now I have another
> error:
>
> [13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) <Error>
> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown
> rule keyword 'fwsam'.
> [13621] 29/11/2010 -- 17:29:13 - (detect.c:402) <Error> (DetectLoadSigFile)
> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
> tcp $HOME_NET any <>
> [109.123.106.28,109.123.108.61,109.123.91.37,109.169.55.173,109.169.64.17,109.235.53.153,109.74.195.116,109.74.196.127,109.74.200.40,109.74.201.108]
> any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE";
> flags:S; reference:url,www.shadowserver.org; reference:url,abuse.ch;
> threshold: type limit, track by_src, seconds 3600, count 1;
> classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)" from
> file /etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41
>
> Can I send the errors to this mailing list, or must I send them somewhere
> else?
>
> I don't want to abuse your courtesy.
>
> Thank you.
>
> Best regards!
>
>
> On 29/11/2010 17.24, rmkml wrote:
>> Hi Gerardo,
>> Could you test with "distance:0;" removed for sid 2011589, please?
>> Emerging: could you remove "distance:0;" for sid 2011589 please?
>> Regards
>> Rmkml
>>
>>
>>
>> On Mon, 29 Nov 2010, Gerardo De Felice wrote:
>>
>>> Hi,
>>>
>>> I installed the new version of Suricata from git today.
>>>
>>> I get this error:
>>>
>>>
>>> [13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error>
>>> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN( 100)] -
>>> unknown rule keyword 'file_data'.
>>> [13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error>
>>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
>>> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>> (msg:"ET ACTIVEX DB Software
>>> Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods";
>>> flow:to_client,established; file_data; content:"CLSID"; nocase;
>>> content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;
>>> pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
>>> classtype:web-application-attack; reference:bugtraq,31907;
>>> reference:url,milw0rm.com/exploits/6828;
>>> reference:url,doc.emergingthreats.net/2008789;
>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software;
>>> sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
>>> at line 1460
>>>
>>> If I remove the file_data tag, I get this error:
>>>
>>> [13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error>
>>> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No
>>> related previous-previous content or pcre keyword
>>> [13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error>
>>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
>>> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>> (msg:"ET ACTIVEX Microsoft
>>> DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt";
>>> flow:to_client,established;
>>> content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0;
>>> content:".CustomCompositorClass"; nocase;
>>> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si";
>>> classtype:web-application-attack;
>>> reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
>>> sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
>>> at line 1526
>>>
>>>
>>> Best regards!
>>>
>>>
>
>
> --
> Gerardo De Felice
> Rete e Sistemi
> Servizi Tecnici
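The thread's fix is to hand-edit the offending options out of each rule. As an added example that is not from this list or from the Suricata project, here is a small Python linter that does the same thing in bulk: it drops option keywords a given build rejects with SC_ERR_RULE_KEYWORD_UNKNOWN (the set below holds `fwsam` from the thread and is an assumption) and reports a `distance`/`within` that has no previous-previous `content`/`pcre` to be relative to, the detect-distance.c error above. The option splitter is my own and is not Suricata's parser.

```python
import re

# Option keywords this build rejects with SC_ERR_RULE_KEYWORD_UNKNOWN(100); 'fwsam' is a
# Snort/SnortSam plugin option Suricata does not implement (assumption: it is safe to drop).
UNSUPPORTED = {"fwsam"}
RELATIVE = {"distance", "within"}   # make the preceding content relative to the match before it
ANCHORS = {"content", "pcre"}       # keywords a relative modifier can refer back to

def split_options(body):
    """Split the text inside the rule parentheses into (keyword, value) pairs,
    honouring ';' and '"' inside quoted values and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # char after a backslash is literal
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:  # option terminator outside quotes
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return [(k.strip(), v.strip()) for k, _, v in (o.partition(":") for o in opts)]

def lint_rule(rule, unsupported=UNSUPPORTED):
    """Return (cleaned_rule, problems): drop unsupported keywords and report a
    distance/within that has no previous-previous content/pcre (the
    detect-distance.c error in the thread), instead of losing the whole rule."""
    m = re.match(r"^(\s*\w+\s+[^(]*)\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        return rule, ["not a rule"]
    head, body = m.group(1), m.group(2)
    problems, kept, anchors = [], [], 0
    for k, v in split_options(body):
        if k in unsupported:
            problems.append(f"dropped unsupported keyword '{k}'")
            continue
        if k in ANCHORS:
            anchors += 1
        elif k in RELATIVE and anchors < 2:
            problems.append(f"'{k}' has no previous content/pcre to be relative to")
        kept.append(f"{k}:{v}" if v else k)
    return head + "(" + " ".join(o + ";" for o in kept) + ")", problems
```

Adding `file_data` to the unsupported set would let the sid 2008789 rule load on this git build, but it changes which buffer the following `content` matches against, so treat that one as a review item rather than an automatic drop.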