[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Nov 29 20:42:52 UTC 2010


Ya, looks like you're loading the -BLOCK rules, which are intended for snortsam use. We do not (yet) have a snortsam plugin for suricata. Use the non -BLOCK versions of those rules and you'll be fine!

Matt

On Nov 29, 2010, at 3:00 PM, rmkml wrote:

> Hi,
> could you remove "fwsam" option please?
> Regards
> Rmkml
> 
> 
> On Mon, 29 Nov 2010, Gerardo De Felice wrote:
> 
>> Hi everyone,
>> 
>> I removed the "distance:0;" tag, and the rule is processed. Now I have another 
>> error:
>> 
>> [13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) <Error> 
>> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown 
>> rule keyword 'fwsam'.
>> [13621] 29/11/2010 -- 17:29:13 - (detect.c:402) <Error> (DetectLoadSigFile) 
>> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert 
>> tcp $HOME_NET any <> 
>> [109.123.106.28,109.123.108.61,109.123.91.37,109.169.55.173,109.169.64.17,109.235.53.153,109.74.195.116,109.74.196.127,109.74.200.40,109.74.201.108] 
>> any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; 
>> flags:S; reference:url,www.shadowserver.org; reference:url,abuse.ch; 
>> threshold: type limit, track by_src, seconds 3600, count 1; 
>> classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)" from 
>> file /etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41
>> 
>> Can I send the errors to this mailing list, or must I send them somewhere 
>> else?
>> 
>> I don't want to abuse your courtesy.
>> 
>> Thank you.
>> 
>> Best regards!
>> 
>> 
>> On 29/11/2010 17.24, rmkml wrote:
>>> Hi Gerardo,
>>> Could you test with remove "distance:0;" for sid 2011589 please?
>>> Emerging: could you remove "distance:0;" for sid 2011589 please?
>>> Regards
>>> Rmkml
>>> 
>>> 
>>> 
>>> On Mon, 29 Nov 2010, Gerardo De Felice wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I installed the new version of suricata from git today.
>>>> 
>>>> I get this error:
>>>> 
>>>> 
>>>> [13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error> 
>>>> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN( 100)] - 
>>>> unknown rule keyword 'file_data'.
>>>> [13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error> 
>>>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error 
>>>> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
>>>> (msg:"ET ACTIVEX DB Software
>>>> Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; 
>>>> flow:to_client,established; file_data; content:"CLSID"; nocase; 
>>>> content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; 
>>>> pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
>>>> classtype:web-application-attack; reference:bugtraq,31907; 
>>>> reference:url,milw0rm.com/exploits/6828; 
>>>> reference:url,doc.emergingthreats.net/2008789;
>>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software; 
>>>> sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules 
>>>> at line 1460
>>>> 
>>>> If I remove the file_data tag, I get this error:
>>>> 
>>>> [13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error> 
>>>> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No 
>>>> related previous-previous content or pcre keyword
>>>> [13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error> 
>>>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error 
>>>> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
>>>> (msg:"ET ACTIVEX Microsoft
>>>> DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; 
>>>> flow:to_client,established; 
>>>> content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; 
>>>> content:".CustomCompositorClass"; nocase;
>>>> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; 
>>>> classtype:web-application-attack; 
>>>> reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
>>>> sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules 
>>>> at line 1526
>>>> 
>>>> 
>>>> Best regards!
>>>> 
>>>> 
>> 
>> 
>> -- 
>> ------------------------------------------------------------
>> 
>> 	Gerardo De Felice
>> Rete e Sistemi
>> Servizi Tecnici
>> 
>> Via di Casal Boccone 188-190, 00137 ROMA
>> Tel: 	+39 (06) 3993.37.33
>> Cell: 	+39 (347) 14.51.239
>> Fax: 	+39 (06) 3993.37.95
>> 
>> 
>> E-mail: 	g.defelice at gmatica.it <mailto:g.defelice at gmatica.it>
>> Web: 	www.gmatica.it <http://www.gmatica.it> - www.gbet.it <http://www.gbet.it>
>> 
>> 
>> This communication (and any attachments) may contain highly sensitive and 
>> confidential information and is intended solely for the addressees. Any 
>> unauthorized use, communication or dissemination of it is prohibited. If you 
>> have received this communication in error, please notify the sender 
>> immediately and delete all information received in error. Any unauthorized 
>> use of the content of this message exposes the person responsible to the 
>> relevant civil and criminal consequences. (Ref. Legislative Decree 
>> 196/2003). Thank you
>> 
>> This message and its attachments may contain confidential or privileged 
>> information and are intended only for use by the addressees. Any use, 
>> re-transmission or dissemination not authorized of it is prohibited. If you 
>> received this e-mail in error, please inform the sender immediately and 
>> delete all the material. Any unauthorized use of the content of this message 
>> is strictly forbidden and the person responsible may incur penalties. (Rif. 
>> D.Lgs. 196/2003). Thank you.
>> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
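The three parse failures in this thread (an unknown `fwsam` keyword from the Snortsam-only -BLOCK rules, an unknown `file_data` keyword in the 2010 git build, and a `distance:0` with no earlier content or pcre to be relative to) can be caught with a pre-flight lint of the rule files before the engine is restarted. The script below is an added example, not part of this thread and not Suricata's own code. Its option tokenizer is a simplified one written for the example, the unsupported-keyword list is constructed from the errors quoted above and must be adjusted to the engine version in use, and the sample rules are trimmed copies of the ones quoted in the thread followed by cleaned-up versions (the sid on the non-BLOCK botcc line is a placeholder).

```python
"""Pre-flight lint for Suricata/Snort rule files.

Added example (not from the thread or from Suricata). It reports, before the
engine is restarted, the failure modes quoted in the thread:
  * option keywords the running engine does not know ('fwsam' is a Snortsam
    extension; 'file_data' was unknown to the 2010 git build)
  * 'distance:'/'within:' modifiers with no earlier content/pcre keyword to
    be relative to
The option tokenizer is a simplified one written for this example; it
handles the double-quoted values and backslash escapes that ET rules use.
"""

# Keywords the engine in the thread rejected. Constructed list: adjust it to
# what your own Suricata version supports.
UNSUPPORTED_KEYWORDS = {"fwsam", "file_data"}

# Modifiers that position a match relative to the *previous* match.
RELATIVE_MODIFIERS = {"distance", "within"}

# Keywords that produce a match the modifiers above can be relative to.
ANCHOR_KEYWORDS = {"content", "uricontent", "pcre"}


def split_options(option_block):
    """Split the text between '(' and ')' into (keyword, value) pairs.

    Semicolons inside double quotes (msg, content, pcre) do not end an
    option; a backslash escapes the next character.
    """
    pairs, buf = [], []
    in_quote = escaped = False

    def flush():
        token = "".join(buf).strip()
        if token:
            kw, _, val = token.partition(":")
            pairs.append((kw.strip(), val.strip()))
        buf.clear()

    for ch in option_block:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            flush()
        else:
            buf.append(ch)
    flush()  # tolerate a last option without a trailing ';'
    return pairs


def lint_rule(rule):
    """Return the problems found in one rule line (empty list = parses clean)."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return ["missing option block"]
    problems = []
    anchors = 0  # content/pcre keywords seen so far
    for kw, val in split_options(rule[start + 1:end]):
        if kw in UNSUPPORTED_KEYWORDS:
            problems.append(f"unknown rule keyword '{kw}'")
        if kw in RELATIVE_MODIFIERS and anchors < 2:
            # The modifier applies to the match just before it, which in turn
            # needs an earlier match to be relative to; this is the
            # "No related previous-previous content or pcre keyword" error.
            problems.append(f"'{kw}:{val}' has no previous content or pcre keyword to be relative to")
        if kw in ANCHOR_KEYWORDS:
            anchors += 1
    return problems


def lint_file(text):
    """Lint every rule line; return {line_number: [problems]} for bad lines."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problems = lint_rule(line)
        if problems:
            report[number] = problems
    return report


# Constructed sample: the three rules quoted in the thread (trimmed) on lines
# 2-4, then the same rules cleaned up. The sid on line 6 is a placeholder.
SAMPLE_RULES = r"""# constructed sample rule file (this comment is line 1)
alert tcp $HOME_NET any <> [109.123.106.28,109.123.108.61] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; classtype:web-application-attack; sid:2008789; rev:5;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; classtype:web-application-attack; sid:2011589; rev:5;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; classtype:web-application-attack; sid:2011589; rev:5;)
alert tcp $HOME_NET any <> [109.123.106.28,109.123.108.61] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1)"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:9000001; rev:1;)
"""

if __name__ == "__main__":
    for number, problems in sorted(lint_file(SAMPLE_RULES).items()):
        for problem in problems:
            print(f"line {number}: {problem}")
```

Run against a real rules directory by reading each file into `lint_file`; lines 5 and 6 of the sample, which are the `distance:0`-free sid 2011589 that rmkml asked for and a botcc rule without the Snortsam `fwsam` option, pass clean, which is the state the thread's advice leaves the rule set in.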
