[Oisf-users] SC_ERR_INVALID_SIGNATURE(39)

Gerardo De Felice g.defelice at gmatica.it
Tue Nov 30 11:21:38 UTC 2010


I removed the -BLOCK rules and I no longer get that error.

Now I have this error:

[945] 30/11/2010 -- 11:17:59 - (detect-fast-pattern.c:197) <Warning> (DetectFastPatternSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - fast_pattern found inside the rule, without a preceding content based keyword.  Currently we provide fast_pattern support for content and uricontent
[945] 30/11/2010 -- 11:17:59 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; fast_pattern; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:trojan-activity; sid:2011938; rev:2;)" from file /etc/suricata/rules/emerging-malware.rules at line 2649

I tried to remove the fast_pattern tag, but I received this error:

[967] 30/11/2010 -- 11:29:24 - (detect-distance.c:171) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_WITHIN_MISSING_CONTENT(103)] - within needspreceeding content or uricontent option
[967] 30/11/2010 -- 11:29:24 - (detect.c:402) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; distance:0; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:trojan-activity; sid:2011938; rev:2;)" from file /etc/suricata/rules/emerging-malware.rules at line 2649


Best regards!

On 29/11/2010 21.42, Matthew Jonkman wrote:
> Ya, looks like you're loading the -BLOCK rules, which are intended for snortsam use. We do not (yet) have a snortsam plugin for suricata. Use the non -BLOCK versions of those rules and you'll be fine!
>
> Matt
>
> On Nov 29, 2010, at 3:00 PM, rmkml wrote:
>
>> Hi,
>> Could you remove the "fwsam" option, please?
>> Regards
>> Rmkml
>>
>>
>> On Mon, 29 Nov 2010, Gerardo De Felice wrote:
>>
>>> Hi everyone,
>>>
>>> I removed the "distance:0;" tag, and the rule is processed. Now I have another
>>> error:
>>>
>>> [13621] 29/11/2010 -- 17:29:13 - (detect-parse.c:629) <Error>
>>> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown
>>> rule keyword 'fwsam'.
>>> [13621] 29/11/2010 -- 17:29:13 - (detect.c:402) <Error> (DetectLoadSigFile)
>>> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
>>> tcp $HOME_NET any <>
>>> [109.123.106.28,109.123.108.61,109.123.91.37,109.169.55.173,109.169.64.17,109.235.53.153,109.74.195.116,109.74.196.127,109.74.200.40,109.74.201.108]
>>> any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE";
>>> flags:S; reference:url,www.shadowserver.org; reference:url,abuse.ch;
>>> threshold: type limit, track by_src, seconds 3600, count 1;
>>> classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)" from
>>> file /etc/suricata/rules/emerging-botcc-BLOCK.rules at line 41
>>>
>>> Can I send the errors to this mailing list, or must I send them somewhere
>>> else?
>>>
>>> I don't want to abuse your courtesy.
>>>
>>> Thank you.
>>>
>>> Best regards!
>>>
>>>
>>> On 29/11/2010 17.24, rmkml wrote:
>>>> Hi Gerardo,
>>>> Could you test with "distance:0;" removed for sid 2011589, please?
>>>> Emerging: could you remove "distance:0;" for sid 2011589, please?
>>>> Regards
>>>> Rmkml
>>>>
>>>>
>>>>
>>>> On Mon, 29 Nov 2010, Gerardo De Felice wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I installed the new version of Suricata from git today.
>>>>>
>>>>> I get this error:
>>>>>
>>>>>
>>>>> [13488] 29/11/2010 -- 16:17:26 - (detect-parse.c:629) <Error>
>>>>> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] -
>>>>> unknown rule keyword 'file_data'.
>>>>> [13488] 29/11/2010 -- 16:17:26 - (detect.c:402) <Error>
>>>>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
>>>>> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>>>> (msg:"ET ACTIVEX DB Software
>>>>> Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods";
>>>>> flow:to_client,established; file_data; content:"CLSID"; nocase;
>>>>> content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase;
>>>>> pcre:"/(LogFile|ClearLogFile|SaveToFile)/i";
>>>>> classtype:web-application-attack; reference:bugtraq,31907;
>>>>> reference:url,milw0rm.com/exploits/6828;
>>>>> reference:url,doc.emergingthreats.net/2008789;
>>>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_DB_Software;
>>>>> sid:2008789; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
>>>>> at line 1460
>>>>>
>>>>> If I remove the file_data tag, I get this error:
>>>>>
>>>>> [13491] 29/11/2010 -- 16:18:10 - (detect-distance.c:312) <Error>
>>>>> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No
>>>>> related previous-previous content or pcre keyword
>>>>> [13491] 29/11/2010 -- 16:18:10 - (detect.c:402) <Error>
>>>>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
>>>>> parsing signature "alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>>>> (msg:"ET ACTIVEX Microsoft
>>>>> DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt";
>>>>> flow:to_client,established;
>>>>> content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0;
>>>>> content:".CustomCompositorClass"; nocase;
>>>>> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si";
>>>>> classtype:web-application-attack;
>>>>> reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt;
>>>>> sid:2011589; rev:5;)" from file /etc/suricata/rules/emerging-activex.rules
>>>>> at line 1526
>>>>>
>>>>>
>>>>> Best regards!
>>>>>
>>>>>
>>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>


-- 

	Gerardo De Felice
Rete e Sistemi
Servizi Tecnici

Via di Casal Boccone 188-190, 00137 ROMA
Tel: 	+39 (06) 3993.37.33
Cell: 	+39 (347) 14.51.239
Fax: 	+39 (06) 3993.37.95

	
E-mail: 	g.defelice at gmatica.it
Web: 	www.gmatica.it - www.gbet.it




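Every error in this thread is the same failure mode: Suricata's loader hits one rule it cannot parse and stops at SC_ERR_INVALID_SIGNATURE(39), so the whole file is lost until that rule is found and removed by hand. The script below is an added example (not Suricata or Emerging Threats code) that pre-checks a rule file for the three constructs seen here: a keyword the build does not know (fwsam from the snortsam -BLOCK sets), fast_pattern with no content before it, and distance/within on a content that has nothing earlier to be relative to. It comments those rules out so the rest of the file still loads and prints what to report upstream. The default unsupported-keyword set and the sids 9000001/9000002 in the sample are assumptions made for the example; the sample rules are constructed, trimmed from the rules quoted in the thread. It implements the documented keyword semantics, so a rejection specific to one git snapshot (such as distance:0 after an http_header content in the last error above) is only reproduced by loading the file into that build; the build itself remains the authoritative check.

```python
# Pre-flight lint for Snort/Suricata rule files (added example, not Suricata code).
from __future__ import annotations

import re
import sys
from collections import namedtuple

# Assumption: only fwsam (the snortsam action in the -BLOCK sets) is unsupported by
# default; take the real list from `suricata --list-keywords` on your own build.
UNSUPPORTED_KEYWORDS = frozenset({"fwsam"})
CONTENT_KEYWORDS = frozenset({"content", "uricontent"})
RELATIVE_MODIFIERS = frozenset({"distance", "within"})
Finding = namedtuple("Finding", "sid keyword reason")


def split_options(body: str) -> list[tuple[str, str | None]]:
    """(keyword, value) pairs; ';' separates only outside quotes, '\\' escapes."""
    pairs, buf, in_quote, escaped = [], [], False, False
    for ch in body + ";":  # the trailing ';' flushes the last option
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            token = "".join(buf).strip()
            buf = []
            if token:
                key, sep, value = token.partition(":")
                pairs.append((key.strip(), value.strip() if sep else None))
            continue
        buf.append(ch)
    return pairs


def lint_rule(rule: str, unsupported=UNSUPPORTED_KEYWORDS) -> list[Finding]:
    """Constructs in one rule that make Suricata's loader reject it."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return [Finding("?", "", "rule has no option block")]
    options = split_options(m.group(1))
    sid = next((v for k, v in options if k == "sid" and v), "?")
    findings = []
    # contents seen, content+pcre anchors seen, anchors before the latest content
    contents = anchors = before_current = 0
    for key, _ in options:
        if key in unsupported:
            findings.append(Finding(sid, key, "keyword unknown to this Suricata build"))
        elif key in CONTENT_KEYWORDS:
            before_current, contents, anchors = anchors, contents + 1, anchors + 1
        elif key == "pcre":
            anchors += 1
        elif key == "fast_pattern" and contents == 0:
            findings.append(Finding(sid, key, "no preceding content/uricontent"))
        elif key in RELATIVE_MODIFIERS and contents == 0:
            findings.append(Finding(sid, key, "no preceding content"))
        elif key in RELATIVE_MODIFIERS and before_current == 0:
            findings.append(Finding(sid, key, "on the first content, nothing earlier to be relative to"))
    return findings


def iter_rules(text: str):
    """Yield (line_no, rule); joins backslash continuations, skips comments/blanks."""
    pending, start = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not pending:
            if not s or s.startswith("#"):
                continue
            start = n
        pending.append(s.rstrip("\\"))
        if not s.endswith("\\"):
            yield start, " ".join(pending)
            pending = []


def lint_file(text: str, unsupported=UNSUPPORTED_KEYWORDS) -> tuple[str, list[Finding]]:
    """Rules text with offending rules commented out (so the file loads), plus findings."""
    out, findings = [], []
    for line_no, rule in iter_rules(text):
        found = lint_rule(rule, unsupported)
        findings.extend(found)
        if found:
            out.append(f"# disabled (line {line_no}): " + "; ".join(f"{f.keyword}: {f.reason}" for f in found))
            out.append("# " + rule)
        else:
            out.append(rule)
    return "\n".join(out) + "\n", findings


# Constructed sample: two rules trimmed from the thread, two made-up sids (9000001/9000002).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any <> [109.123.106.28,109.123.108.61] any (msg:"ET DROP Known Bot C&C Traffic TCP (group 1) - BLOCKING SOURCE"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2405000; rev:2126; fwsam: dst, 30 days;)
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; distance:0; content:".CustomCompositorClass"; nocase; classtype:web-application-attack; sid:2011589; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"fast_pattern before any content"; flow:established,to_server; fast_pattern; content:"Host|3a 20|"; http_header; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"well-formed relative match"; flow:established,to_server; \
    content:"User-Agent|3a 20|Mozilla/4.0"; http_header; content:"Host|3a 20|"; http_header; distance:0; pcre:"/\.php\?/Ui"; sid:9000002; rev:1;)
'''

if __name__ == "__main__":
    cleaned, findings = lint_file(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES)
    print("\n".join(f"sid {f.sid}: {f.keyword}: {f.reason}" for f in findings), file=sys.stderr)
    sys.stdout.write(cleaned)
```

Run it as `python lint_rules.py /etc/suricata/rules/emerging-botcc-BLOCK.rules > cleaned.rules`; the findings go to stderr and the loadable file to stdout. Matt's advice still applies: the -BLOCK files exist for snortsam and should simply not be loaded, and the linter is there for the rules that slip into the regular sets.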