[Oisf-users] Fail to load test signature from rule file

jankins zzhan at cs.utsa.edu
Fri Jul 1 09:27:40 UTC 2011


Hello,

I am trying to make suricata-1.0.4 work. I simply wrote a test rule file: sig.rules. It has only one line and one rule:
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;) 

When I run it in IPS mode:
suricata -s sig.rules -q 0

There is error message showing the signature rule failed to be compiled:

[17915] 1/7/2011 -- 04:10:30 - (detect.c:366) <Info> (SigLoadSignatures) -- Loading rule file: sig.rules
[17915] 1/7/2011 -- 04:10:30 - (detect.c:307) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;) " from file sig.rules at line 1
[17915] 1/7/2011 -- 04:10:30 - (detect.c:372) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from sig.rules
[17915] 1/7/2011 -- 04:10:30 - (detect.c:392) <Info> (SigLoadSignatures) -- 2 rule files processed. 1 rules succesfully loaded, 1 rules failed
[17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:840) <Info> (SCSigOrderSignatures) -- ordering signatures in memory
SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 1
[17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:883) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 1
[17915] 1/7/2011 -- 04:10:30 - (detect.c:1512) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
[17915] 1/7/2011 -- 04:10:30 - (detect.c:1515) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done

I tried other rules too. None of them succeeded. Please help me with it.

My OS is Debian Squeeze 32-bit.

Thanks so much for your help.

Jankins
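An added example, not from the post or the Suricata project: a small Python linter that decomposes a rule the way the engine's parser does (seven header fields, then `key:value;` options) and checks the things that most often stop a rule from loading: header shape, a numeric sid, a double-quoted msg, and a classtype that is actually declared in classification.config. The classification.config fragment is constructed for the example; the rule from the post passes every check here, so with these assumptions the failure has to be traced to what Suricata actually loaded (its classification.config path, the exact bytes of the rule file) rather than to the rule text.

```python
import re

# Constructed fragment in the format of Suricata's classification.config
# (not the poster's file); a rule's classtype must be declared like this.
CLASSIFICATION_CONFIG = """
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic,2
"""

# The rule exactly as quoted in the post, including its trailing space.
RULE_FROM_POST = 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;) '

ACTIONS = {"alert", "drop", "pass", "reject", "log"}
HEADER_RE = re.compile(
    r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$', re.S)
# key, then an optional ":value" whose value is a quoted string (may contain ';')
# or bare text up to the next ';', which terminates every option.
OPTION_RE = re.compile(r'\s*([\w-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def load_classtypes(text):
    """Return the set of classtype names declared in classification.config text."""
    return {m.group(1).strip() for m in
            re.finditer(r'^\s*config classification:\s*([^,]+),', text, re.M)}

def parse_rule(rule):
    """Split a rule into header fields and an ordered (key, value) option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return None
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport,
            "options": [(k, v) for k, v in OPTION_RE.findall(body)]}

def lint_rule(rule, classtypes):
    """Return findings for a rule; an empty list means these checks all passed."""
    parsed = parse_rule(rule)
    if parsed is None:
        return ["header is not 'action proto src sport dir dst dport (options)'"]
    findings, opts = [], dict(parsed["options"])
    if parsed["action"] not in ACTIONS:
        findings.append("unknown action '%s'" % parsed["action"])
    if not opts.get("sid", "").isdigit():
        findings.append("sid missing or not numeric")
    msg = opts.get("msg", "")
    if not (len(msg) >= 2 and msg.startswith('"') and msg.endswith('"')):
        findings.append("msg missing or not double-quoted")
    if "classtype" in opts and opts["classtype"] not in classtypes:
        findings.append("classtype '%s' not declared in classification.config" % opts["classtype"])
    return findings

if __name__ == "__main__":
    print(lint_rule(RULE_FROM_POST, load_classtypes(CLASSIFICATION_CONFIG)))
```

Point `load_classtypes` at the classification.config your suricata.yaml references to check against the declarations the engine really sees.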