[Oisf-users] Fail to load test signature from rule file

Victor Julien victor at inliniac.net
Fri Jul 1 09:45:30 UTC 2011


On 07/01/2011 11:27 AM, jankins wrote:
> Hello,
> 
> I am trying to make suricata-1.0.4 work. I simply wrote a test rule file: sig.rules. It has only one line and one rule:
> alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;) 

Is the classtype "unknown" valid? Do you have it in your
classifications.config? As a test you could leave out the classtype
completely.

Cheers,
Victor

> 
> When I run it in in IPS mode:
> suricata -s sig.rules -q 0
> 
> There is error message showing the signature rule failed to be compiled:
> 
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:366) <Info> (SigLoadSignatures) -- Loading rule file: sig.rules
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:307) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;) " from file sig.rules at line 1
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:372) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from sig.rules
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:392) <Info> (SigLoadSignatures) -- 2 rule files processed. 1 rules succesfully loaded, 1 rules failed
> [17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:840) <Info> (SCSigOrderSignatures) -- ordering signatures in memory
> SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 1
> [17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:883) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 1
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:1512) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:1515) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done
> 
> I tried other rules too. None of them succeeded. Please help me with it. 
> 
> My OS is Debian Squeeze 32-bit.
> 
> Thanks so much for your help.
> 
> Jankins
> 
> 
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
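The check Victor suggests (does the classtype used in the rule actually exist in classifications.config, and does the rule load once the classtype is dropped) can be scripted before starting Suricata. The following is an added example, not code from the thread or from the Suricata project; it assumes the standard classifications.config line format `config classification: shortname,Description,priority` and builds its own constructed sample files, including the exact rule from the report and a copy of it with the classtype removed:

```shell
#!/bin/sh
# Added example (not part of the original thread): report classtype names that a
# rule file uses but classifications.config does not define. Suricata rejects a
# rule whose classtype is not configured, so this is a quick pre-flight check.
#
# classifications.config lines have the form:
#   config classification: shortname,Description,priority

# print the short names defined in a classifications.config
defined_classtypes() {
    sed -n 's/^config classification:[[:space:]]*\([^,]*\),.*/\1/p' "$1"
}

# print every classtype value referenced by non-comment lines of a rule file
used_classtypes() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n 's/.*classtype:[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' \
      | sort -u
}

# check_classtypes RULES CLASSIFICATIONS
# prints each undefined classtype; exit status 0 if all are defined, 1 otherwise
check_classtypes() {
    rules="$1" classes="$2" status=0
    defs=$(defined_classtypes "$classes")
    for ct in $(used_classtypes "$rules"); do
        if ! printf '%s\n' "$defs" | grep -qx -- "$ct"; then
            printf 'classtype "%s" used in %s is not defined in %s\n' "$ct" "$rules" "$classes"
            status=1
        fi
    done
    return $status
}

# --- constructed sample input so the script runs stand-alone ---
tmp=$(mktemp -d)
cat > "$tmp/classifications.config" <<'EOF'
# constructed subset of a classifications.config (no "unknown" entry)
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-recon,Attempted Information Leak,2
EOF

# the rule from the report: classtype "unknown" is not defined above
cat > "$tmp/sig.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;)
EOF

# the same rule with a defined classtype, and with the classtype left out entirely
cat > "$tmp/ok.rules" <<'EOF'
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype:attempted-recon; sid:10000001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test, no classtype"; sid:10000002;)
EOF

check_classtypes "$tmp/sig.rules" "$tmp/classifications.config" \
    || echo "sig.rules would fail to load"
check_classtypes "$tmp/ok.rules" "$tmp/classifications.config" \
    && echo "ok.rules references only defined classtypes"
```

Run it against the real files (for example `check_classtypes /etc/suricata/rules/sig.rules /etc/suricata/classification.config`, adjusting paths to the local install) before starting Suricata; a non-zero exit status points at the same mismatch that produces the `SC_ERR_INVALID_SIGNATURE` line in the log above.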
