[Oisf-users] Fail to load test signature from rule file

Darren Spruell phatbuckett at gmail.com
Fri Jul 1 15:42:30 UTC 2011 

This happened to me when I started using Suri as well. In my case I had messed up a variable definition (my HOME_NET variable was badly formed, missing a trailing ']' on the address list). Although no failure occurred parsing the variable configuration, the rule parser encountered it when loading the rules and saw the rules involving HOME_NET to be malformed. Double check your configuration. 

Dev team, update needed to abort on failure when unable to parse variables properly?

DS

On Jul 1, 2011, at 2:27 AM, "jankins"<zzhan at cs.utsa.edu> wrote:

> Hello,
>  
> I am trying to make suricata-1.0.4 work. I simply wrote a test rule file: sig.rules. It has only one line and one rule:
> alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;)
>  
> When I run it in in IPS mode:
> suricata -s sig.rules -q 0
>  
> There is error message showing the signature rule failed to be compiled:
>  
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:366) <Info> (SigLoadSignatures) -- Loading rule file: sig.rules
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:307) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;) " from file sig.rules at line 1
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:372) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules  loaded from sig.rules
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:392) <Info> (SigLoadSignatures) -- 2 rule files processed. 1 rules succesfully loaded, 1 rules failed
> [17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:840) <Info> (SCSigOrderSignatures) -- ordering signatures in memory
> SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 1
> [17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:883) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 1
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:1512) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
> [17915] 1/7/2011 -- 04:10:30 - (detect.c:1515) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done
>  
> I tried other rules too. None of them suceeded. Please help me about it.
>  
> My os is Debian Squeeze 32-bit.
>  
> Thanks so much for your help.
>  
> Jankins
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list