[Oisf-users] Fail to load test signature from rule file

Victor Julien victor at inliniac.net
Fri Jul 1 16:14:50 UTC 2011


On 07/01/2011 05:42 PM, Darren Spruell wrote:
> This happened to me when I started using Suri as well. In my case I had messed up a variable definition (my HOME_NET variable was badly formed, missing a trailing ']' on the address list). Although no failure occurred parsing the variable configuration, the rule parser encountered it when loading the rules and saw the rules involving HOME_NET to be malformed. Double check your configuration. 
> 
> Dev team, update needed to abort on failure when unable to parse variables properly?

The vars are not parsed separately. We simply replace the $VAR in a rule
by the content of the $VAR during rule parsing. It should still give a
proper error of course, will make sure that gets fixed.

Cheers,
Victor

> DS
> 
> On Jul 1, 2011, at 2:27 AM, "jankins"<zzhan at cs.utsa.edu> wrote:
> 
>> Hello,
>>  
>> I am trying to make suricata-1.0.4 work. I simply wrote a test rule file: sig.rules. It has only one line and one rule:
>> alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;)
>>  
>> When I run it in in IPS mode:
>> suricata -s sig.rules -q 0
>>  
>> There is error message showing the signature rule failed to be compiled:
>>  
>> [17915] 1/7/2011 -- 04:10:30 - (detect.c:366) <Info> (SigLoadSignatures) -- Loading rule file: sig.rules
>> [17915] 1/7/2011 -- 04:10:30 - (detect.c:307) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;) " from file sig.rules at line 1
>> [17915] 1/7/2011 -- 04:10:30 - (detect.c:372) <Error> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules  loaded from sig.rules
>> [17915] 1/7/2011 -- 04:10:30 - (detect.c:392) <Info> (SigLoadSignatures) -- 2 rule files processed. 1 rules succesfully loaded, 1 rules failed
>> [17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:840) <Info> (SCSigOrderSignatures) -- ordering signatures in memory
>> SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 1
>> [17915] 1/7/2011 -- 04:10:30 - (detect-engine-sigorder.c:883) <Info> (SCSigOrderSignatures) -- total signatures reordered by the sigordering module: 1
>> [17915] 1/7/2011 -- 04:10:30 - (detect.c:1512) <Info> (SigAddressPrepareStage1) -- 1 signatures processed. 1 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
>> [17915] 1/7/2011 -- 04:10:30 - (detect.c:1515) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... done
>>  
>> I tried other rules too. None of them succeeded. Please help me about it.
>>  
>> My os is Debian Squeeze 32-bit.
>>  
>> Thanks so much for your help.
>>  
>> Jankins
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
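The substitution Victor describes (the `$VAR` text is simply pasted into the rule while the rule is parsed, so a malformed variable only surfaces as an "error parsing signature" on every rule that uses it), together with the up-front variable check Darren asks for, as an added Python example. This is not part of the thread and not Suricata's own code. The two sets of address-group values are constructed, the second reproducing the missing trailing `]` from Darren's message; `expand_vars`, `parse_address_group`, `validate_vars` and `load_rule` are hypothetical helper names, and the parser only handles the subset of Suricata's address syntax needed here (`any`, CIDR, `!` negation, nested bracket lists, no whitespace inside a group).

```python
import ipaddress
import re

# Constructed sample "address-groups" as they would appear in suricata.yaml.
# BAD_VARS reproduces the mistake from the thread: HOME_NET lacks its trailing ']'.
GOOD_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}
BAD_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12",
    "EXTERNAL_NET": "!$HOME_NET",
}

# The one-line test rule from the original post.
RULE = 'alert icmp any any -> $HOME_NET any (msg:"ICMP test"; classtype: unknown; sid:10000001;)'

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_vars(text, variables, max_depth=8):
    """Purely textual $VAR substitution, repeated so that variables referring to
    other variables (EXTERNAL_NET -> HOME_NET) resolve. No validation happens
    here, which is exactly why a broken value goes unnoticed until rule parsing."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise ValueError("undefined variable $%s" % name)
        return variables[name]

    for _ in range(max_depth):
        new = VAR_RE.sub(repl, text)
        if new == text:
            return new
        text = new
    raise ValueError("variable expansion did not converge (self-referencing variable?)")


def split_top_level(s):
    """Split on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def parse_address_group(group):
    """Return a list of (negated, network) pairs for one address group, where
    network is an ipaddress network or None for 'any'. Raises ValueError with a
    message that names the malformed piece (hypothetical parser, not Suricata's)."""
    group = group.strip()
    negated = False
    if group.startswith("!"):
        negated = True
        group = group[1:].strip()
    if group.startswith("["):
        if not group.endswith("]"):
            raise ValueError("unbalanced '[' in address group %r" % group)
        out = []
        for item in split_top_level(group[1:-1]):
            for neg, net in parse_address_group(item):
                out.append((neg != negated, net))  # double negation cancels
        return out
    if "]" in group:
        raise ValueError("stray ']' in address group %r" % group)
    if group.lower() == "any":
        return [(negated, None)]
    try:
        return [(negated, ipaddress.ip_network(group, strict=False))]
    except ValueError:
        raise ValueError("not an IP or CIDR: %r" % group)


def validate_vars(variables):
    """Check every address-group variable before any rule is loaded, the check
    Darren asks for. Returns {name: error} for the bad ones; {} means all good."""
    errors = {}
    for name, value in variables.items():
        try:
            parse_address_group(expand_vars(value, variables))
        except ValueError as e:
            errors[name] = str(e)
    return errors


# action proto src sport dir dst dport (options); assumes no whitespace inside groups.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def load_rule(rule, variables):
    """Expand variables into the rule text, then parse the header's address fields.
    Returns (True, parsed header) or (False, the error a rule loader would report)."""
    expanded = expand_vars(rule, variables)
    m = HEADER_RE.match(expanded)
    if not m:
        return False, "cannot split rule header: %r" % expanded
    action, proto, src, sport, direction, dst, dport, options = m.groups()
    try:
        src_nets = parse_address_group(src)
        dst_nets = parse_address_group(dst)
    except ValueError as e:
        # The variable error surfaces here, attributed to the rule, as in the thread.
        return False, "error parsing signature %r: %s" % (rule, e)
    return True, {"action": action, "proto": proto, "direction": direction,
                  "src": src_nets, "dst": dst_nets, "sport": sport, "dport": dport,
                  "options": options}


if __name__ == "__main__":
    for label, variables in (("good", GOOD_VARS), ("bad", BAD_VARS)):
        print(label, "vars:", validate_vars(variables) or "ok")
        print(label, "rule:", load_rule(RULE, variables))
```

Running the block shows the two failure modes side by side: with `BAD_VARS`, `validate_vars` names `HOME_NET` (and `EXTERNAL_NET`, which inherits the defect) before any rule is touched, while `load_rule` reports the same defect as a parse error on a rule that is itself fine.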