[Oisf-users] Rule Sets

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Jul 11 19:12:09 UTC 2011


How are you defining home and external nets and such?

Matt


On Jul 11, 2011, at 1:50 PM, Brant Wells wrote:

> Hey Guys,
> 
> I have tried both of the following URLs in my oinkmaster.conf for pulling in the rules.
> 
> url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
> url = http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
> 
> The log entry below is what I get when running suricata without the --init-errors-fatal switch.
> I have also attached my suricata.yaml as a text file.  
> 
> NOTE: IP Address Ranges have been changed...  I know 192.168.0.0/8 ain't valid.
> 
> Any other ideas?
> 
> [LOG ENTRY]
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:787) <Info> (FlowInitConfig) -- initializing flow engine...
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:874) <Info> (FlowInitConfig) -- allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:893) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 164
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:895) <Info> (FlowInitConfig) -- flow memory usage: 2164288 bytes, maximum: 33554432
> [28480] 11/7/2011 -- 13:31:23 - (detect.c:503) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/screens/frameset.html"; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/\x2Fscreens\x2Fframeset\x2Ehtml.+Authorization\x3A Basic.{120}/msi"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN; sid:2010674; rev:5;)" from file /etc/suricata/rules/emerging-dos.rules at line 66
> [END LOG ENTRY]
> 
> [BOTTOM OF LOG FILE]
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:635) <Info> (SigLoadSignatures) -- 7 rule files processed. 35 rules succesfully loaded, 6266 rules failed
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2396) <Info> (SigAddressPrepareStage1) -- 35 signatures processed. 0 are IP-only rules, 28 are inspecting packet payload, 13 inspect application layer, 0 are decoder event only
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2399) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3041) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3598) <Info> (SigAddressPrepareStage3) -- MPM memory 49690 (dynamic 49690, ctxs 0, avg per ctx 0)
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3600) <Info> (SigAddressPrepareStage3) -- max sig id 35, array size 5
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3611) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
> [28709] 11/7/2011 -- 13:42:52 - (util-threshold-config.c:138) <Info> (SCThresholdConfInitContext) -- Global thresholding options defined
> [28709] 11/7/2011 -- 13:42:52 - (alert-fastlog.c:372) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
> [28709] 11/7/2011 -- 13:42:52 - (alert-unified2-alert.c:889) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename unified2.alert, limit 32 MB
> [28709] 11/7/2011 -- 13:42:52 - (runmodes.c:336) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring
> [28709] 11/7/2011 -- 13:42:52 - (log-droplog.c:182) <Info> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log
> [28710] 11/7/2011 -- 13:42:52 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth0
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:355) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:367) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:384) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:392) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:408) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:419) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:428) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:438) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:461) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:463) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
> [28709] 11/7/2011 -- 13:42:52 - (tm-threads.c:1488) <Info> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management threads initialized, engine started.
> [END BOTTOM OF LOG FILE]
> 
> On Mon, Jul 11, 2011 at 11:44 AM, Peter Manev <petermanev at gmail.com> wrote:
> Hi Brant, 
> It would be helpful if you could provide some info regarding this from your suricata.log file, if possible, if you have configured that in your yaml file.
> 
> Thank you
> 
> On 11 Jul 2011 17:24, "Brant Wells" <bwells at tfc.edu> wrote:
> > Hi All,
> > 
> > Not sure if this should be posted on the dev list or the users lists, so I
> > thought I'd ask here first...
> > 
> > I'd like to use the Emerging Threats open rule sets for Suricata. However,
> > when I updated the rules, now when I run Suricata, with --init-errors-fatal,
> > I get
> > 
> > [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert udp
> > $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS";
> > content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; classtype: attempted-dos;
> > reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml;
> > reference:url,doc.emergingthreats.net/bin/view/Main/2000010; reference:url,
> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS;
> > sid:2000010; rev:11;)" from file /etc/suricata/rules/emerging-dos.rules at
> > line 54
> > 
> > A ton of rule errors like that. How can I find / fix them? I am running
> > 1.1 beta 2 (rev 047b19d) from the git repo...
> > 
> > See Yas!
> > ~Brant
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
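Matt's question about how HOME_NET and EXTERNAL_NET are defined, together with Brant's own remark that a prefix like 192.168.0.0/8 is not valid, points at the address-group variables rather than the rule text as something to check before blaming 6266 rules. The script below is an added example, not part of this thread and not Suricata's own code: it pre-flights a constructed `vars: address-groups:` block in the shape used by suricata.yaml, flags entries that cannot be used as written (malformed addresses, CIDR prefixes with host bits set, references to undefined variables), follows reference chains such as `EXTERNAL_NET: !$HOME_NET`, and then reports which rule headers depend on a variable that did not validate. The strict host-bits check is Python's `ipaddress` rule, not a statement about how Suricata itself parses such a prefix; the sample variables and the shortened rule lines (modelled on the ET rules quoted above) are constructed, and port variables such as `$HTTP_PORTS` are out of scope.

```python
"""Pre-flight check for Suricata address-group variables (added example)."""
import ipaddress
import re

# Constructed sample in the shape of `vars: address-groups:` from suricata.yaml,
# including a deliberately bad HOME_NET prefix like the one mentioned in the thread.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/8,10.0.0.0/8]",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
    "DNS_SERVERS": "$HOME_NET",
    "SMTP_SERVERS": "$UNDEFINED_NET",
}

# Constructed rule lines modelled on the ET rules quoted in the thread;
# only the header (everything before the first '(') is inspected here.
RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS example 1"; sid:2010674; rev:5;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS example 2"; sid:2000010; rev:11;)',
    'alert tcp any any -> $SMTP_SERVERS 25 (msg:"ET example 3"; sid:2000000; rev:1;)',
    'alert tcp any any -> any 22 (msg:"ET example 4"; sid:2000001; rev:1;)',
]

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def _split_group(value):
    """Split 'a,[b,c],!d' style group text into individual tokens."""
    # Bracket nesting only expresses grouping; it does not matter for validation.
    cleaned = value.strip().replace("[", "").replace("]", "")
    return [tok.strip() for tok in cleaned.split(",") if tok.strip()]


def validate_address_groups(groups):
    """Return {var_name: [problem, ...]}; an empty list means the entry is usable as written."""
    problems = {}
    for name, value in groups.items():
        issues = []
        for tok in _split_group(value):
            tok = tok.lstrip("!")  # negation is fine; validate what follows it
            if tok == "any":
                continue
            if tok.startswith("$"):
                if tok[1:] not in groups:
                    issues.append(f"references undefined variable {tok}")
                continue
            try:
                ipaddress.ip_network(tok, strict=True)
            except ValueError:
                try:
                    ipaddress.ip_network(tok, strict=False)
                    issues.append(f"{tok} has host bits set in the prefix")
                except ValueError:
                    issues.append(f"{tok} is not a valid address or CIDR")
        problems[name] = issues
    return problems


def unusable_variables(groups):
    """Names whose definition is broken directly or through a chain of $VAR references."""
    bad = {name for name, issues in validate_address_groups(groups).items() if issues}
    changed = True
    while changed:  # propagate until no new variable is pulled in by a bad reference
        changed = False
        for name, value in groups.items():
            if name in bad:
                continue
            refs = {m.group(1) for m in VAR_RE.finditer(value)}
            if refs & bad:
                bad.add(name)
                changed = True
    return bad


def rules_hit_by_variables(rules, groups):
    """Map each rule's sid to the sorted list of unusable address variables its header uses."""
    bad = unusable_variables(groups)
    hits = {}
    for rule in rules:
        header = rule.split("(", 1)[0]
        sid_match = re.search(r"sid:\s*(\d+)", rule)
        sid = int(sid_match.group(1)) if sid_match else None
        refs = {m.group(1) for m in VAR_RE.finditer(header)}
        bad_refs = sorted(refs & bad)
        if bad_refs:
            hits[sid] = bad_refs
    return hits


if __name__ == "__main__":
    for name, issues in validate_address_groups(ADDRESS_GROUPS).items():
        for issue in issues:
            print(f"{name}: {issue}")
    for sid, bad_vars in sorted(rules_hit_by_variables(RULES, ADDRESS_GROUPS).items()):
        print(f"sid {sid}: depends on unusable variable(s) {', '.join(bad_vars)}")
```

Run against the constructed sample it reports the host-bits problem in HOME_NET and the dangling reference in SMTP_SERVERS, and then shows that every rule using $EXTERNAL_NET or $HOME_NET inherits the HOME_NET problem, which is the pattern to look for when a whole rule set fails at load while only a handful of rules without variables survive. To use it on a real installation, replace ADDRESS_GROUPS with the address-groups section read from your suricata.yaml and RULES with the lines of the rule files.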




