[Oisf-users] Rule Sets

Brant Wells bwells at tfc.edu
Mon Jul 11 19:15:06 UTC 2011 

Hey Matt,

HOME_NET: "[192.168.0.0/8, 208.67.222.222,208.67.220.220]"
EXTERNAL_NET: !$HOME_NET



On Mon, Jul 11, 2011 at 3:12 PM, Matthew Jonkman <
jonkman at emergingthreatspro.com> wrote:

> How are you defining home and external nets and such?
>
> Matt
>
>
> On Jul 11, 2011, at 1:50 PM, Brant Wells wrote:
>
> Hey Guys,
>
> I have tried both of the following URLs in my oinkmaster.conf for pulling
> in the rules.
>
> url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
> url =
> http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
>
> The log entry below is what I get when running suricata without the
> --init-errors-fatal switch.
> I have also attached my suricata.yaml as a text file.
>
> NOTE: IP Address Ranges have been changed...  I know 192.168.0.0/8 ain't
> valid.
>
> Any other ideas?
>
> [LOG ENTRY]
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:787) <Info> (FlowInitConfig) --
> initializing flow engine...
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:874) <Info> (FlowInitConfig) --
> allocated 524288 bytes of memory for the flow hash... 65536 buckets of size
> 8
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:893) <Info> (FlowInitConfig) --
> preallocated 10000 flows of size 164
> [28480] 11/7/2011 -- 13:31:23 - (flow.c:895) <Info> (FlowInitConfig) --
> flow memory usage: 2164288 bytes, maximum: 33554432
> [28480] 11/7/2011 -- 13:31:23 - (detect.c:503) <Error> (DetectLoadSigFile)
> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
> http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200
> Wireless Lan Controller Long Authorisation Denial of Service Attempt";
> flow:to_server,established; content:"GET "; depth:4; nocase;
> uricontent:"/screens/frameset.html"; nocase; content:"Authorization|3A
> 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118;
> isdataat:120,relative;
> pcre:"/\x2Fscreens\x2Fframeset\x2Ehtml.+Authorization\x3A Basic.{120}/msi";
> classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805;
> reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml;
> reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674;
> reference:url,
> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN;
> sid:2010674; rev:5;)" from file /etc/suricata/rules/emerging-dos.rules at
> line 66
> [END LOG ENTRY]
>
> [BOTTOM OF LOG FILE]
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:635) <Info> (SigLoadSignatures)
> -- 7 rule files processed. 35 rules succesfully loaded, 6266 rules failed
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2396) <Info>
> (SigAddressPrepareStage1) -- 35 signatures processed. 0 are IP-only rules,
> 28 are inspecting packet payload, 13 inspect application layer, 0 are
> decoder event only
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2399) <Info>
> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1:
> adding signatures to signature source addresses... complete
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3041) <Info>
> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2:
> building source address list... complete
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3598) <Info>
> (SigAddressPrepareStage3) -- MPM memory 49690 (dynamic 49690, ctxs 0, avg
> per ctx 0)
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3600) <Info>
> (SigAddressPrepareStage3) -- max sig id 35, array size 5
> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3611) <Info>
> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3:
> building destination address lists... complete
> [28709] 11/7/2011 -- 13:42:52 - (util-threshold-config.c:138) <Info>
> (SCThresholdConfInitContext) -- Global thresholding options defined
> [28709] 11/7/2011 -- 13:42:52 - (alert-fastlog.c:372) <Info>
> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
> [28709] 11/7/2011 -- 13:42:52 - (alert-unified2-alert.c:889) <Info>
> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename
> unified2.alert, limit 32 MB
> [28709] 11/7/2011 -- 13:42:52 - (runmodes.c:336) <Warning>
> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No
> output module named alert-prelude, ignoring
> [28709] 11/7/2011 -- 13:42:52 - (log-droplog.c:182) <Info>
> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log
> [28710] 11/7/2011 -- 13:42:52 - (source-pcap.c:389) <Info>
> (ReceivePcapThreadInit) -- using interface eth0
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:355) <Info>
> (StreamTcpInitConfig) -- stream "max_sessions": 262144
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:367) <Info>
> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:377) <Info>
> (StreamTcpInitConfig) -- stream "memcap": 33554432
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:384) <Info>
> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:392) <Info>
> (StreamTcpInitConfig) -- stream "async_oneside": disabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:408) <Info>
> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:419) <Info>
> (StreamTcpInitConfig) -- stream."inline": disabled
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:428) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:438) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:461) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:463) <Info>
> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
> [28709] 11/7/2011 -- 13:42:52 - (tm-threads.c:1488) <Info>
> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management
> threads initialized, engine started.
> [END BOTTOM OF LOG FILE]
>
> On Mon, Jul 11, 2011 at 11:44 AM, Peter Manev <petermanev at gmail.com>wrote:
>
>> Hi Brant,
>> It would be helpful if you could  some info regarding this frome your
>> suricata.log file,  if possible, if you have configured that in your yaml
>> file.
>>
>> Thank you
>> On 11 Jul 2011 17:24, "Brant Wells" <bwells at tfc.edu> wrote:
>> > Hi All,
>> >
>> > Not sure if this should be posted on the dev list or the users lists, so
>> I
>> > thought I'd ask here first...
>> >
>> > I'd like to use the Emerging Threats open rule sets for Suricata.
>> However,
>> > when I updated the rules, now when I run Suricata, with
>> --init-errors-fatal,
>> > I get
>> >
>> > [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
>> udp
>> > $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood
>> DoS";
>> > content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; classtype:
>> attempted-dos;
>> > reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml;
>> > reference:url,doc.emergingthreats.net/bin/view/Main/2000010;
>> reference:url,
>> >
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS
>> ;
>> > sid:2000010; rev:11;)" from file /etc/suricata/rules/emerging-dos.rules
>> at
>> > line 54
>> >
>> > A ton of rule errors like that. How can I find / fix them? I am running
>> > 1.1 beta 2 (rev 047b19d) from the git repo...
>> >
>> > See Yas!
>> > ~Brant
>>
>
> <suricata.txt>_______________________________________________
>
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110711/92138dd6/attachment-0002.html>

More information about the Oisf-users mailing list