[Oisf-users] Rule Sets

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Jul 11 19:37:50 UTC 2011 

Have you tried with 192.168.0.0/16? I suspect suri is not liking the incorrect cidr mask....

Matt


On Jul 11, 2011, at 3:15 PM, Brant Wells wrote:

> Hey Matt,
> 
> HOME_NET: "[192.168.0.0/8, 208.67.222.222,208.67.220.220]"
> EXTERNAL_NET: !$HOME_NET
> 
> 
> 
> On Mon, Jul 11, 2011 at 3:12 PM, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:
> How are you defining home and external nets and such?
> 
> Matt
> 
> 
> On Jul 11, 2011, at 1:50 PM, Brant Wells wrote:
> 
>> Hey Guys,
>> 
>> I have tried both of the following URLs in my oinkmaster.conf for pulling in the rules.
>> 
>> url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
>> url = http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
>> 
>> The log entry below is what I get when running suricata without the --init-errors-fatal switch.
>> I have also attached my suricata.yaml as a text file.  
>> 
>> NOTE: IP Address Ranges have been changed...  I know 192.168.0.0/8 ain't valid.
>> 
>> Any other ideas?
>> 
>> [LOG ENTRY]
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:787) <Info> (FlowInitConfig) -- initializing flow engine...
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:874) <Info> (FlowInitConfig) -- allocated 524288 bytes of memory for the flow hash... 65536 buckets of size 8
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:893) <Info> (FlowInitConfig) -- preallocated 10000 flows of size 164
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:895) <Info> (FlowInitConfig) -- flow memory usage: 2164288 bytes, maximum: 33554432
>> [28480] 11/7/2011 -- 13:31:23 - (detect.c:503) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"/screens/frameset.html"; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/\x2Fscreens\x2Fframeset\x2Ehtml.+Authorization\x3A Basic.{120}/msi"; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN; sid:2010674; rev:5;)" from file /etc/suricata/rules/emerging-dos.rules at line 66
>> [END LOG ENTRY]
>> 
>> [BOTTOM OF LOG FILE]
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:635) <Info> (SigLoadSignatures) -- 7 rule files processed. 35 rules succesfully loaded, 6266 rules failed
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2396) <Info> (SigAddressPrepareStage1) -- 35 signatures processed. 0 are IP-only rules, 28 are inspecting packet payload, 13 inspect application layer, 0 are decoder event only
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2399) <Info> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1: adding signatures to signature source addresses... complete
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3041) <Info> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2: building source address list... complete
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3598) <Info> (SigAddressPrepareStage3) -- MPM memory 49690 (dynamic 49690, ctxs 0, avg per ctx 0)
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3600) <Info> (SigAddressPrepareStage3) -- max sig id 35, array size 5
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3611) <Info> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3: building destination address lists... complete
>> [28709] 11/7/2011 -- 13:42:52 - (util-threshold-config.c:138) <Info> (SCThresholdConfInitContext) -- Global thresholding options defined
>> [28709] 11/7/2011 -- 13:42:52 - (alert-fastlog.c:372) <Info> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
>> [28709] 11/7/2011 -- 13:42:52 - (alert-unified2-alert.c:889) <Info> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename unified2.alert, limit 32 MB
>> [28709] 11/7/2011 -- 13:42:52 - (runmodes.c:336) <Warning> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No output module named alert-prelude, ignoring
>> [28709] 11/7/2011 -- 13:42:52 - (log-droplog.c:182) <Info> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log
>> [28710] 11/7/2011 -- 13:42:52 - (source-pcap.c:389) <Info> (ReceivePcapThreadInit) -- using interface eth0
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:355) <Info> (StreamTcpInitConfig) -- stream "max_sessions": 262144
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:367) <Info> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:377) <Info> (StreamTcpInitConfig) -- stream "memcap": 33554432
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:384) <Info> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:392) <Info> (StreamTcpInitConfig) -- stream "async_oneside": disabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:408) <Info> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:419) <Info> (StreamTcpInitConfig) -- stream."inline": disabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:428) <Info> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:438) <Info> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:461) <Info> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:463) <Info> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
>> [28709] 11/7/2011 -- 13:42:52 - (tm-threads.c:1488) <Info> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management threads initialized, engine started.
>> [END BOTTOM OF LOG FILE]
>> 
>> On Mon, Jul 11, 2011 at 11:44 AM, Peter Manev <petermanev at gmail.com> wrote:
>> Hi Brant, 
>> It would be helpful if you could  some info regarding this frome your suricata.log file,  if possible, if you have configured that in your yaml file.
>> 
>> Thank you
>> 
>> On 11 Jul 2011 17:24, "Brant Wells" <bwells at tfc.edu> wrote:
>> > Hi All,
>> > 
>> > Not sure if this should be posted on the dev list or the users lists, so I
>> > thought I'd ask here first...
>> > 
>> > I'd like to use the Emerging Threats open rule sets for Suricata. However,
>> > when I updated the rules, now when I run Suricata, with --init-errors-fatal,
>> > I get
>> > 
>> > [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert udp
>> > $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS";
>> > content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; classtype: attempted-dos;
>> > reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml;
>> > reference:url,doc.emergingthreats.net/bin/view/Main/2000010; reference:url,
>> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS;
>> > sid:2000010; rev:11;)" from file /etc/suricata/rules/emerging-dos.rules at
>> > line 54
>> > 
>> > A ton of rule errors like that. How can I find / fix them? I am running
>> > 1.1 beta 2 (rev 047b19d) from the git repo...
>> > 
>> > See Yas!
>> > ~Brant
>> 
>> <suricata.txt>_______________________________________________
>> 
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> 
> 
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
> PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 
> 
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20110711/a73c8fc8/attachment-0002.html>

More information about the Oisf-users mailing list