[Oisf-users] Rule Sets

Brant Wells bwells at tfc.edu
Mon Jul 11 19:53:48 UTC 2011


I just checked the suricata.yaml file from the GIT repo...  the
EXTERNAL_NET: any doesn't have any quotes...  However, if you want to change
it to something other than any, put the quotes around it...

ie: EXTERNAL_NET: !$HOME_NET

should actually be:

EXTERNAL_NET: "!$HOME_NET"

Somebody should put a note in the .yaml file somewhere!

See Yas!
~Brant
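A pre-flight check for the two configuration points raised in this thread, the unquoted `!$HOME_NET` and the CIDR mask Matt asks about. This is an added example, not part of the original messages or of Suricata. The function names are hypothetical, the sample reuses the values quoted in the thread, and it expects only the address variable lines of suricata.yaml as input.

```python
import ipaddress
import re

# Constructed sample: the address variables quoted in this thread.
SAMPLE = '''\
HOME_NET: "[192.168.0.0/8, 208.67.222.222,208.67.220.220]"
EXTERNAL_NET: !$HOME_NET
HTTP_SERVERS: "$HOME_NET"
'''

VAR_LINE = re.compile(r'^\s*([A-Z][A-Z0-9_]*):\s*(.*?)\s*$')

def check_entry(item):
    """Return a problem string for one address entry, or None if it is fine."""
    if not item or item == 'any' or item.startswith('$'):
        return None  # empty, keyword, or reference to another variable
    try:
        ipaddress.ip_network(item, strict=True)
        return None
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        return f'{item}: not an IP address or CIDR block'
    return f'{item}: host bits set beyond the mask (network is {net})'

def lint_address_vars(text):
    """Lint address variable lines of a suricata.yaml; return (name, problem) pairs."""
    findings = []
    for line in text.splitlines():
        m = VAR_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('!'):
            # A plain YAML scalar that begins with '!' is read as a tag, so the
            # variable does not receive the string "!$HOME_NET".
            findings.append((name, 'unquoted value starts with "!"; wrap it in quotes'))
            continue
        for item in raw.strip('"\'').split(','):
            problem = check_entry(item.strip(' \t[]!'))
            if problem:
                findings.append((name, problem))
    return findings

if __name__ == '__main__':
    for name, problem in lint_address_vars(SAMPLE):
        print(f'{name}: {problem}')
```
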

On Mon, Jul 11, 2011 at 3:37 PM, Matthew Jonkman <
jonkman at emergingthreatspro.com> wrote:

> Have you tried with 192.168.0.0/16? I suspect suri is not liking the
> incorrect cidr mask....
>
> Matt
>
>
> On Jul 11, 2011, at 3:15 PM, Brant Wells wrote:
>
> Hey Matt,
>
> HOME_NET: "[192.168.0.0/8, 208.67.222.222,208.67.220.220]"
> EXTERNAL_NET: !$HOME_NET
>
>
>
> On Mon, Jul 11, 2011 at 3:12 PM, Matthew Jonkman <
> jonkman at emergingthreatspro.com> wrote:
>
>> How are you defining home and external nets and such?
>>
>> Matt
>>
>>
>> On Jul 11, 2011, at 1:50 PM, Brant Wells wrote:
>>
>> Hey Guys,
>>
>> I have tried both of the following URLs in my oinkmaster.conf for pulling
>> in the rules.
>>
>> url =
>> http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
>> url =
>> http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
>>
>> The log entry below is what I get when running suricata without the
>> --init-errors-fatal switch.
>> I have also attached my suricata.yaml as a text file.
>>
>> NOTE: IP Address Ranges have been changed...  I know 192.168.0.0/8 ain't
>> valid.
>>
>> Any other ideas?
>>
>> [LOG ENTRY]
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:787) <Info> (FlowInitConfig) --
>> initializing flow engine...
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:874) <Info> (FlowInitConfig) --
>> allocated 524288 bytes of memory for the flow hash... 65536 buckets of size
>> 8
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:893) <Info> (FlowInitConfig) --
>> preallocated 10000 flows of size 164
>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:895) <Info> (FlowInitConfig) --
>> flow memory usage: 2164288 bytes, maximum: 33554432
>> [28480] 11/7/2011 -- 13:31:23 - (detect.c:503) <Error> (DetectLoadSigFile)
>> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
>> http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200
>> Wireless Lan Controller Long Authorisation Denial of Service Attempt";
>> flow:to_server,established; content:"GET "; depth:4; nocase;
>> uricontent:"/screens/frameset.html"; nocase; content:"Authorization|3A
>> 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118;
>> isdataat:120,relative;
>> pcre:"/\x2Fscreens\x2Fframeset\x2Ehtml.+Authorization\x3A Basic.{120}/msi";
>> classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805;
>> reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml;
>> reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674;
>> reference:url,
>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN;
>> sid:2010674; rev:5;)" from file /etc/suricata/rules/emerging-dos.rules at
>> line 66
>> [END LOG ENTRY]
>>
>> [BOTTOM OF LOG FILE]
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:635) <Info> (SigLoadSignatures)
>> -- 7 rule files processed. 35 rules succesfully loaded, 6266 rules failed
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2396) <Info>
>> (SigAddressPrepareStage1) -- 35 signatures processed. 0 are IP-only rules,
>> 28 are inspecting packet payload, 13 inspect application layer, 0 are
>> decoder event only
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2399) <Info>
>> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1:
>> adding signatures to signature source addresses... complete
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3041) <Info>
>> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2:
>> building source address list... complete
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3598) <Info>
>> (SigAddressPrepareStage3) -- MPM memory 49690 (dynamic 49690, ctxs 0, avg
>> per ctx 0)
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3600) <Info>
>> (SigAddressPrepareStage3) -- max sig id 35, array size 5
>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3611) <Info>
>> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3:
>> building destination address lists... complete
>> [28709] 11/7/2011 -- 13:42:52 - (util-threshold-config.c:138) <Info>
>> (SCThresholdConfInitContext) -- Global thresholding options defined
>> [28709] 11/7/2011 -- 13:42:52 - (alert-fastlog.c:372) <Info>
>> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
>> [28709] 11/7/2011 -- 13:42:52 - (alert-unified2-alert.c:889) <Info>
>> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename
>> unified2.alert, limit 32 MB
>> [28709] 11/7/2011 -- 13:42:52 - (runmodes.c:336) <Warning>
>> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No
>> output module named alert-prelude, ignoring
>> [28709] 11/7/2011 -- 13:42:52 - (log-droplog.c:182) <Info>
>> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log
>> [28710] 11/7/2011 -- 13:42:52 - (source-pcap.c:389) <Info>
>> (ReceivePcapThreadInit) -- using interface eth0
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:355) <Info>
>> (StreamTcpInitConfig) -- stream "max_sessions": 262144
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:367) <Info>
>> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:377) <Info>
>> (StreamTcpInitConfig) -- stream "memcap": 33554432
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:384) <Info>
>> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:392) <Info>
>> (StreamTcpInitConfig) -- stream "async_oneside": disabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:408) <Info>
>> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:419) <Info>
>> (StreamTcpInitConfig) -- stream."inline": disabled
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:428) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:438) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:461) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:463) <Info>
>> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
>> [28709] 11/7/2011 -- 13:42:52 - (tm-threads.c:1488) <Info>
>> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management
>> threads initialized, engine started.
>> [END BOTTOM OF LOG FILE]
>>
>> On Mon, Jul 11, 2011 at 11:44 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>>> Hi Brant,
>>> It would be helpful if you could provide some info regarding this from your
>>> suricata.log file,  if possible, if you have configured that in your yaml
>>> file.
>>>
>>> Thank you
>>> On 11 Jul 2011 17:24, "Brant Wells" <bwells at tfc.edu> wrote:
>>> > Hi All,
>>> >
>>> > Not sure if this should be posted on the dev list or the users lists, so I
>>> > thought I'd ask here first...
>>> >
>>> > I'd like to use the Emerging Threats open rule sets for Suricata. However,
>>> > when I updated the rules, now when I run Suricata, with --init-errors-fatal,
>>> > I get
>>> >
>>> > [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert udp
>>> > $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS";
>>> > content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; classtype: attempted-dos;
>>> > reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml;
>>> > reference:url,doc.emergingthreats.net/bin/view/Main/2000010; reference:url,
>>> > www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS;
>>> > sid:2000010; rev:11;)" from file /etc/suricata/rules/emerging-dos.rules at
>>> > line 54
>>> >
>>> > A ton of rule errors like that. How can I find / fix them? I am running
>>> > 1.1 beta 2 (rev 047b19d) from the git repo...
>>> >
>>> > See Yas!
>>> > ~Brant
>>>
>>
>> <suricata.txt>_______________________________________________
>>
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>>
>>
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 866-504-2523 x110
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>
>>