[Oisf-users] Rule Sets

Victor Julien victor at inliniac.net
Tue Jul 12 12:13:52 UTC 2011


Brant, can you check in a bug into our redmine for this? Definitely a bug.

Thanks!
Victor

On 07/11/2011 09:53 PM, Brant Wells wrote:
> I just checked the suricata.yaml file from the GIT repo...  the
> EXTERNAL_NET: any doesn't have any quotes...  However, if you want to change
> it to something other than any, put the quotes around it...
> 
> ie: EXTERNAL_NET: !$HOME_NET
> 
> should actually be:
> 
> EXTERNAL_NET: "!$HOME_NET"
> 
> Somebody should put a note in the .yaml file somewhere!
> 
> See Yas!
> ~Brant
> 
> On Mon, Jul 11, 2011 at 3:37 PM, Matthew Jonkman <
> jonkman at emergingthreatspro.com> wrote:
> 
>> Have you tried with 192.168.0.0/16? I suspect suri is not liking the
>> incorrect cidr mask....
>>
>> Matt
>>
>>
>> On Jul 11, 2011, at 3:15 PM, Brant Wells wrote:
>>
>> Hey Matt,
>>
>> HOME_NET: "[192.168.0.0/8, 208.67.222.222,208.67.220.220]"
>> EXTERNAL_NET: !$HOME_NET
>>
>>
>>
>> On Mon, Jul 11, 2011 at 3:12 PM, Matthew Jonkman <
>> jonkman at emergingthreatspro.com> wrote:
>>
>>> How are you defining home and external nets and such?
>>>
>>> Matt
>>>
>>>
>>> On Jul 11, 2011, at 1:50 PM, Brant Wells wrote:
>>>
>>> Hey Guys,
>>>
>>> I have tried both of the following URLs in my oinkmaster.conf for pulling
>>> in the rules.
>>>
>>> url =
>>> http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
>>> url =
>>> http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
>>>
>>> The log entry below is what I get when running suricata without the
>>> --init-errors-fatal switch.
>>> I have also attached my suricata.yaml as a text file.
>>>
>>> NOTE: IP Address Ranges have been changed...  I know 192.168.0.0/8 ain't
>>> valid.
>>>
>>> Any other ideas?
>>>
>>> [LOG ENTRY]
>>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:787) <Info> (FlowInitConfig) --
>>> initializing flow engine...
>>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:874) <Info> (FlowInitConfig) --
>>> allocated 524288 bytes of memory for the flow hash... 65536 buckets of size
>>> 8
>>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:893) <Info> (FlowInitConfig) --
>>> preallocated 10000 flows of size 164
>>> [28480] 11/7/2011 -- 13:31:23 - (flow.c:895) <Info> (FlowInitConfig) --
>>> flow memory usage: 2164288 bytes, maximum: 33554432
>>> [28480] 11/7/2011 -- 13:31:23 - (detect.c:503) <Error> (DetectLoadSigFile)
>>> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert
>>> http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Cisco 4200
>>> Wireless Lan Controller Long Authorisation Denial of Service Attempt";
>>> flow:to_server,established; content:"GET "; depth:4; nocase;
>>> uricontent:"/screens/frameset.html"; nocase; content:"Authorization|3A
>>> 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118;
>>> isdataat:120,relative;
>>> pcre:"/\x2Fscreens\x2Fframeset\x2Ehtml.+Authorization\x3A Basic.{120}/msi";
>>> classtype:attempted-dos; reference:url,www.securityfocus.com/bid/35805;
>>> reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml;
>>> reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674;
>>> reference:url,
>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_WLAN;
>>> sid:2010674; rev:5;)" from file /etc/suricata/rules/emerging-dos.rules at
>>> line 66
>>> [END LOG ENTRY]
>>>
>>> [BOTTOM OF LOG FILE]
>>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:635) <Info> (SigLoadSignatures)
>>> -- 7 rule files processed. 35 rules succesfully loaded, 6266 rules failed
>>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2396) <Info>
>>> (SigAddressPrepareStage1) -- 35 signatures processed. 0 are IP-only rules,
>>> 28 are inspecting packet payload, 13 inspect application layer, 0 are
>>> decoder event only
>>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:2399) <Info>
>>> (SigAddressPrepareStage1) -- building signature grouping structure, stage 1:
>>> adding signatures to signature source addresses... complete
>>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3041) <Info>
>>> (SigAddressPrepareStage2) -- building signature grouping structure, stage 2:
>>> building source address list... complete
>>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3598) <Info>
>>> (SigAddressPrepareStage3) -- MPM memory 49690 (dynamic 49690, ctxs 0, avg
>>> per ctx 0)
>>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3600) <Info>
>>> (SigAddressPrepareStage3) -- max sig id 35, array size 5
>>> [28709] 11/7/2011 -- 13:42:52 - (detect.c:3611) <Info>
>>> (SigAddressPrepareStage3) -- building signature grouping structure, stage 3:
>>> building destination address lists... complete
>>> [28709] 11/7/2011 -- 13:42:52 - (util-threshold-config.c:138) <Info>
>>> (SCThresholdConfInitContext) -- Global thresholding options defined
>>> [28709] 11/7/2011 -- 13:42:52 - (alert-fastlog.c:372) <Info>
>>> (AlertFastLogInitCtx) -- Fast log output initialized, filename: fast.log
>>> [28709] 11/7/2011 -- 13:42:52 - (alert-unified2-alert.c:889) <Info>
>>> (Unified2AlertInitCtx) -- Unified2-alert initialized: filename
>>> unified2.alert, limit 32 MB
>>> [28709] 11/7/2011 -- 13:42:52 - (runmodes.c:336) <Warning>
>>> (RunModeInitializeOutputs) -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - No
>>> output module named alert-prelude, ignoring
>>> [28709] 11/7/2011 -- 13:42:52 - (log-droplog.c:182) <Info>
>>> (LogDropLogInitCtx) -- Drop log output initialized, filename: drop.log
>>> [28710] 11/7/2011 -- 13:42:52 - (source-pcap.c:389) <Info>
>>> (ReceivePcapThreadInit) -- using interface eth0
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:355) <Info>
>>> (StreamTcpInitConfig) -- stream "max_sessions": 262144
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:367) <Info>
>>> (StreamTcpInitConfig) -- stream "prealloc_sessions": 32768
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:377) <Info>
>>> (StreamTcpInitConfig) -- stream "memcap": 33554432
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:384) <Info>
>>> (StreamTcpInitConfig) -- stream "midstream" session pickups: disabled
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:392) <Info>
>>> (StreamTcpInitConfig) -- stream "async_oneside": disabled
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:408) <Info>
>>> (StreamTcpInitConfig) -- stream "checksum_validation": enabled
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:419) <Info>
>>> (StreamTcpInitConfig) -- stream."inline": disabled
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:428) <Info>
>>> (StreamTcpInitConfig) -- stream.reassembly "memcap": 67108864
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:438) <Info>
>>> (StreamTcpInitConfig) -- stream.reassembly "depth": 1048576
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:461) <Info>
>>> (StreamTcpInitConfig) -- stream.reassembly "toserver_chunk_size": 2560
>>> [28709] 11/7/2011 -- 13:42:52 - (stream-tcp.c:463) <Info>
>>> (StreamTcpInitConfig) -- stream.reassembly "toclient_chunk_size": 2560
>>> [28709] 11/7/2011 -- 13:42:52 - (tm-threads.c:1488) <Info>
>>> (TmThreadWaitOnThreadInit) -- all 10 packet processing threads, 3 management
>>> threads initialized, engine started.
>>> [END BOTTOM OF LOG FILE]
>>>
>>> On Mon, Jul 11, 2011 at 11:44 AM, Peter Manev <petermanev at gmail.com> wrote:
>>>
>>>> Hi Brant,
>>>> It would be helpful if you could share some info regarding this from your
>>>> suricata.log file, if possible, if you have configured that in your yaml
>>>> file.
>>>>
>>>> Thank you
>>>> On 11 Jul 2011 17:24, "Brant Wells" <bwells at tfc.edu> wrote:
>>>>> Hi All,
>>>>>
>>>>> Not sure if this should be posted on the dev list or the users lists,
>>>> so I
>>>>> thought I'd ask here first...
>>>>>
>>>>> I'd like to use the Emerging Threats open rule sets for Suricata.
>>>> However,
>>>>> when I updated the rules, now when I run Suricata, with
>>>> --init-errors-fatal,
>>>>> I get
>>>>>
>>>>> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature
>>>> "alert udp
>>>>> $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood
>>>> DoS";
>>>>> content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; classtype:
>>>> attempted-dos;
>>>>> reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml;
>>>>> reference:url,doc.emergingthreats.net/bin/view/Main/2000010;
>>>> reference:url,
>>>>>
>>>> www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/DOS/DOS_Cisco_514_UDP_DoS
>>>> ;
>>>>> sid:2000010; rev:11;)" from file /etc/suricata/rules/emerging-dos.rules
>>>> at
>>>>> line 54
>>>>>
>>>>> A ton of rule errors like that. How can I find / fix them? I am running
>>>>> 1.1 beta 2 (rev 047b19d) from the git repo...
>>>>>
>>>>> See Yas!
>>>>> ~Brant
>>>>
>>>
>>> <suricata.txt>_______________________________________________
>>>
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>>
>>>
>>> ----------------------------------------------------
>>> Matthew Jonkman
>>> Emergingthreats.net
>>> Emerging Threats Pro
>>> Open Information Security Foundation (OISF)
>>> Phone 866-504-2523 x110
>>> http://www.emergingthreatspro.com
>>> http://www.openinfosecfoundation.org
>>> ----------------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>>
> 
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
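Brant's fix (quote the negated value so YAML does not read the leading `!` as a tag) and Matt's CIDR hint both lend themselves to a pre-flight check, and the "35 rules succesfully loaded, 6266 rules failed" line is the signal that a sensor is running nearly blind. The following is an added example, not code from the thread or from Suricata: it scans address-group variables for unquoted `!`/`[` values and masks with host bits set, and parses the SigLoadSignatures summary line; the sample config and log line are constructed from the values quoted above.

```python
import ipaddress
import re

# Constructed sample mirroring the thread: the bare '!' makes YAML read
# EXTERNAL_NET as a tag, and 192.168.0.0/8 sets bits outside its /8 mask.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/8, 208.67.222.222,208.67.220.220]"
    EXTERNAL_NET: !$HOME_NET
    HTTP_SERVERS: "$HOME_NET"
"""
# Constructed copy of the SigLoadSignatures line quoted in the thread
# (Suricata 1.1 spelled "succesfully"; the regex accepts both spellings).
SAMPLE_LOG = ("(detect.c:635) <Info> (SigLoadSignatures) -- 7 rule files "
              "processed. 35 rules succesfully loaded, 6266 rules failed")

VAR_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*?)\s*$")
LOAD_SUMMARY = re.compile(r"(\d+) rules succes+fully loaded, (\d+) rules failed")

def check_address_groups(text: str) -> list[str]:
    """Flag address-group values that YAML or Suricata's address parser misreads."""
    warnings = []
    for line in text.splitlines():
        m = VAR_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value[:1] in ("!", "["):  # unquoted: YAML tag / flow sequence, not a string
            warnings.append(f'{name}: value must be quoted: "{value}"')
            continue
        for item in value.strip('"[]').split(","):
            item = item.strip().lstrip("!")
            if "/" not in item or item.startswith("$"):
                continue  # bare hosts, 'any' and $VAR references carry no mask
            try:
                net = ipaddress.ip_network(item, strict=False)
            except ValueError:
                warnings.append(f"{name}: {item} is not a valid network")
                continue
            if str(net) != item:
                warnings.append(f"{name}: {item} has host bits set (network is {net})")
    return warnings

def rules_load_summary(log_line: str) -> tuple[int, int]:
    """Return (loaded, failed) from Suricata's rule-load summary log line."""
    m = LOAD_SUMMARY.search(log_line)
    if not m:
        raise ValueError("no rule load summary in line")
    return int(m.group(1)), int(m.group(2))
```

Run the checker against suricata.yaml before restarting the sensor, and alert on the summary line whenever `failed` is more than a small fraction of `loaded + failed`; in the thread's case 6266 of 6301 rules were never active.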