[Oisf-users] next silly question: error parsing rules
Russell Fulton
r.fulton at auckland.ac.nz
Wed Jul 25 22:10:20 EDT 2012
[rful011 at nevil-res4 suricata-1.3]$ sudo /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml
26/7/2012 -- 14:06:59 - <Info> - Running suricata under test mode
26/7/2012 -- 14:06:59 - <Info> - This is Suricata version 1.3 RELEASE
26/7/2012 -- 14:06:59 - <Info> - CPUs/cores online: 4
26/7/2012 -- 14:06:59 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
26/7/2012 -- 14:06:59 - <Info> - preallocated 1024 packets. Total memory 4302848
26/7/2012 -- 14:06:59 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
26/7/2012 -- 14:06:59 - <Info> - preallocated 1000 hosts of size 112
26/7/2012 -- 14:06:59 - <Info> - host memory usage: 341376 bytes, maximum: 16777216
26/7/2012 -- 14:06:59 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
26/7/2012 -- 14:06:59 - <Info> - preallocated 10000 flows of size 272
26/7/2012 -- 14:06:59 - <Info> - flow memory usage: 6390016 bytes, maximum: 33554432
26/7/2012 -- 14:06:59 - <Info> - using magic-file /usr/share/file/magic
26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:8;)"
These are rules from the PRO ruleset that have been post processed by pulled pork.
Russell
More information about the Oisf-users
mailing list