[Oisf-users] next silly question: error parsing rules
Russell Fulton
r.fulton at auckland.ac.nz
Thu Jul 26 20:33:26 EDT 2012
Fixed original issue with rule parsing — pulledpork was picking up the snort tarball rather than the suricata one. I thought that I must somehow be using the snort rules but it took me a while to figure out what I screwed up.
Now when I run suricata -T I get a warning:
[rful011 at nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml
[sudo] password for rful011:
27/7/2012 -- 12:17:55 - <Info> - Running suricata under test mode
27/7/2012 -- 12:17:55 - <Info> - This is Suricata version 1.3 RELEASE
27/7/2012 -- 12:17:55 - <Info> - CPUs/cores online: 4
27/7/2012 -- 12:17:55 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
27/7/2012 -- 12:17:55 - <Info> - preallocated 1024 packets. Total memory 4302848
27/7/2012 -- 12:17:55 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
27/7/2012 -- 12:17:55 - <Info> - preallocated 1000 hosts of size 112
27/7/2012 -- 12:17:55 - <Info> - host memory usage: 341376 bytes, maximum: 16777216
27/7/2012 -- 12:17:55 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
27/7/2012 -- 12:17:55 - <Info> - preallocated 10000 flows of size 272
27/7/2012 -- 12:17:55 - <Info> - flow memory usage: 6390016 bytes, maximum: 33554432
27/7/2012 -- 12:17:55 - <Info> - using magic-file /usr/share/file/magic
27/7/2012 -- 12:17:57 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/local/suricata/etc/rules/local.rules
No hints as to why nothing was loaded and I can't post the contents since some of the rules there are from sources that forbid sharing.
What things should I look out for when converting rules for suricata?
When I try and run it with -D I get:
[rful011 at nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -D -c /usr/local/suricata/etc/suricata.yaml
27/7/2012 -- 12:18:34 - <Info> - This is Suricata version 1.3 RELEASE
27/7/2012 -- 12:18:34 - <Info> - CPUs/cores online: 4
Suricata 1.3
USAGE: /usr/local/suricata/bin/suricata
-c <path> : path to configuration file
.
.
.
nothing in /var/log/messages or /var/log/suricata/*
Is it just the warning which is stopping suri starting?
Russell
On 26/07/2012, at 2:10 PM, Russell Fulton wrote:
> [rful011 at nevil-res4 suricata-1.3]$ sudo /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml
> 26/7/2012 -- 14:06:59 - <Info> - Running suricata under test mode
> 26/7/2012 -- 14:06:59 - <Info> - This is Suricata version 1.3 RELEASE
> 26/7/2012 -- 14:06:59 - <Info> - CPUs/cores online: 4
> 26/7/2012 -- 14:06:59 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 1024 packets. Total memory 4302848
> 26/7/2012 -- 14:06:59 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 1000 hosts of size 112
> 26/7/2012 -- 14:06:59 - <Info> - host memory usage: 341376 bytes, maximum: 16777216
> 26/7/2012 -- 14:06:59 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 10000 flows of size 272
> 26/7/2012 -- 14:06:59 - <Info> - flow memory usage: 6390016 bytes, maximum: 33554432
> 26/7/2012 -- 14:06:59 - <Info> - using magic-file /usr/share/file/magic
> 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
> 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:8;)"
>
>
> These are rules from the PRO ruleset that have been post processed by pulled pork.
>
> Russell
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
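As an added example (not code from the original post or from the Suricata project), here is a small Python checker for the class of rule Suricata rejected in the quoted message: signatures that combine packet-specific keywords (dsize, flags, ttl) with http_* buffer keywords. The keyword list comes only from the error text above; the function names and the sample rules are my own construction, and the checker deliberately tokenises the option block so that a ';' inside a quoted content string is not treated as an option separator.

```python
# Keywords Suricata 1.3 calls "packet specific" in the error quoted in the post.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}
def parse_options(rule):
    """Split a rule's (...) block into (keyword, value) pairs, honouring quotes."""
    # A ';' inside content:"..." must not end an option; \" escapes a quote.
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("no option block in rule: %r" % rule)
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in rule[start + 1:end]:
        if escaped:
            escaped = False
        elif ch == "\\" and in_quote:
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip()); buf = []
            continue
        buf.append(ch)
    pairs = []
    for opt in opts:
        key, sep, val = opt.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs

def mixed_match_keywords(rule):
    """Return (packet_keywords, http_keywords); both non-empty = rejected rule."""
    keys = [k for k, _ in parse_options(rule)]
    packet = sorted(set(k for k in keys if k in PACKET_KEYWORDS))
    app = sorted(set(k for k in keys if k.startswith("http_")))
    return packet, app

def find_invalid_rules(rules_text):
    """List (sid, packet_kws, http_kws) for every rule mixing both kinds."""
    bad = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        packet, app = mixed_match_keywords(line)
        if packet and app:
            bad.append((dict(parse_options(line)).get("sid", "?"), packet, app))
    return bad

# Constructed sample: the rule rejected in the post (trimmed) plus one that loads.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; sid:2006385; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"loads fine"; flow:established,to_server; content:"a|3b|;b"; http_uri; sid:1000001; rev:1;)
'''
```

Running find_invalid_rules over the text of local.rules lists the sids to look at when -T reports rules refused or not loaded; the test-mode run itself only reports the first failing signature.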