[Oisf-users] next silly question: error parsing rules

Russell Fulton r.fulton at auckland.ac.nz
Fri Jul 27 00:33:26 UTC 2012


Fixed original issue with rule parsing — pulledpork was picking up the snort tarball rather than the suricata one.  I thought that I must somehow be using the snort rules but it took me a while to figure out what I screwed up.

Now when I run suricata -T I get a warning:

[rful011 at nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml
[sudo] password for rful011: 
27/7/2012 -- 12:17:55 - <Info> - Running suricata under test mode
27/7/2012 -- 12:17:55 - <Info> - This is Suricata version 1.3 RELEASE
27/7/2012 -- 12:17:55 - <Info> - CPUs/cores online: 4
27/7/2012 -- 12:17:55 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
27/7/2012 -- 12:17:55 - <Info> - preallocated 1024 packets. Total memory 4302848
27/7/2012 -- 12:17:55 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
27/7/2012 -- 12:17:55 - <Info> - preallocated 1000 hosts of size 112
27/7/2012 -- 12:17:55 - <Info> - host memory usage: 341376 bytes, maximum: 16777216
27/7/2012 -- 12:17:55 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
27/7/2012 -- 12:17:55 - <Info> - preallocated 10000 flows of size 272
27/7/2012 -- 12:17:55 - <Info> - flow memory usage: 6390016 bytes, maximum: 33554432
27/7/2012 -- 12:17:55 - <Info> - using magic-file /usr/share/file/magic
27/7/2012 -- 12:17:57 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /usr/local/suricata/etc/rules/local.rules

No hints as to why nothing was loaded, and I can't post the contents since some of the rules there are from sources that forbid sharing.

What things should I look out for when converting rules for suricata?

When I try to run it with -D I get:

[rful011 at nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -D -c /usr/local/suricata/etc/suricata.yaml
27/7/2012 -- 12:18:34 - <Info> - This is Suricata version 1.3 RELEASE
27/7/2012 -- 12:18:34 - <Info> - CPUs/cores online: 4
Suricata 1.3
USAGE: /usr/local/suricata/bin/suricata

	-c <path>                    : path to configuration file
.
.
.

nothing in /var/log/messages or /var/log/suricata/*

Is it just the warning that is stopping suri from starting?

Russell


On 26/07/2012, at 2:10 PM, Russell Fulton wrote:

> [rful011 at nevil-res4 suricata-1.3]$ sudo /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml
> 26/7/2012 -- 14:06:59 - <Info> - Running suricata under test mode
> 26/7/2012 -- 14:06:59 - <Info> - This is Suricata version 1.3 RELEASE
> 26/7/2012 -- 14:06:59 - <Info> - CPUs/cores online: 4
> 26/7/2012 -- 14:06:59 - <Info> - AutoFP mode using default "Active Packets" flow load balancer
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 1024 packets. Total memory 4302848
> 26/7/2012 -- 14:06:59 - <Info> - allocated 229376 bytes of memory for the host hash... 4096 buckets of size 56
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 1000 hosts of size 112
> 26/7/2012 -- 14:06:59 - <Info> - host memory usage: 341376 bytes, maximum: 16777216
> 26/7/2012 -- 14:06:59 - <Info> - allocated 3670016 bytes of memory for the flow hash... 65536 buckets of size 56
> 26/7/2012 -- 14:06:59 - <Info> - preallocated 10000 flows of size 272
> 26/7/2012 -- 14:06:59 - <Info> - flow memory usage: 6390016 bytes, maximum: 33554432
> 26/7/2012 -- 14:06:59 - <Info> - using magic-file /usr/share/file/magic
> 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
> 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:8;)"
> 
> 
> These are rules from the PRO ruleset that have been post-processed by pulledpork.
> 
> Russell
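
As an added example (not code from this thread or from the Suricata project), a small Python check that scans a rules file for signatures mixing the packet-level keywords named in the error above (dsize, flags, ttl) with http_* app-layer keywords, the combination Suricata 1.3 refuses to load. The keyword lists are an assumption taken from the error text rather than from Suricata's full validation logic, and the sample input is a constructed, shortened copy of the rule quoted in the thread plus a clean rule.

```python
import re

# Keyword families named in the Suricata 1.3 SC_ERR_INVALID_SIGNATURE message.
# Assumption: built from that message's examples, not Suricata's full validation table.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}
APP_LAYER_PREFIXES = ("http_",)
_OPTIONS_RE = re.compile(r"\((.*)\)\s*$")

def rule_options(rule):
    """Return the option keywords of a rule, ignoring values and quoted content."""
    m = _OPTIONS_RE.search(rule.strip())
    if not m:
        return []
    keys = []
    # Split on ';' only when an even number of quotes follows, i.e. outside content strings.
    for opt in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group(1)):
        opt = opt.strip()
        if opt:
            keys.append(opt.split(":", 1)[0].strip())
    return keys

def mixed_match_reason(rule):
    """Return why Suricata 1.3 would reject the rule, or None if it uses one family only."""
    keys = rule_options(rule)
    pkt = sorted({k for k in keys if k in PACKET_KEYWORDS})
    app = sorted({k for k in keys if k.startswith(APP_LAYER_PREFIXES)})
    if pkt and app:
        return f"packet keywords {pkt} combined with app-layer keywords {app}"
    return None

def check_rules(text):
    """Return (line_no, sid, reason) for every active rule that mixes the two families."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reason = mixed_match_reason(line)
        if reason:
            sid = re.search(r"\bsid\s*:\s*(\d+)", line)
            findings.append((n, sid.group(1) if sid else "?", reason))
    return findings

# Constructed sample: a shortened copy of the rule quoted in the thread plus a clean one.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; sid:2006385; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"clean http rule"; flow:established,to_server; content:"POST"; nocase; http_method; sid:9000001; rev:1;)
"""
for line_no, sid, reason in check_rules(SAMPLE_RULES):
    print(f"line {line_no} sid {sid}: {reason}")
```

Running it against the local.rules that produced the warning lists each sid that needs its dsize/flags/ttl test dropped or the http_* keywords replaced before Suricata 1.3 will load it.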