[Oisf-users] next silly question: error parsing rules

Peter Manev petermanev at gmail.com
Fri Jul 27 06:58:48 UTC 2012


On Fri, Jul 27, 2012 at 2:33 AM, Russell Fulton <r.fulton at auckland.ac.nz>wrote:

>
> Fixed original issue with rule parsing — pulledpork was picking up the
> snort tarball rather than the suricata one.  I thought that I must somehow
> be using the snort rules but it took me a while to figure out what I
> screwed up.
>
> Now when I run suricata -T I get a warning:
>
> [rful011 at nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -T -c
> /usr/local/suricata/etc/suricata.yaml
> [sudo] password for rful011:
> 27/7/2012 -- 12:17:55 - <Info> - Running suricata under test mode
> 27/7/2012 -- 12:17:55 - <Info> - This is Suricata version 1.3 RELEASE
> 27/7/2012 -- 12:17:55 - <Info> - CPUs/cores online: 4
> 27/7/2012 -- 12:17:55 - <Info> - AutoFP mode using default "Active
> Packets" flow load balancer
> 27/7/2012 -- 12:17:55 - <Info> - preallocated 1024 packets. Total memory
> 4302848
> 27/7/2012 -- 12:17:55 - <Info> - allocated 229376 bytes of memory for the
> host hash... 4096 buckets of size 56
> 27/7/2012 -- 12:17:55 - <Info> - preallocated 1000 hosts of size 112
> 27/7/2012 -- 12:17:55 - <Info> - host memory usage: 341376 bytes, maximum:
> 16777216
> 27/7/2012 -- 12:17:55 - <Info> - allocated 3670016 bytes of memory for the
> flow hash... 65536 buckets of size 56
> 27/7/2012 -- 12:17:55 - <Info> - preallocated 10000 flows of size 272
> 27/7/2012 -- 12:17:55 - <Info> - flow memory usage: 6390016 bytes,
> maximum: 33554432
> 27/7/2012 -- 12:17:55 - <Info> - using magic-file /usr/share/file/magic
> 27/7/2012 -- 12:17:57 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No
> rules loaded from /usr/local/suricata/etc/rules/local.rules
>
1. Does this file exist in that directory?
2. Is it empty?

>
> No hints as to why nothing was loaded, and I can't post the contents
> since some of the rules there are from sources that forbid sharing.
>
> What things should I look out for when converting rules for suricata?
>
> When I try to run it with -D I get:
>
> [rful011 at nevil-res4 ~]$ sudo /usr/local/suricata/bin/suricata -D -c
> /usr/local/suricata/etc/suricata.yaml
>

Here you are missing the interface:
sudo /usr/local/suricata/bin/suricata -D -c
/usr/local/suricata/etc/suricata.yaml *-i eth0*



> 27/7/2012 -- 12:18:34 - <Info> - This is Suricata version 1.3 RELEASE
> 27/7/2012 -- 12:18:34 - <Info> - CPUs/cores online: 4
> Suricata 1.3
> USAGE: /usr/local/suricata/bin/suricata
>
>         -c <path>                    : path to configuration file
> .
> .
> .
>
> nothing in /var/log/messages or /var/log/suricata/*
>
> Is it just the warning which is stopping suri starting?
>
> Russell
>
>
> On 26/07/2012, at 2:10 PM, Russell Fulton wrote:
>
> > [rful011 at nevil-res4 suricata-1.3]$ sudo
> /usr/local/suricata/bin/suricata -T -c /usr/local/suricata/etc/suricata.yaml
> > 26/7/2012 -- 14:06:59 - <Info> - Running suricata under test mode
> > 26/7/2012 -- 14:06:59 - <Info> - This is Suricata version 1.3 RELEASE
> > 26/7/2012 -- 14:06:59 - <Info> - CPUs/cores online: 4
> > 26/7/2012 -- 14:06:59 - <Info> - AutoFP mode using default "Active
> Packets" flow load balancer
> > 26/7/2012 -- 14:06:59 - <Info> - preallocated 1024 packets. Total memory
> 4302848
> > 26/7/2012 -- 14:06:59 - <Info> - allocated 229376 bytes of memory for
> the host hash... 4096 buckets of size 56
> > 26/7/2012 -- 14:06:59 - <Info> - preallocated 1000 hosts of size 112
> > 26/7/2012 -- 14:06:59 - <Info> - host memory usage: 341376 bytes,
> maximum: 16777216
> > 26/7/2012 -- 14:06:59 - <Info> - allocated 3670016 bytes of memory for
> the flow hash... 65536 buckets of size 56
> > 26/7/2012 -- 14:06:59 - <Info> - preallocated 10000 flows of size 272
> > 26/7/2012 -- 14:06:59 - <Info> - flow memory usage: 6390016 bytes,
> maximum: 33554432
> > 26/7/2012 -- 14:06:59 - <Info> - using magic-file /usr/share/file/magic
> > 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
> (like dsize, flags, ttl) with stream / state matching by matching on app
> layer proto (like using http_* keywords).
> > 26/7/2012 -- 14:06:59 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert tcp
> $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch
> posting data"; flow:established,to_server; dsize:>400; content:"POST";
> nocase; http_method; content:"a="; http_client_body; nocase; content:"&b=";
> http_client_body; nocase; content:"&d="; http_client_body; nocase;
> content:".bin&"; fast_pattern; http_client_body; nocase; content:"u=";
> http_client_body; nocase; content:"&c="; nocase; http_client_body;
> reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity;
> sid:2006385; rev:8;)"
> >
> >
> > These are rules from the PRO ruleset that have been post-processed by
> pulledpork.
> >
> > Russell
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>



-- 
Regards,
Peter Manev
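The two loader complaints in this thread, "No rules loaded" and "Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching", are easy to reproduce outside Suricata when you cannot share the rules file. The script below is an added example, not code from the thread or from the Suricata project: it tokenises each rule's option block, flags rules that mix the packet-level keywords named in the error text (dsize, flags, ttl; an assumption is that this subset is what matters here, not Suricata's full list) with any http_* keyword, and reports a file that yields no enabled rules. The only rule taken from the thread is sid 2006385; the other sample rules are constructed. The drop_packet_keywords helper is one possible conversion and is my assumption, not advice from the thread; removing dsize loosens the match, so review the result before loading it.

```python
"""Lint a Suricata rules file for the two loader complaints seen above:
SC_ERR_NO_RULES (a file yields no rules) and SC_ERR_INVALID_SIGNATURE
(a rule mixes packet-level keywords with http_* app-layer keywords)."""
import re

# Packet-specific keywords named in Suricata 1.3's error text above.
# Assumption: this is the subset quoted there, not Suricata's full list.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}

# One rule option: keyword[:value]; where value is either a quoted string
# (escaped quotes allowed) or bare text up to the next ';'.
_OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# The rule from the thread (sid 2006385) plus constructed sample rules.
LDPINCH_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN '
    'PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; '
    'content:"POST"; nocase; http_method; content:"a="; http_client_body; '
    'nocase; content:"&b="; http_client_body; nocase; content:"&d="; '
    'http_client_body; nocase; content:".bin&"; fast_pattern; '
    'http_client_body; nocase; content:"u="; http_client_body; nocase; '
    'content:"&c="; nocase; http_client_body; '
    'reference:url,doc.emergingthreats.net/2006385; '
    'classtype:trojan-activity; sid:2006385; rev:8;)'
)
SAMPLE_RULES = "\n".join([
    "# constructed sample rules file",
    LDPINCH_RULE,
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE http '
    'only"; flow:established,to_server; content:"POST"; http_method; '
    'sid:9000001; rev:1;)',
    'alert tcp any any -> any any (msg:"EXAMPLE packet only"; dsize:>400; '
    'sid:9000002; rev:1;)',
    '# alert tcp any any -> any any (msg:"EXAMPLE disabled"; sid:9000003; rev:1;)',
])


def parse_rule(line):
    """Return (header, [(keyword, value), ...]) or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option block: %r" % line)
    header, body = line[:start].strip(), line[start + 1:end].strip()
    options, pos = [], 0
    while pos < len(body):
        m = _OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("cannot parse options near %r" % body[pos:pos + 40])
        options.append((m.group(1), m.group(2)))  # value is None if absent
        pos = m.end()
    return header, options


def check_signature(options):
    """Return the problems Suricata 1.3 would report for one rule's options."""
    keywords = [k for k, _ in options]
    packet = sorted(PACKET_KEYWORDS.intersection(keywords))
    app_layer = sorted({k for k in keywords if k.startswith("http_")})
    problems = []
    if packet and app_layer:
        problems.append("mixes packet keywords %s with app-layer keywords %s"
                        % (", ".join(packet), ", ".join(app_layer)))
    if "sid" not in keywords:
        problems.append("missing sid")
    return problems


def sid_of(options):
    """Integer sid of a parsed rule, or None if it has no sid option."""
    for k, v in options:
        if k == "sid":
            return int(v)
    return None


def lint_rules(text):
    """Lint a whole rules file; returns counts and per-sid problems."""
    report = {"loaded": 0, "disabled": 0, "invalid": {}}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") and "(" in stripped:
            report["disabled"] += 1  # a commented-out rule, not a remark
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        header, options = parsed
        problems = check_signature(options)
        if problems:
            report["invalid"][sid_of(options) or header] = problems
        else:
            report["loaded"] += 1
    if report["loaded"] == 0:
        report["warning"] = "SC_ERR_NO_RULES: no rules loaded"
    return report


def drop_packet_keywords(line):
    """One possible conversion (an assumption, not from the thread): remove the
    packet-specific options so the rule no longer mixes match types. This
    loosens the rule (the dsize constraint is gone), so review before use."""
    parsed = parse_rule(line)
    if parsed is None:
        return line
    header, options = parsed
    kept = ["%s:%s;" % (k, v) if v is not None else "%s;" % k
            for k, v in options if k not in PACKET_KEYWORDS]
    return "%s (%s)" % (header, " ".join(kept))


if __name__ == "__main__":
    print(lint_rules(SAMPLE_RULES))
    print(drop_packet_keywords(LDPINCH_RULE))
```

Run it against a pulledpork output file (`lint_rules(open(path).read())`) and the report tells you which sids would trip SC_ERR_INVALID_SIGNATURE and whether the file has any enabled rule at all, which is what an empty or comment-only local.rules looks like to the loader.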

