[Oisf-users] Errors from 3 ET Rules

Victor Julien lists at inliniac.net
Wed Aug 20 21:10:56 UTC 2014


On 08/20/2014 11:08 PM, Russell Fulton wrote:
> So far as I can tell, the pulled pork has not fiddled with these, so I am puzzled as to why they are generating errors:
> 
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options 
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:trojan-activity; sid:2018451; rev:3;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5286 
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options 
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:3;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5293 
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two preceding content or uricontent options 
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:trojan-activity; sid:2018595; rev:4;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5419 
> 
> Rules pulled from:
> 
> http://rules.emergingthreatspro.com/xxxxxxxxxxx/suricata/etpro.rules.tar.gz

Replacing suricata with suricata-2.0 should get you the best ruleset.

> PS I *really* appreciate that suri skips rules with errors and logs the whole rule!

Great. Btw, --init-errors-fatal makes each rule error fatal.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
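As an added example (not code from this thread, from Suricata or from Emerging Threats), a small Python check that models the condition behind the quoted error: a within or distance on a content that has no earlier content in the same buffer. It uses a simplified model of 2.0-era option semantics (http_* modifiers, a few sticky buffers); the first two rules are taken from the quoted error messages with msg/pcre trimmed, the third is constructed to show the passing case.

```python
import re

# Simplified Suricata 2.0 option model: modifier keywords move the preceding content
# into an HTTP buffer, sticky buffers apply to all following contents.
MODIFIERS = {"http_header", "http_raw_header", "http_uri", "http_raw_uri", "http_cookie",
             "http_client_body", "http_method", "http_user_agent", "http_host", "http_stat_code"}
STICKY = {"file_data", "http_request_line", "http_response_line"}

def split_options(rule):
    """Split the option list on ';' outside double quotes (content/pcre values)."""
    body, opts, cur, quoted = rule[rule.index("(") + 1:rule.rindex(")")], [], "", False
    for ch in body:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            opts.append(cur.strip()); cur = ""
        else:
            cur += ch
    return opts + ([cur.strip()] if cur.strip() else [])

def check_relative_contents(rule):
    """One message per content whose within/distance has no earlier content in its buffer."""
    groups, buf = [], "payload"
    for opt in split_options(rule):
        key = opt.split(":", 1)[0]
        if key in STICKY:
            buf = key
        elif key == "content":
            groups.append({"content": opt[:45], "buffer": buf, "relative": set()})
        elif groups and key in MODIFIERS:
            groups[-1]["buffer"] = key
        elif groups and key in ("within", "distance"):
            groups[-1]["relative"].add(key)
    return ["%s on %s: no preceding content in buffer %s"
            % ("/".join(sorted(g["relative"])), g["content"], g["buffer"])
            for i, g in enumerate(groups)
            if g["relative"] and not any(p["buffer"] == g["buffer"] for p in groups[:i])]

def lint_rules(rules):  # sid -> problems for every rule Suricata would refuse to load
    return {re.search(r"\bsid:(\d+)", r).group(1): p
            for r in rules if (p := check_relative_contents(r))}

# Two rules from the posted error messages (options trimmed) plus one constructed valid rule.
RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014"; '
    'flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; '
    'content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a|"; within:27; fast_pattern; sid:2018451; rev:3;)',
    'alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SUSPICIOUS Possible WebShell Login Form (Outbound)"; '
    'flow:established,from_server; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass>"; within:120; isdataat:!2,relative; sid:2018459; rev:3;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed valid rule"; content:"Vary|3a 20|"; http_header; '
    'content:"X-Powered-By|3a 20|PHP"; http_header; within:60; sid:1000001; rev:1;)',
]
```

Running `lint_rules` over a freshly downloaded ruleset before restarting the sensor gives the same list of sids that Suricata would log and skip at startup.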
