[Oisf-users] Errors from 3 ET Rules

Will Metcalf william.metcalf at gmail.com
Wed Aug 20 21:11:55 UTC 2014


Guessing you are probably grabbing the wrong version of the rules. Should
be something like..

http://rules.emergingthreatspro.com/xxxxxxxxxxx/suricata-2.0/etpro.rules.tar.gz


Regards,

Will

On Wed, Aug 20, 2014 at 4:08 PM, Russell Fulton <r.fulton at auckland.ac.nz>
wrote:

> So far as I can tell the pulled pork has not fiddled with these so I am puzzled
> as to why they are generating errors:
>
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> -
> [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two
> preceding content or uricontent options
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> -
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert
> http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY
> Nuclear EK Landing May 05 2014"; flow:from_server,established; content:"|0d
> 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d
> 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb bf 3c 68 74 6d 6c
> 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27;
> fast_pattern;
> pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var
> [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R";
> classtype:trojan-activity; sid:2018451; rev:3;)" from file
> /home/sensors/dmzo/Rules/snort.rules at line 5286
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> -
> [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two
> preceding content or uricontent options
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> -
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert
> http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SUSPICIOUS
> Possible WebShell Login Form (Outbound)"; flow:established,from_server;
> content:"<pre align=center><form method=post>Password|3a| <input
> type=password name=pass><input type=submit value=|27|>>|27|></form></pre>";
> within:120; isdataat:!2,relative; reference:url,
> blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html;
> classtype:trojan-activity; sid:2018459; rev:3;)" from file
> /home/sensors/dmzo/Rules/snort.rules at line 5293
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> -
> [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(104)] - within needs two
> preceding content or uricontent options
> Aug 21 08:45:04 secmonprd01 suricata: 21/8/2014 -- 08:45:04 - <Error> -
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert
> http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY
> Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d
> 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d
> 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb bf|<html>|0d
> 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern;
> pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R";
> classtype:trojan-activity; sid:2018595; rev:4;)" from file
> /home/sensors/dmzo/Rules/snort.rules at line 5419
>
> Rules pulled from:
>
> http://rules.emergingthreatspro.com/xxxxxxxxxxx/suricata/etpro.rules.tar.gz
>
> Russell
>
> PS I *really* appreciate that suri skips rules with errors and logs the
> whole rule!
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
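Added example, not code from the thread or from Suricata: a small Python linter that models the check behind SC_ERR_DISTANCE_MISSING_CONTENT as a per-buffer rule (within/distance must follow an earlier content in the same buffer, which is why sid 2018451 is rejected even though three contents precede its within:27), run over that quoted rule and a constructed rule that passes. The modifier list and the per-buffer model are assumptions; the parser of the Suricata version actually in use is the authority for any given rule set.

```python
# Assumption: a subset of Suricata content modifiers that move the preceding
# content into its own buffer; enough for the ET rules quoted in the thread.
BUFFER_MODIFIERS = {"http_header", "http_raw_header", "http_uri", "http_raw_uri",
                    "http_client_body", "http_server_body", "http_cookie", "http_method"}
RELATIVE_MODIFIERS = {"within", "distance"}

def split_options(rule):
    """(keyword, value) pairs of the option block; ';' inside quotes is not a separator."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if quoted and c == "\\" and i + 1 < len(body):   # keep \" and \x22 pairs intact
            cur.append(body[i:i + 2]); i += 2; continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:
            kw, _, val = "".join(cur).strip().partition(":")
            if kw: opts.append((kw.strip(), val.strip()))
            cur = []
        else:
            cur.append(c)
        i += 1
    return opts

def lint_relative_modifiers(rule):
    """Model SC_ERR_DISTANCE_MISSING_CONTENT: within/distance needs an earlier content in its buffer."""
    contents = []                                    # [buffer, relative_kw, value]
    for kw, val in split_options(rule):
        if kw in ("content", "uricontent"):
            contents.append(["http_uri" if kw == "uricontent" else "payload", None, val])
        elif kw in BUFFER_MODIFIERS and contents:
            contents[-1][0] = kw                     # modifier re-homes preceding content
        elif kw in RELATIVE_MODIFIERS and contents:
            contents[-1][1] = kw
    seen, findings = set(), []
    for buf, rel, val in contents:
        if rel and buf not in seen:
            findings.append(f"{rel} on first content in {buf} buffer: {val[:40]}")
        seen.add(buf)
    return findings

# sid 2018451 as quoted in the thread (log line-wraps joined); RULE_OK is constructed.
RULE_2018451 = (r'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK '
    r'Landing May 05 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,'
    r'User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; content:"|ef bb '
    r'bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; '
    r'fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n)'
    r'{0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; '
    r'classtype:trojan-activity; sid:2018451; rev:3;)')
RULE_OK = ('alert http any any -> any any (msg:"constructed ok"; content:"<html>"; '
           'content:"<body"; distance:0; within:40; sid:1; rev:1;)')
```

Running `lint_relative_modifiers(RULE_2018451)` reports the within:27 on the first payload-buffer content, while `RULE_OK` returns no findings.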