[Oisf-users] Suricata fails to load snort (2970) rules

altang78 at gogo.mn altang78 at gogo.mn
Fri Dec 19 05:11:53 UTC 2014



Hi all, 

I'm a complete newbie to Suricata. I'm trying to experiment with
Suricata using the VRT Snort rule set, with Oinkmaster for rule management.
Snort rules v2970 were downloaded and extracted by Oinkmaster. I've
also downloaded the classification and reference.conf files from Snort.org. When
I try to start Suricata with the command: suricata -c suricata.yaml -i eth0
it displays a lot of error messages while parsing the rules, like the following:


====================================================================================================================


19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session cookie denial of service"; flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-2012; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079; classtype:attempted-user; sid:30209; rev:3;)" from file /etc/suricata/rules/server-webapp.rules at line 1563

19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unknown byte_extract var seen in within - exifLen

19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt"; flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body; content:"|FF E1|"; distance:0; http_client_body; byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|"; within:exifLen; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/; classtype:attempted-admin; sid:30249; rev:1;)" from file /etc/suricata/rules/server-webapp.rules at line 1566

19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "FILE_DATA_PORTS" is not defined in configuration file

19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client, established; file_data; content:"root:x:0:0:root:/root:/"; fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop, policy security-ips drop, service ft
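Added example, not part of the original post: a small Python pre-flight linter that reproduces the three kinds of parse failure quoted above (a relative keyword anchored to a fast_pattern:only content, a byte_extract variable used in within, and an address variable missing from suricata.yaml), so a Snort rule set can be checked before Suricata is restarted. The sample rules are abridged from the ones quoted above (the third is reconstructed, since the post truncates it), and the variable set and the anchoring heuristic for relative keywords are assumptions.

```python
import re

# Snort http_* content modifiers (sticky buffers such as file_data are not modelled here).
BUFFER_MODS = {"http_header", "http_cookie", "http_client_body", "http_uri",
               "http_raw_uri", "http_method", "http_user_agent"}
RELATIVE = {"within", "distance"}
OPT_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?\s*;')

def parse_options(rule):
    # (keyword, value) pairs from the "( ... )" body; quoted values may contain ';'.
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(k, v.strip()) for k, v in OPT_RE.findall(body)]

def lint(rule, defined_vars):
    # Return the reasons a Suricata 2.0-era parser would reject this Snort rule.
    issues = []
    for var in sorted(set(re.findall(r"\$(\w+)", rule[:rule.index("(")]))):
        if var not in defined_vars:
            issues.append(f"undefined variable ${var}")
    extracted, contents = set(), []   # byte_extract names seen; per-content state
    for key, val in parse_options(rule):
        if key == "content":
            contents.append({"fp_only": False, "buf": None})
        elif key == "byte_extract":
            extracted.add(val.split(",")[2].strip())
        elif key == "fast_pattern" and val == "only" and contents:
            contents[-1]["fp_only"] = True
        elif key in BUFFER_MODS and contents:
            contents[-1]["buf"] = key
        elif key in RELATIVE and contents:
            if val in extracted:
                issues.append(f"byte_extract var {val} used in {key}")
            # Heuristic (assumption): the anchor is the previous content in the buffer the
            # current content occupies *now*, i.e. payload if its http_* modifier comes later.
            prev = [c for c in contents[:-1] if c["buf"] == contents[-1]["buf"]]
            if prev and prev[-1]["fp_only"]:
                issues.append(f"{key} relative to a fast_pattern:only content")
    return issues

# Constructed sample input: the failing rules from the post, abridged to their detection
# options (the third rule is reconstructed), plus the address variables assumed defined.
DEFINED = {"HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "HTTP_PORTS"}
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session cookie denial of service"; flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie; sid:30209; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt"; flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body; content:"|FF E1|"; distance:0; http_client_body; byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|"; within:exifLen; http_client_body; sid:30249; rev:1;)',
    'alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client,established; file_data; content:"root:x:0:0:root:/root:/"; fast_pattern:only; content:!"html"; sid:1000001; rev:1;)',
]
if __name__ == "__main__":
    for rule in RULES:
        print("sid", rule.split("sid:")[1].split(";")[0], "->", lint(rule, DEFINED) or "ok")
```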