[Oisf-users] Lot of errors with latest rule updates

Victor Julien lists at inliniac.net
Tue Dec 16 09:05:05 UTC 2014


On 12/16/2014 09:59 AM, C. L. Martinez wrote:
> Hi all,
> 
>  After upgrading to suricata 2.0.5 from 2.0.4, suricata returns a lot
> of errors like these:
> 
> 16/12/2014 -- 08:56:57 - <Error> - [ERRCODE:
> SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ftp" cannot be used in a
> signature.  Either detection for this protocol supported yet OR
> detection has been disabled for protocol through the yaml option
> app-layer.protocols.ftp.detection-enabled
> 16/12/2014 -- 08:56:57 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ftp
> $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ftpchk3.php
> possible upload success"; flow:to_client,established; content:"|0d
> 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase;
> reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html;
> reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf;
> classtype:attempted-admin; sid:2018417; rev:3;)" from file
> /data/config/etc/idpsuricata01/rules/ET-emerging-trojan.rules at line
> 2494
> 
> 

Is your ftp parser disabled?

app-layer:
  protocols:
    ftp:
      enabled: yes

>  With 2.0.4 release, these rules work ok. Any idea how to fix these problems?

Previously we didn't properly detect all errors:
https://redmine.openinfosecfoundation.org/issues/1329

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
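A small checker that applies Victor's question to a whole ruleset, as an added example that is not part of this thread or of Suricata itself: it reads the app-layer.protocols subtree of a suricata.yaml with a minimal hand-rolled reader (no PyYAML), treats a protocol as unusable when its parser is off (enabled: no) or its detection is off (detection-enabled: no, the key named in the error), and lists the rules that 2.0.5 would reject with SC_ERR_UNKNOWN_PROTOCOL. The yaml and rules below are constructed, the sids are placeholders, and "a missing key means yes" is an assumption.

```python
import re

# Constructed app-layer section of a suricata.yaml (not the list's config): ftp
# detection and the smtp parser are switched off on purpose so there is something to report.
SAMPLE_YAML = """\
app-layer:
  protocols:
    ftp:
      enabled: yes
      detection-enabled: no
    smtp:
      enabled: no
"""
# Constructed rules modelled on the ET rule quoted above (sids are placeholders).
SAMPLE_RULES = """\
alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE ftp rule"; flow:to_client,established; content:"|0d 0a|150 "; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE http rule"; sid:9000002; rev:1;)
alert smtp $HOME_NET any -> any any (msg:"EXAMPLE smtp rule"; sid:9000003; rev:1;)
"""
RULE_RE = re.compile(r"^\s*(?:alert|drop|pass|reject)\s+(\S+)\s", re.IGNORECASE)
SID_RE = re.compile(r"sid:\s*(\d+)")

def parse_app_layer_protocols(yaml_text):
    """Read app-layer.protocols.<proto>.<key>; assumes two-space indentation and scalar values."""
    protos, path = {}, []
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        depth = (len(raw) - len(raw.lstrip())) // 2
        key, _, value = raw.strip().partition(":")
        path = path[:depth] + [key]  # key path from the root down to this line
        if path[:2] == ["app-layer", "protocols"] and len(path) == 4:
            protos.setdefault(path[2], {})[path[3]] = value.strip()
    return protos

def disabled_protocols(protos):
    """Protocols a signature cannot use: enabled: no or detection-enabled: no (missing key = yes, assumption)."""
    return {p for p, kv in protos.items()
            if kv.get("enabled", "yes") == "no" or kv.get("detection-enabled", "yes") == "no"}

def find_unusable_rules(yaml_text, rules_text):
    """[(line_no, proto, sid)] for rules whose app-layer protocol is disabled (what 2.0.5 now rejects)."""
    off = disabled_protocols(parse_app_layer_protocols(yaml_text))
    hits = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m and m.group(1).lower() in off:
            sid = SID_RE.search(line)
            hits.append((n, m.group(1).lower(), int(sid.group(1)) if sid else None))
    return hits
```

Run find_unusable_rules against the real suricata.yaml and rule files to get the list of offending sids before upgrading, rather than discovering them from the error log afterwards.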