[Oisf-users] Lot of errors with latest rule updates

C. L. Martinez carlopmart at gmail.com
Tue Dec 16 09:29:19 UTC 2014


Yes, it is enabled ... Uhmm. Let me see if I have configured something
with pulledpork wrong ...

On Tue, Dec 16, 2014 at 9:05 AM, Victor Julien <lists at inliniac.net> wrote:
> On 12/16/2014 09:59 AM, C. L. Martinez wrote:
>> Hi all,
>>
>>  After upgrading to suricata 2.0.5 from 2.0.4, suricata returns a lot
>> of errors like these:
>>
>> 16/12/2014 -- 08:56:57 - <Error> - [ERRCODE:
>> SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ftp" cannot be used in a
>> signature.  Either detection for this protocol supported yet OR
>> detection has been disabled for protocol through the yaml option
>> app-layer.protocols.ftp.detection-enabled
>> 16/12/2014 -- 08:56:57 - <Error> - [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ftp
>> $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ftpchk3.php
>> possible upload success"; flow:to_client,established; content:"|0d
>> 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase;
>> reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html;
>> reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf;
>> classtype:attempted-admin; sid:2018417; rev:3;)" from file
>> /data/config/etc/idpsuricata01/rules/ET-emerging-trojan.rules at line
>> 2494
>>
>>
>
> Is your ftp parser disabled?
>
> app-layer:
>   protocols:
>     ftp:
>       enabled: yes
>
>>  With 2.0.4 release, these rules work ok. Any idea how to fix these problems?
>
> Previously we didn't properly detect all errors:
> https://redmine.openinfosecfoundation.org/issues/1329
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
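
One way to cross-check a ruleset against the `app-layer.protocols` settings before a reload, as an added example that is not part of the original thread or of Suricata itself. The function names, the sample config and the sample rules are constructed for illustration, and it assumes a protocol counts as disabled only when its `enabled` value is `no`.

```python
import re

# Constructed sample config and rules (not taken from the sensor in the thread).
SAMPLE_YAML = """\
app-layer:
  protocols:
    ftp:
      enabled: no
    http:
      enabled: yes
    smb:
      enabled: detection-only
"""
SAMPLE_RULES = """\
# alert ftp any any -> any any (msg:"commented out"; sid:1000000; rev:1;)
alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed ftp rule"; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed http rule"; sid:1000002; rev:1;)
alert tcp any any -> any 21 (msg:"constructed tcp rule"; sid:1000003; rev:1;)
"""
RULE_RE = re.compile(r"^\s*(alert|drop|pass|reject)\s+(\S+)\s.*?\bsid\s*:\s*(\d+)", re.I)

def disabled_protocols(yaml_text):
    """Return app-layer protocols whose 'enabled' value is 'no' (assumption)."""
    path, disabled = [], set()          # path is a stack of (indent, key)
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while path and path[-1][0] >= indent:   # leave deeper or sibling nodes
            path.pop()
        keys = [k for _, k in path]
        if key == "enabled" and len(keys) == 3 and keys[:2] == ["app-layer", "protocols"]:
            if value.lower() == "no":
                disabled.add(keys[2])
        path.append((indent, key))
    return disabled

def rejected_rules(rules_text, disabled):
    """Return (line_no, protocol, sid) for active rules using a disabled protocol."""
    hits = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line)         # commented-out rules do not match
        if m and m.group(2).lower() in disabled:
            hits.append((n, m.group(2).lower(), int(m.group(3))))
    return hits

if __name__ == "__main__":
    print(rejected_rules(SAMPLE_RULES, disabled_protocols(SAMPLE_YAML)))
```
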


