[Oisf-users] Suricata fails to load snort (2970) rules

Andreas Herz andi at geekosphere.org
Fri Dec 19 08:03:26 UTC 2014


On 19/12/14 at 13:11, altang78 at gogo.mn wrote:
> Hi all, 
> 
> I'm a newbie to Suricata. I'm trying to experiment with
> Suricata using the VRT Snort rule set and Oinkmaster for rule management.
> Snort rules v.2970 were downloaded and extracted by Oinkmaster. I've
> downloaded the classification and reference.conf files from Snort.org also. When
> I try to start suricata with the command: suricata -c suricata.yaml -i eth0
> it displays a lot of error messages on parsing the rules, like the following:

You might wanna download the Suricata ruleset instead of the Snort
rulesets.

As you can see here for example:

https://rules.emergingthreats.net/open/

There are different rulesets.

> 
> ====================================================================================================================
> 
> 
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> previous keyword has a fast_pattern:only; set. Can't have relative keywords
> around a fast_pattern only content 
> 
> 19/12/2014 -- 12:50:00 - - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
> $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft
> Forefront Unified Access Gateway null session cookie denial of service";
> flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only;
> content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie;
> content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:cve,2011-2012;
> reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079;
> classtype:attempted-user; sid:30209; rev:3;)" from file
> /etc/suricata/rules/server-webapp.rules at line 1563 
> 
> 19/12/2014 --
> 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unknown byte_extract
> var seen in within - exifLen 
> 
> 19/12/2014 -- 12:50:00 - - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
> $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Embedded
> php in Exif data upload attempt"; flow:to_server,established; content:"|FF
> D8 FF E0|"; http_client_body; content:"|FF E1|"; distance:0;
> http_client_body; byte_extract:2,0,exifLen,relative;
> content:"eval|28|base64_decode|28|"; within:exifLen; http_client_body;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:url,www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/;
> classtype:attempted-admin; sid:30249; rev:1;)" from file
> /etc/suricata/rules/server-webapp.rules at line 1566 
> 
> 19/12/2014 --
> 12:50:00 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable
> "FILE_DATA_PORTS" is not defined in configuration file 
> 
> 19/12/2014 --
> 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing
> signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any
> (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client,
> established; file_data; content:"root:x:0:0:root:/root:/";
> fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop,
> policy security-ips drop, service ft



-- 
Andreas Herz
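
Added example, not part of either message above: a Python triage of startup errors in the format quoted in the post, pairing each rejected rule with the reason logged just before it and collecting undefined rule variables. The sample log is constructed from the quoted lines (signatures shortened; sid 9000001 and line 1570 are placeholders), and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the post; signatures are
# shortened and sid 9000001 / line 1570 are placeholders, not real values.
SAMPLE_LOG = """\
19/12/2014 -- 12:50:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
19/12/2014 -- 12:50:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"A"; content:"x"; fast_pattern:only; content:"y"; within:50; sid:30209; rev:3;)" from file /etc/suricata/rules/server-webapp.rules at line 1563
19/12/2014 --
12:50:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unknown byte_extract var seen in within - exifLen
19/12/2014 -- 12:50:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"B"; byte_extract:2,0,exifLen,relative; content:"z"; within:exifLen; sid:30249; rev:1;)" from file /etc/suricata/rules/server-webapp.rules at line 1566
19/12/2014 -- 12:50:00 - <Error> - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "FILE_DATA_PORTS" is not defined in configuration file
19/12/2014 -- 12:50:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"C"; file_data; content:"root"; sid:9000001; rev:1;)" from file /etc/suricata/rules/server-webapp.rules at line 1570
"""

# The log-level field is optional so lines shaped like "- - [ERRCODE" also match.
RECORD = re.compile(
    r"\d{1,2}/\d{1,2}/\d{4} -- [\d:]{8} - (?:\S+ )?- "
    r"\[ERRCODE: (\w+)\(\d+\)\] - (.*?)(?= \d{1,2}/\d{1,2}/\d{4} -- |$)")

def triage(log_text):
    """Pair each rejected signature with the reason logged just before it."""
    flat = " ".join(log_text.split())      # undo mail/terminal line wrapping
    failed, undefined, reason = [], set(), None
    for code, msg in RECORD.findall(flat):
        if not msg.startswith("error parsing signature"):
            reason = (code, msg)           # detail line precedes the signature
            undefined.update(re.findall(r'^Variable "(\w+)" is not defined', msg))
            continue
        sid = re.search(r"\bsid:\s*(\d+)\s*;", msg)   # absent if record is cut off
        loc = re.search(r"from file (\S+) at line (\d+)$", msg)
        failed.append({
            "sid": int(sid.group(1)) if sid else None,
            "file": loc.group(1) if loc else None,
            "line": int(loc.group(2)) if loc else None,
            "code": reason[0] if reason else code,
            "reason": reason[1] if reason else "unknown",
        })
        reason = None
    return {"failed": failed,
            "undefined_vars": sorted(undefined),
            "by_code": Counter(f["code"] for f in failed)}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for f in report["failed"]:
        print(f'sid {f["sid"]} ({f["file"]}:{f["line"]}): {f["reason"]}')
    print("undefined rule variables:", report["undefined_vars"])
```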


