[Oisf-users] Suricata fails to load snort (2970) rules

Jay M. jskier at gmail.com
Fri Dec 19 15:39:03 UTC 2014


Have you defined all vars?

Also, Suricata will still start, sans the rules it couldn't read. Plus one
on using ET ruleset over VRT.

--
Jeremy
jskier at gmail.com
On Dec 18, 2014 11:18 PM, <altang78 at gogo.mn> wrote:

> Hi all,
>
> I'm a complete newbie to Suricata. I'm trying to experiment with Suricata
> using the VRT Snort rule set and Oinkmaster for rule management. Snort rules
> v.2970 were downloaded and extracted by Oinkmaster. I've also downloaded the
> classification and reference.conf files from Snort.org. When I try to
> start suricata with the command: suricata -c suricata.yaml -i eth0 it
> displays a lot of error messages on parsing the rules, like the following:
>
>
> ====================================================================================================================
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> previous keyword has a fast_pattern:only; set. Can't have relative keywords
> around a fast_pattern only content
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session
> cookie denial of service"; flow:to_server,established; content:"|3D
> 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header;
> content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50;
> distance:1; http_cookie; metadata:policy balanced-ips drop, policy
> security-ips drop, service http; reference:cve,2011-2012; reference:url,
> technet.microsoft.com/en-us/security/bulletin/ms11-079;
> classtype:attempted-user; sid:30209; rev:3;)" from file
> /etc/suricata/rules/server-webapp.rules at line 1563
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> unknown byte_extract var seen in within - exifLen
>
>
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt";
> flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body;
> content:"|FF E1|"; distance:0; http_client_body;
> byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|";
> within:exifLen; http_client_body; metadata:policy balanced-ips drop, policy
> security-ips drop, service http; reference:url,
> www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/;
> classtype:attempted-admin; sid:30249; rev:1;)" from file
> /etc/suricata/rules/server-webapp.rules at line 1566
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable
> "FILE_DATA_PORTS" is not defined in configuration file
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET
> any (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client,
> established; file_data; content:"root:x:0:0:root:/root:/";
> fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop,
> policy security-ips drop, service ft
>
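The first thing Jeremy asks is whether all the variables the rules reference are defined in suricata.yaml, and the SC_ERR_UNDEFINED_VAR line in the quoted output ("FILE_DATA_PORTS" is not defined) is exactly that class of problem. The script below is an added example, not code from the thread or from the Suricata project: it reads the vars section of a suricata.yaml (the sample here is a constructed fragment that assumes the stock address-groups / port-groups layout) and a rules file (constructed from the headers in the post), and lists every $VAR a rule header uses that the config does not define, before Suricata is ever restarted.

```python
import re
from typing import Dict, List, Set

# Constructed fragment of a suricata.yaml "vars" section. Assumption: it
# mirrors the stock layout (vars: -> address-groups: / port-groups: -> NAME:).
# FILE_DATA_PORTS is deliberately absent, reproducing the post's
# SC_ERR_UNDEFINED_VAR error.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
"""

# Constructed rules file: a comment, a rule whose header only uses defined
# vars, the $FILE_DATA_PORTS header from the post, and a header with a typo.
SAMPLE_RULES = """\
# comment line, ignored
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ok"; sid:1; rev:1;)
alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"needs FILE_DATA_PORTS"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVER $HTTP_PORTS (msg:"typo"; sid:3; rev:1;)
"""

# An indented "NAME:" key inside the vars block; "address-groups:" and
# "port-groups:" do not match because '-' is not allowed in a var name.
VAR_DEF_RE = re.compile(r"^\s+([A-Za-z_][A-Za-z0-9_]*):")
# A $VAR reference in a rule header.
VAR_REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def defined_vars(yaml_text: str) -> Set[str]:
    """Collect variable names declared under the top-level 'vars:' block."""
    names: Set[str] = set()
    in_vars = False
    for line in yaml_text.splitlines():
        if not line.startswith(" "):
            # A new top-level key; only stay active while inside "vars:".
            in_vars = line.rstrip() == "vars:"
            continue
        if in_vars:
            m = VAR_DEF_RE.match(line)
            if m:
                names.add(m.group(1))
    return names


def rule_header_vars(rule: str) -> Set[str]:
    """Variables referenced in the header (everything before the option list)."""
    header = rule.split("(", 1)[0]
    return set(VAR_REF_RE.findall(header))


def find_undefined_vars(rules_text: str, defined: Set[str]) -> List[Dict]:
    """Return one record per rule whose header references an undefined var."""
    problems: List[Dict] = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled rule
        missing = sorted(rule_header_vars(line) - defined)
        if missing:
            sid = SID_RE.search(line)
            problems.append({
                "line": lineno,
                "sid": sid.group(1) if sid else None,
                "missing": missing,
            })
    return problems


def report(yaml_text: str, rules_text: str, rules_name: str = "rules") -> List[str]:
    """Human-readable lines, one per offending rule."""
    defined = defined_vars(yaml_text)
    return [
        f"{rules_name}:{p['line']} sid {p['sid']}: undefined {', '.join(p['missing'])}"
        for p in find_undefined_vars(rules_text, defined)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_YAML, SAMPLE_RULES, "server-webapp.rules"):
        print(line)
```

For a real deployment, read suricata.yaml and each file listed under rule-files into the two text arguments; every name the script prints needs an entry under address-groups or port-groups (or the rule needs to stay disabled). Note that this only covers the undefined-variable errors; the fast_pattern:only and byte_extract messages in the quoted output are signature-parsing complaints that no amount of variable definition will clear.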