[Oisf-users] Suricata fails to load snort (2970) rules

Peter Manev petermanev at gmail.com
Sat Dec 20 16:52:19 UTC 2014


On Fri, Dec 19, 2014 at 6:11 AM,  <altang78 at gogo.mn> wrote:
> Hi all,
>
> I'm a newbie to Suricata. I'm trying to experiment with Suricata and the VRT
> Snort rule set, using Oinkmaster for rule management. Snort rules v.2970
> were downloaded and extracted by Oinkmaster. I've also downloaded the
> classification and reference.conf files from Snort.org. When I try to start
> suricata with the command: suricata -c suricata.yaml -i eth0 it displays a
> lot of error messages on parsing the rules, like the following:
>
> ====================================================================================================================
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> previous keyword has a fast_pattern:only; set. Can't have relative keywords
> around a fast_pattern only content
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session
> cookie denial of service"; flow:to_server,established; content:"|3D
> 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header;
> content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50;
> distance:1; http_cookie; metadata:policy balanced-ips drop, policy
> security-ips drop, service http; reference:cve,2011-2012;
> reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079;
> classtype:attempted-user; sid:30209; rev:3;)" from file
> /etc/suricata/rules/server-webapp.rules at line 1563
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unknown
> byte_extract var seen in within - exifLen
>
>
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt";
> flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body;
> content:"|FF E1|"; distance:0; http_client_body;
> byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|";
> within:exifLen; http_client_body; metadata:policy balanced-ips drop, policy
> security-ips drop, service http;
> reference:url,www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/;
> classtype:attempted-admin; sid:30249; rev:1;)" from file
> /etc/suricata/rules/server-webapp.rules at line 1566
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable
> "FILE_DATA_PORTS" is not defined in configuration file
>
> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any
> (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client,
> established; file_data; content:"root:x:0:0:root:/root:/";
> fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop,
> policy security-ips drop, service ft
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

Some keywords from the ruleset are not supported in Suricata - hence
those particular rules will not be loaded (fail to load).
Some errors that you get - Variable "FILE_DATA_PORTS" is not defined in
configuration file - just mean you have not defined that variable in
suricata.yaml.

If you would like - you can also try the ET (or ETPro) rule-sets
written (and perf tuned) to make use of Suricata's specific features:
http://rules.emergingthreats.net/open/suricata/

Some more tips (should you consider) -
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup

thanks

-- 
Regards,
Peter Manev
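The reply above separates two kinds of failure: rules using keywords or keyword combinations Suricata rejects (unloadable as written), and the undefined-variable error, which is only a missing entry in suricata.yaml. As an added example that is not part of the thread or of Suricata itself, a small pre-flight linter that sorts a rule file into the three error classes seen in the log before Suricata is started; DEFAULT_VARS (a subset of the default vars names), the heuristic checks and the third sample rule are assumptions of this example.

```python
import re
# Added example, not code from the thread or from Suricata: a pre-flight linter for the three
# load-failure classes in the log above. The checks approximate what the engine rejected.
HEADER_RE = re.compile(r"^\s*\w+\s+\w+\s+(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
FP_ONLY_MSG = "within/distance after a fast_pattern:only content"

def split_options(body):
    """Split 'key:val; key2; ...' on ';' outside double quotes; backslash escapes the next char."""
    opts, cur, quoted, esc = [], [], False, False
    for ch in body:
        if not esc and ch == '"':
            quoted = not quoted
        elif not esc and ch == ";" and not quoted:
            opts.append("".join(cur).strip()); cur = []
            continue
        esc = ch == "\\" and not esc
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [tuple(p.strip() for p in o.split(":", 1)) if ":" in o else (o, "") for o in opts if o]

def lint_rule(rule, defined_vars):
    """Return (sid, reasons this rule would fail to load); an empty list means it loads."""
    m = HEADER_RE.match(rule)
    if not m:
        return None, ["unparseable rule header"]
    problems, fp_only, extracted = [], False, set()
    for var in sorted(set(re.findall(r"\$(\w+)", " ".join(m.group(1, 2, 3, 4))))):
        if var not in defined_vars:  # SC_ERR_UNDEFINED_VAR: fix is a vars: entry in suricata.yaml
            problems.append(f"${var} is not defined in suricata.yaml vars")
    for key, val in split_options(m.group(5)):
        if key == "fast_pattern" and val == "only":
            fp_only = True
        elif key == "byte_extract":
            extracted.add(val.split(",")[2].strip())
        elif key in ("within", "distance"):
            if fp_only and FP_ONLY_MSG not in problems:  # first error class in the log
                problems.append(FP_ONLY_MSG)
            if not val.lstrip("-").isdigit():  # second error class: a variable, not a number
                kind = "byte_extract" if val in extracted else "undeclared"
                problems.append(f"{key}:{val} uses a {kind} variable; verify it loads on your version")
    sid = re.search(r"\bsid:\s*(\d+)", rule)
    return (int(sid.group(1)) if sid else None), problems

# Subset of the names a default suricata.yaml defines under vars:; FILE_DATA_PORTS is not among them.
DEFAULT_VARS = {"HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "HTTP_PORTS", "SMTP_SERVERS", "SQL_SERVERS"}
SAMPLE_RULES = [  # first two are shortened copies of the rules in the error log above; third is constructed
    r'''alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session cookie denial of service"; flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie; classtype:attempted-user; sid:30209; rev:3;)''',
    r'''alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt"; flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body; content:"|FF E1|"; distance:0; http_client_body; byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|"; within:exifLen; http_client_body; classtype:attempted-admin; sid:30249; rev:1;)''',
    r'''alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"constructed test rule"; flow:to_client,established; file_data; content:"root:x:0:0:root:/root:/"; fast_pattern:only; sid:9000001; rev:1;)''',
]
REPORT = dict(lint_rule(r, DEFAULT_VARS) for r in SAMPLE_RULES)  # sid -> list of problems
```

Only the third class is a configuration fix (add the variable under vars: in suricata.yaml); the other two need the rule rewritten or dropped.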


