[Oisf-users] Suricata fails to load snort (2970) rules

altang78 at gogo.mn
Sun Dec 21 06:10:48 UTC 2014


Thanks Peter,

I did not find documentation on declaring variables in suricata.yaml. I've
evaluated Suricata with ET rules already. To compare efficiency on
different rule sets I'm trying with VRT rules. 


Regards,
Aggie

On Sat, 20 Dec 2014 17:52:19 +0100, Peter Manev <petermanev at gmail.com>
wrote:
> On Fri, Dec 19, 2014 at 6:11 AM,  <altang78 at gogo.mn> wrote:
>> Hi all,
>>
>> I'm a newbie to Suricata. I'm trying to experiment with Suricata using the
>> VRT Snort rule set, with Oinkmaster as the rule manager. Snort rules v.2970
>> were downloaded and extracted by Oinkmaster. I've also downloaded the
>> classification and reference.conf file from Snort.org. When I try to start
>> suricata with the command: suricata -c suricata.yaml -i eth0, it displays a
>> lot of error messages on parsing the rules, like the following:
>>
>> ====================================================================================================================
>>
>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set.
>> Can't have relative keywords around a fast_pattern only content
>>
>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session
>> cookie denial of service"; flow:to_server,established; content:"|3D
>> 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header;
>> content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50;
>> distance:1; http_cookie; metadata:policy balanced-ips drop, policy
>> security-ips drop, service http; reference:cve,2011-2012;
>> reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079;
>> classtype:attempted-user; sid:30209; rev:3;)" from file
>> /etc/suricata/rules/server-webapp.rules at line 1563
>>
>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unknown
>> byte_extract var seen in within - exifLen
>>
>>
>>
>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>> (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt";
>> flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body;
>> content:"|FF E1|"; distance:0; http_client_body;
>> byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|";
>> within:exifLen; http_client_body; metadata:policy balanced-ips drop, policy
>> security-ips drop, service http;
>> reference:url,www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/;
>> classtype:attempted-admin; sid:30249; rev:1;)" from file
>> /etc/suricata/rules/server-webapp.rules at line 1566
>>
>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable
>> "FILE_DATA_PORTS" is not defined in configuration file
>>
>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any
>> (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client,
>> established; file_data; content:"root:x:0:0:root:/root:/";
>> fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop,
>> policy security-ips drop, service ft
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
> 
> Some keywords from the ruleset are not supported in Suricata - hence
> those particular rules will not be loaded (fail to load).
> Some errors that you get - Variable "FILE_DATA_PORTS" is not defined in
> configuration file - just mean you have not defined that variable in
> suricata.yaml.
> 
> If you would like - you can also try the ET (or ETPro) rule-sets
> written (and perf tuned) to make use of Suricata's specific features:
> http://rules.emergingthreats.net/open/suricata/
> 
> Some more tips (should you consider):
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
> 
> thanks
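Peter's point about SC_ERR_UNDEFINED_VAR is mechanical to check: every $VAR in a rule header must exist under vars: (address-groups or port-groups) in suricata.yaml. The Python script below is an added example, not part of the thread or of Suricata; it parses a constructed suricata.yaml vars: section and two rule headers quoted above, reports the undeclared variables with the group they belong in, and renders the YAML lines to add (the PLACEHOLDER values are assumptions to be filled in from the site's own Snort configuration).

```python
import re
# Constructed sample: the vars: section of a suricata.yaml that lacks FILE_DATA_PORTS.
SURICATA_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
"""

# Constructed sample rules: headers of two rules quoted in the thread, option bodies shortened.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php in Exif data"; sid:30249; rev:1;)
alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; sid:1; rev:1;)
"""

# Rule header layout: action proto src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(r'^\s*(?:alert|drop|pass|reject)\s+\S+\s+(\S+)\s+(\S+)\s+[-<]>\s+(\S+)\s+(\S+)\s*\(')

def declared_vars(yaml_text):
    """Return {VAR: group} for every name under vars: address-groups / port-groups (minimal parse, no PyYAML)."""
    declared, group = {}, None
    for line in yaml_text.splitlines():
        if m := re.match(r'^\s+(address-groups|port-groups):\s*$', line):
            group = m.group(1)
        elif group and (m := re.match(r'^\s+([A-Z_][A-Z0-9_]*):', line)):
            declared[m.group(1)] = group
    return declared

def undefined_vars(rules_text, yaml_text):
    """Map each $VAR used in a rule header but not declared in suricata.yaml to the group it belongs in."""
    declared, missing = declared_vars(yaml_text), {}
    for m in filter(None, map(HEADER_RE.match, rules_text.splitlines())):
        src, sport, dst, dport = m.groups()
        for field, group in ((src, "address-groups"), (dst, "address-groups"),
                             (sport, "port-groups"), (dport, "port-groups")):
            for name in re.findall(r'\$([A-Z_][A-Z0-9_]*)', field):
                if name not in declared:
                    missing.setdefault(name, group)  # address slot -> address-groups, port slot -> port-groups
    return missing

def yaml_stub(missing):
    """Render the vars: entries to add to suricata.yaml; the values are placeholders the admin fills in."""
    out = []
    for group in ("address-groups", "port-groups"):
        names = sorted(n for n, g in missing.items() if g == group)
        out += [f"  {group}:"] + [f'    {n}: "PLACEHOLDER"' for n in names] if names else []
    return "\n".join(out)
```

Running yaml_stub(undefined_vars(RULES, SURICATA_YAML)) on the constructed input yields a port-groups: entry for FILE_DATA_PORTS, which is exactly the variable the quoted error names.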


