[Oisf-users] Suricata fails to load snort (2970) rules

Victor Julien lists at inliniac.net
Sun Dec 21 08:47:39 UTC 2014


On 12/21/2014 07:10 AM, altang78 at gogo.mn wrote:
> Thanks Peter,
> 
> I did not find documentation on declaring variables in suricata.yaml. I've
> evaluated Suricata with ET rules already. To compare efficiency on
> different rule sets I'm trying with VRT rules. 
> 

Please see
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml#Rule-vars

Cheers,
Victor

> Regards,
> Aggie
> 
> On Sat, 20 Dec 2014 17:52:19 +0100, Peter Manev <petermanev at gmail.com>
> wrote:
>> On Fri, Dec 19, 2014 at 6:11 AM,  <altang78 at gogo.mn> wrote:
>>> Hi all,
>>>
>>> I'm a newbie to Suricata. I'm trying to experiment with Suricata using the
>>> VRT Snort rule set and Oinkmaster for rule management. Snort rules v.2970
>>> were downloaded and extracted by Oinkmaster. I've downloaded the
>>> classification and reference.conf files from Snort.org also. When I try to
>>> start suricata with the command: suricata -c suricata.yaml -i eth0 it
>>> displays a lot of error messages on parsing the rules like the following:
>>>
>>>
>>> ====================================================================================================================
>>>
>>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
>>> previous keyword has a fast_pattern:only; set. Can't have relative
>>> keywords
>>> around a fast_pattern only content
>>>
>>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
>>> error
>>> parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null
>>> session
>>> cookie denial of service"; flow:to_server,established; content:"|3D
>>> 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header;
>>> content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50;
>>> distance:1; http_cookie; metadata:policy balanced-ips drop, policy
>>> security-ips drop, service http; reference:cve,2011-2012;
>>> reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079;
>>> classtype:attempted-user; sid:30209; rev:3;)" from file
>>> /etc/suricata/rules/server-webapp.rules at line 1563
>>>
>>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
>>> unknown
>>> byte_extract var seen in within - exifLen
>>>
>>>
>>>
>>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
>>> error
>>> parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
>>> $HTTP_PORTS
>>> (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt";
>>> flow:to_server,established; content:"|FF D8 FF E0|"; http_client_body;
>>> content:"|FF E1|"; distance:0; http_client_body;
>>> byte_extract:2,0,exifLen,relative; content:"eval|28|base64_decode|28|";
>>> within:exifLen; http_client_body; metadata:policy balanced-ips drop,
>>> policy
>>> security-ips drop, service http;
>>>
>>> reference:url,www.virustotal.com/en/file/ab85eb33605f3013989f4e8a9bfd5e89dd82d1f80231d4e4a2ceb82744bf287c/analysis/1381324711/;
>>> classtype:attempted-admin; sid:30249; rev:1;)" from file
>>> /etc/suricata/rules/server-webapp.rules at line 1566
>>>
>>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
>>> Variable
>>> "FILE_DATA_PORTS" is not defined in configuration file
>>>
>>> 19/12/2014 -- 12:50:00 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
>>> error
>>> parsing signature "alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET
>>> any
>>> (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_client,
>>> established; file_data; content:"root:x:0:0:root:/root:/";
>>> fast_pattern:only; content:!"html"; metadata:policy balanced-ips drop,
>>> policy security-ips drop, service ft
>>>
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> Training now available: http://suricata-ids.org/training/
>>
>> Some keywords from the ruleset are not supported in Suricata - hence
>> those particular rules will not be loaded (fail to load).
>> Some errors that you get - Variable "FILE_DATA_PORTS" is not defined in
>> configuration file - just mean you have not defined that variable in
>> suricata.yaml
>>
>> If you would like - you can also try the ET (or ETPro) rule-sets
>> written (and perf tuned) to make use of Suricata's specific features:
>> http://rules.emergingthreats.net/open/suricata/
>>
>> Some more tips (should you consider):
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
>>
>> thanks


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
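Peter's point that SC_ERR_UNDEFINED_VAR only means the variable is missing from the vars section of suricata.yaml lends itself to a preflight check before loading a foreign ruleset. The script below is an added example, not code from this thread or from Suricata: it reads the address-groups/port-groups entries of a suricata.yaml (line-based, so it only understands the stock file layout and needs no YAML library), collects every $VAR used in rule headers or in other var values, and reports the ones that are not defined. The yaml and rules excerpts are constructed (the rule headers come from the errors quoted above; sid 1000001 is a placeholder).

```python
import re

# Constructed excerpt of a suricata.yaml "vars:" section (not the poster's file); FILE_DATA_PORTS is left out.
SAMPLE_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
"""
# Constructed rules: headers from the errors quoted above, bodies shortened; sid 1000001 is a placeholder.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Embedded php in Exif data upload attempt"; sid:30249; rev:1;)
alert tcp $HOME_NET $FILE_DATA_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; sid:1000001; rev:1;)
"""

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")              # a $NAME reference
VAR_DEF = re.compile(r"^ {4}([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")   # a 4-space "NAME: value" entry

def parse_vars(yaml_text):
    """{name: value} for the entries under the top-level 'vars:' key (line-based, stock layout only)."""
    in_vars, defs = False, {}
    for line in yaml_text.splitlines():
        if line.lstrip().startswith("#") or not line.strip():
            continue
        if not line.startswith(" "):               # a new top-level key starts here
            in_vars = line.startswith("vars:")
            continue
        m = VAR_DEF.match(line) if in_vars else None
        if m:
            defs[m.group(1)] = m.group(2).strip().strip('"')
    return defs

def find_undefined(rules_text, defs):
    """Sorted (where, var) pairs for each $VAR in a rule header or var value that suricata.yaml does not define."""
    missing = set()
    for name, value in defs.items():               # e.g. EXTERNAL_NET: "!$HOME_NET"
        missing.update(("vars:" + name, r) for r in VAR_REF.findall(value) if r not in defs)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = re.search(r"\bsid:\s*(\d+)\s*;", line)
        header = line.split("(", 1)[0]             # action proto src sport -> dst dport
        missing.update((sid.group(1) if sid else "?", r)
                       for r in VAR_REF.findall(header) if r not in defs)
    return sorted(missing)
```

Running find_undefined(SAMPLE_RULES, parse_vars(SAMPLE_YAML)) on the constructed input reports only FILE_DATA_PORTS for the placeholder sid, which is exactly the variable the quoted error complains about.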