[Oisf-users] Rule Errors

Phil Daws uxbod at splatnix.net
Wed May 7 08:19:41 UTC 2014


Apologies, it was a dumb sleepy user error!
----- Original Message -----
From: "(OISF) Martijn Schoemaker" <oisf at ficture.nl>
To: oisf-users at lists.openinfosecfoundation.org
Sent: Wednesday, 7 May, 2014 9:06:06 AM
Subject: Re: [Oisf-users] Rule Errors

Hi,

At first glance it seems you have typos in your rules (maybe carriage returns etc.). There are also 2 'duplicate' messages which would imply you are using the same sid for different rules.

Did you add any manual rules to your config? Or did you manually modify your config files?

Regards,
Martijn

On 05/07/2014 09:37 AM, Phil Daws wrote:
> Good morning All,
>
> have upgraded to the latest GIT release to try out the HeartBleed code additions and on restarting am seeing a large number of the following rule failures:
>
> May  7 08:30:15 fw1 suricata: [8083] 7/5/2014 -- 08:30:15 - (detect.c:350) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA PPP unsupported protocol"; decode-event:ppp.unsup_proto; sid:2200048; rev:1;)" from file /usr/local/etc/suricata/rules/snort.rules at line 351
> May  7 08:30:15 fw1 suricata: [8083] 7/5/2014 -- 08:30:15 - (detect-parse.c:1843) <Error> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small"; decode-event:pppoe.pkt_too_small; sid:2200049; rev:1;)"
> May  7 08:30:15 fw1 suricata: [8083] 7/5/2014 -- 08:30:15 - (detect.c:350) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small"; decode-event:pppoe.pkt_too_small; sid:2200049; rev:1;)" from file /usr/local/etc/suricata/rules/snort.rules at line 352
> May  7 08:30:15 fw1 suricata: [8083] 7/5/2014 -- 08:30:15 - (detect-parse.c:1843) <Error> (DetectEngineAppendSig) -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert pkthdr any any -> any any (msg:"SURICATA PPPOE wrong code"; decode-event:pppoe.wrong_code; sid:2200050; rev:1;)"
>
> How would one go about debugging them please?
>
> Thanks. Phil
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
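
Added example, not part of the original thread: a small rule-file check for the two causes raised in the reply above, the same sid appearing in more than one place and stray carriage returns. The file name decoder-events.rules, the sample file contents and the function name `lint_rules` are assumptions made for illustration; the two rule lines are taken from the log output quoted above, and one rule per line is assumed.

```python
import re
from collections import defaultdict

# Matches the sid option inside a rule's option list, e.g. "; sid:2200048;"
SID_RE = re.compile(r"[;(]\s*sid\s*:\s*(\d+)\s*;")

def lint_rules(files):
    """files maps a rule file name to its text.

    Returns (duplicates, cr_lines):
      duplicates: sid -> [(file, line_no), ...] for sids seen more than once
      cr_lines:   [(file, line_no), ...] for lines ending in a carriage return
    """
    seen = defaultdict(list)
    cr_lines = []
    for name, text in files.items():
        for line_no, line in enumerate(text.split("\n"), 1):
            if line.endswith("\r"):
                cr_lines.append((name, line_no))
            rule = line.strip()
            if not rule or rule.startswith("#"):
                continue  # blank line or commented-out rule
            match = SID_RE.search(rule)
            if match:
                seen[int(match.group(1))].append((name, line_no))
    duplicates = {sid: locs for sid, locs in seen.items() if len(locs) > 1}
    return duplicates, cr_lines

# Constructed sample input: the same two rules present in two files,
# with one copy saved with a CRLF line ending.
RULE_48 = ('alert pkthdr any any -> any any (msg:"SURICATA PPP unsupported protocol"; '
           'decode-event:ppp.unsup_proto; sid:2200048; rev:1;)')
RULE_49 = ('alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small"; '
           'decode-event:pppoe.pkt_too_small; sid:2200049; rev:1;)')
SAMPLE = {
    "decoder-events.rules": RULE_48 + "\n" + RULE_49 + "\n",
    "snort.rules": "# constructed local copy\n" + RULE_48 + "\n" + RULE_49 + "\r\n",
}

if __name__ == "__main__":
    dups, crs = lint_rules(SAMPLE)
    for sid, locs in sorted(dups.items()):
        print("duplicate sid", sid, "at", ", ".join(f"{f}:{n}" for f, n in locs))
    for f, n in crs:
        print("carriage return at", f"{f}:{n}")
```

To check real files, build the mapping from the rule files your configuration loads, reading each one in binary mode and decoding it so that carriage returns are preserved.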