[Oisf-users] Suricata rule/config errors

Russell Fulton r.fulton at auckland.ac.nz
Sun Sep 14 23:24:31 UTC 2014 

Hi

I get a couple of errors on my sensors when I ask suri to reload rules.

sensors at secmonprd01:~$ suricata -V
This is Suricata version 2.0.3 RELEASE

sensors at secmonprd01:~$ ls -l Rules/raw/emerging-suri.rules.tar.gz
-rw-r--r-- 1 sensors sensors 2413408 Sep 14 04:12 Rules/raw/emerging-suri.rules.tar.gz
sensors at secmonprd01:~$ md5sum Rules/raw/emerging-suri.rules.tar.gz
0f818fa4390c17fe78ac7224dcb49c38  Rules/raw/emerging-suri.rules.tar.gz

Which matches http://rules.emergingthreatspro.com/.../suricata-2.0.3/etpro.rules.tar.gz.md5

so I figure I have the right rule file which is processed by pulled pork.

In the logs I get:

2014 Sep 15 10:44:22 +12:00 secmonprd01.insec.auckland.ac.nz: suricata: '15/9/2014 -- 10:44:22 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content. ‘

2014 Sep 15 10:44:22 +12:00 secmonprd01.insec.auckland.ac.nz: suricata: '15/9/2014 -- 10:44:22 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC ([country code| +..)"; flow:established,to_server; content:"NICK "; depth:5; pcre: "/\[[A-Z]{2,3}\|/"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5057 ‘

The other problem is that I always get the error:

2014 Sep 15 10:47:02 +12:00 secmonprd01.insec.auckland.ac.nz: suricata: '15/9/2014 -- 10:47:02 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /home/sensors/dmzo/Rules/local.rules '

but sensors at secmonprd01:~$ cat /home/sensors/dmzo/Rules/local.rules 

 alert udp [130.216.0.0/16,!$DNS_SERVERS] any -> ![130.216.0.0/16,202.46.160.4] 53 (msg:"UTCSIG DNS request from non-DNS server"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; sid:9900009; rev:1;)

Puzzled!

Russell

More information about the Oisf-users mailing list