[Oisf-users] Suricata rule/config errors

Peter Manev petermanev at gmail.com
Mon Sep 15 13:50:12 UTC 2014


On Mon, Sep 15, 2014 at 1:24 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
>
> I get a couple of errors on my sensors when I ask suri to reload rules.
>
> sensors at secmonprd01:~$ suricata -V
> This is Suricata version 2.0.3 RELEASE
>
> sensors at secmonprd01:~$ ls -l Rules/raw/emerging-suri.rules.tar.gz
> -rw-r--r-- 1 sensors sensors 2413408 Sep 14 04:12 Rules/raw/emerging-suri.rules.tar.gz
> sensors at secmonprd01:~$ md5sum Rules/raw/emerging-suri.rules.tar.gz
> 0f818fa4390c17fe78ac7224dcb49c38  Rules/raw/emerging-suri.rules.tar.gz
>
> Which matches http://rules.emergingthreatspro.com/.../suricata-2.0.3/etpro.rules.tar.gz.md5
>
> so I figure I have the right rule file which is processed by pulled pork.
>
> In the logs I get:
>
> 2014 Sep 15 10:44:22 +12:00 secmonprd01.insec.auckland.ac.nz: suricata: '15/9/2014 -- 10:44:22 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content. '
>
> 2014 Sep 15 10:44:22 +12:00 secmonprd01.insec.auckland.ac.nz: suricata: '15/9/2014 -- 10:44:22 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC ([country code| +..)"; flow:established,to_server; content:"NICK "; depth:5; pcre: "/\[[A-Z]{2,3}\|/"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)" from file /home/sensors/dmzo/Rules/snort.rules at line 5057 '
>
> The other problem is that I always get the error:
>
> 2014 Sep 15 10:47:02 +12:00 secmonprd01.insec.auckland.ac.nz: suricata: '15/9/2014 -- 10:47:02 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /home/sensors/dmzo/Rules/local.rules '
>
> but sensors at secmonprd01:~$ cat /home/sensors/dmzo/Rules/local.rules
>
>  alert udp [130.216.0.0/16,!$DNS_SERVERS] any -> ![130.216.0.0/16,202.46.160.4] 53 (msg:"UTCSIG DNS request from non-DNS server"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; sid:9900009; rev:1;)
>
> Puzzled!
>
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/


Hi,
I noticed that you have -
Rules/raw/

then you are also referring to -
cat /home/sensors/dmzo/Rules/local.rules

which leads me to the question if your rules directory is the same in
suricata.yaml?



thanks


-- 
Regards,
Peter Manev
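The SC_ERR_INVALID_SIGNATURE error quoted in Russell's message comes from mixing an absolute modifier (depth/offset) with a relative one (within/distance) on the same content match. The script below is an added illustration written for this archive page; it is not code from the thread, from Suricata, or from Emerging Threats. It parses the option section of a rule and reports any content keyword that carries both kinds of modifier. The one assumption it encodes is that depth/offset/within/distance attach to the most recent content or uricontent keyword and that pcre is skipped (pcre uses its own /R flag rather than within), which is why the within:10 in the ET rule lands on the content:"NICK " that already has depth:5. The two rules from the thread are embedded as sample input; the script does not address the separate "No rules loaded from local.rules" warning.

```python
import re

# Added rule-option checker for the SC_ERR_INVALID_SIGNATURE condition quoted
# in the thread. Not Suricata code. Assumption: depth/offset/within/distance
# modify the most recent content-style keyword; pcre is skipped because it
# takes its own /R flag instead of within/distance.

CONTENT_KEYWORDS = {"content", "uricontent"}
ABSOLUTE = {"depth", "offset"}      # position measured from the buffer start
RELATIVE = {"within", "distance"}   # position measured from the previous match


def split_options(body):
    """Split the parenthesised option section on ';', honouring double quotes
    and backslash escapes so values such as "|01 00|" or a pcre stay intact."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def check_rule(rule):
    """Return a list of human-readable problems; an empty list means the rule
    passes this one check (nothing else about the rule is validated)."""
    m = re.search(r"\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        return ["no option section in parentheses"]
    problems, contents, current = [], [], None
    for opt in split_options(m.group(1)):
        kw, _, val = opt.partition(":")
        kw, val = kw.strip(), val.strip()
        if kw in CONTENT_KEYWORDS:
            current = {"content": val, "absolute": set(), "relative": set()}
            contents.append(current)
        elif kw in ABSOLUTE or kw in RELATIVE:
            if current is None:
                problems.append(f"{kw} appears before any content keyword")
            elif kw in ABSOLUTE:
                current["absolute"].add(kw)
            else:
                current["relative"].add(kw)
    for c in contents:
        if c["absolute"] and c["relative"]:
            problems.append(
                f"content {c['content']} mixes absolute {sorted(c['absolute'])} "
                f"with relative {sorted(c['relative'])}; Suricata rejects this")
    return problems


# The two rules quoted in the thread, embedded so the script runs offline.
IRC_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot '
    'Nick in IRC ([country code| +..)"; flow:established,to_server; '
    'content:"NICK "; depth:5; pcre: "/\\[[A-Z]{2,3}\\|/"; within:10; '
    'reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; '
    'sid:2008124; rev:5;)'
)
DNS_RULE = (
    'alert udp [130.216.0.0/16,!$DNS_SERVERS] any -> ![130.216.0.0/16,202.46.160.4] 53 '
    '(msg:"UTCSIG DNS request from non-DNS server"; '
    'content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; sid:9900009; rev:1;)'
)

if __name__ == "__main__":
    for name, rule in (("IRC_RULE", IRC_RULE), ("DNS_RULE", DNS_RULE)):
        print(name, check_rule(rule) or "ok")
```

Running it flags only the ET rule (its content:"NICK " carries both depth and within), while the local.rules signature passes because offset and depth are both absolute. Dropping the within:10 from the ET rule, or running such a check over a pulledpork output file before handing it to suricata, catches this class of parse error before a reload.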


