[Oisf-users] Errors on startup using ETPro Rules

Lee Walker leeewalker at hotmail.com
Thu Apr 14 08:42:23 UTC 2016


Hello
 
I've been successfully using the Open rules on my Suricata installs, but since upgrading to the latest ETPro rules I get the following errors on startup:
 
14/4/2016 -- 08:49:10 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'base64_decode'.
 
14/4/2016 -- 08:49:07 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer

14/4/2016 -- 08:49:07 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS WP Theme LFI Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/themes/"; http_uri; fast_pattern:only; content:"download.php?file="; http_uri; pcre:"/[^&]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Ri"; reference:url,packetstormsecurity.net/1412-exploits/wptheme-download.txt; classtype:attempted-admin; sid:2809398; rev:1;)" from file /etc/suricata/pro-rules/rules/web_specific_apps.rules at line 21279
 
These errors will be repeated for several different rules and lines.
 
I can't see anything wrong?
 
Any help appreciated............
 
 
Regards
Lee

 		 	   		  