[Oisf-users] Errors on startup using ETPro Rules

Victor Julien lists at inliniac.net
Thu Apr 14 08:46:35 UTC 2016


On 14-04-16 10:44, Victor Julien wrote:
> On 14-04-16 10:42, Lee Walker wrote:
>> I've been successfully using the Open rules on my Suricata installs, but
>> since upgrading to latest ETPro rules I get the following errors on startup:
>>  
>> 14/4/2016 -- 08:49:10 - <Error> - [ERRCODE:
>> SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'base64_decode'.
>>  
>> 14/4/2016 -- 08:49:07 - <Error> - [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding
>> match in the same buffer
>>
>> 14/4/2016 -- 08:49:07 - <Error> - [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
>> $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO
>> WEB_SPECIFIC_APPS WP Theme LFI Attempt"; flow:to_server,established;
>> content:"GET"; http_method; content:"/wp-content/themes/"; http_uri;
>> fast_pattern:only; content:"download.php?file="; http_uri;
>> pcre:"/[^&]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Ri";
>> reference:url,packetstormsecurity.net/1412-exploits/wptheme-download.txt; classtype:attempted-admin;
>> sid:2809398; rev:1;)" from file
>> /etc/suricata/pro-rules/rules/web_specific_apps.rules at line 21279
>>  
>> These errors will be repeated for several different rules and lines.
> 
> What Suricata version are you running?
> 

My version of this rule is quite different. Are you sure you're pulling
the Suricata version of the ETPro ruleset?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
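As an added illustration (not part of the thread), the following Python linter reproduces the check behind the SC_ERR_INVALID_SIGNATURE message quoted above: a pcre with the /R modifier must have an earlier match in the same buffer, and a pcre whose modifiers carry no buffer letter (like the quoted rule's /Ri) is checked against the raw payload rather than http_uri. The mapping of pcre modifier letters to buffers, the content-then-modifier rule form, and both sample rules are assumptions constructed for this example from the Suricata rule documentation.

```python
import re

# Assumed from Suricata docs: pcre modifier letters that select a buffer.
# No buffer letter means the pcre applies to the raw payload.
PCRE_BUFFER_FLAGS = {"U": "http_uri", "I": "http_raw_uri", "P": "http_client_body",
                     "Q": "http_server_body", "H": "http_header", "D": "http_raw_header",
                     "M": "http_method", "C": "http_cookie", "V": "http_user_agent",
                     "W": "http_host"}
CONTENT_BUFFER_KEYWORDS = set(PCRE_BUFFER_FLAGS.values())

# Constructed sample rules: BAD mirrors the shape of the quoted ETPro rule
# (content in http_uri, then pcre with /Ri and no buffer letter); GOOD adds /U.
BAD_RULE = (r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"TEST relative pcre"; '
            r'flow:to_server,established; content:"GET"; http_method; '
            r'content:"download.php?file="; http_uri; pcre:"/[^&]*\.\.(?:%2f|\/)/Ri"; sid:1000001; rev:1;)')
GOOD_RULE = BAD_RULE.replace("/Ri", "/RUi")

def split_options(rule):
    """Split the option section on ';' characters that are not inside double quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, quoted, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and quoted and i + 1 < len(body):   # keep escaped chars intact
            cur += ch + body[i + 1]; i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip()); cur = ""
        else:
            cur += ch
        i += 1
    if cur.strip():
        opts.append(cur.strip())
    return opts

def check_relative_pcre(rule):
    """Return problems for every pcre with /R whose buffer has no earlier match."""
    problems, seen = [], []          # seen: buffers of matches so far, in order
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "content":
            seen.append("payload")   # a following modifier keyword may re-assign it
        elif key in CONTENT_BUFFER_KEYWORDS and seen:
            seen[-1] = key           # e.g. content:"x"; http_uri;
        elif key == "pcre":
            flags = val.strip().strip('"').rsplit("/", 1)[1]
            buf = next((PCRE_BUFFER_FLAGS[f] for f in flags if f in PCRE_BUFFER_FLAGS), "payload")
            if "R" in flags and buf not in seen:
                problems.append(f"pcre /R in '{buf}' has no preceding match there (seen: {seen})")
            seen.append(buf)
    return problems
```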