[Oisf-users] Errors on startup using ETPro Rules

Lee Walker leeewalker at hotmail.com
Thu Apr 14 08:51:32 UTC 2016


Victor
 
Thanks for the quick response, I've tried on both v2.0.9 and v3.0.
 
The Rules were downloaded for me, I'll double check they are correct.
 
Thanks
 
Lee
 
> To: oisf-users at lists.openinfosecfoundation.org
> From: lists at inliniac.net
> Date: Thu, 14 Apr 2016 10:46:35 +0200
> Subject: Re: [Oisf-users] Errors on startup using ETPro Rules
> 
> On 14-04-16 10:44, Victor Julien wrote:
> > On 14-04-16 10:42, Lee Walker wrote:
> >> I've been successfully using the Open rules on my Suricata installs, but
> >> since upgrading to latest ETPro rules I get the following errors on startup:
> >>  
> >> 14/4/2016 -- 08:49:10 - <Error> - [ERRCODE:
> >> SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'base64_decode'.
> >>  
> >> 14/4/2016 -- 08:49:07 - <Error> - [ERRCODE:
> >> SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding
> >> match in the same buffer
> >>
> >> 14/4/2016 -- 08:49:07 - <Error> - [ERRCODE:
> >> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
> >> $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO
> >> WEB_SPECIFIC_APPS WP Theme LFI Attempt"; flow:to_server,established;
> >> content:"GET"; http_method; content:"/wp-content/themes/"; http_uri;
> >> fast_pattern:only; content:"download.php?file="; http_uri;
> >> pcre:"/[^&]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Ri";
> >> reference:url,packetstormsecurity.net/1412-exploits/wptheme-download.txt; classtype:attempted-admin;
> >> sid:2809398; rev:1;)" from file
> >> /etc/suricata/pro-rules/rules/web_specific_apps.rules at line 21279
> >>  
> >> These errors will be repeated for several different rules and lines.
> > 
> > What Suricata version are you running?
> > 
> 
> My version of this rule is quite different. Are you sure you're pulling
> the Suricata version of the ETPro ruleset?
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
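As an added example (not part of the thread, and not Suricata or Emerging Threats code), here is a small Python pre-flight checker that reproduces the two error classes in Lee's log before `suricata -T` does: a rule keyword the running Suricata does not know, and a `pcre` with the `/R` (relative) flag whose buffer has no preceding match. It assumes the subset of Suricata pcre buffer-flag letters listed in `CONTENT_MODIFIERS` (the mapping as this example's author understands it) and the one-rule-per-line file layout shown in the thread; the sample rules embedded below are constructed, the first being a shortened copy of the thread's failing rule.

```python
"""Pre-flight checker for Suricata rule files (added example, not project code).

Flags the two error classes seen in the thread:
  * a keyword the target Suricata build does not know (SC_ERR_RULE_KEYWORD_UNKNOWN)
  * pcre with /R whose buffer has no earlier content/pcre match in the same rule
"""

# Keyword the thread's Suricata 2.0.9 / 3.0 rejected. Extend for your build.
UNSUPPORTED_KEYWORDS = {"base64_decode"}

# content modifiers that move a match off the raw payload, mapped to the pcre
# flag letter that selects the same buffer (assumed subset of Suricata's flags).
CONTENT_MODIFIERS = {
    "http_uri": "U", "http_raw_uri": "I", "http_header": "H",
    "http_raw_header": "D", "http_method": "M", "http_cookie": "C",
    "http_client_body": "P", "http_stat_code": "S", "http_stat_msg": "Y",
    "http_host": "W", "http_raw_host": "Z",
}
PCRE_BUFFER_FLAGS = set(CONTENT_MODIFIERS.values())
PAYLOAD = "payload"  # pseudo-buffer for matches carrying no buffer modifier


def split_options(body):
    """Split the text inside a rule's ( ... ) on ';', honouring double quotes
    and backslash escapes so a ';' inside msg/pcre does not break a token."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def pcre_flags(value):
    """Return the flag letters after the closing '/' of a pcre:"/.../flags" value."""
    body = value.strip().strip('"')
    return body[body.rfind("/") + 1:] if body.startswith("/") else ""


def check_rule(rule):
    """Return a list of problem strings for one rule (empty list means it passed)."""
    problems = []
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["no ( ... ) option section"]
    seen = set()      # buffers that already hold a committed content/pcre match
    pending = None    # buffer of the most recent content, still open to modifiers
    for opt in split_options(rule[start + 1:end]):
        name, _, value = opt.partition(":")
        name = name.strip()
        if name in UNSUPPORTED_KEYWORDS:
            problems.append("unknown rule keyword '%s'" % name)
        elif name == "content":
            if pending is not None:
                seen.add(pending)
            pending = PAYLOAD
        elif name in CONTENT_MODIFIERS:
            if pending is not None:
                pending = CONTENT_MODIFIERS[name]   # e.g. http_uri -> U
        elif name == "pcre":
            if pending is not None:
                seen.add(pending)
                pending = None
            flags = pcre_flags(value)
            buffers = [f for f in flags if f in PCRE_BUFFER_FLAGS]
            buf = buffers[0] if buffers else PAYLOAD
            if "R" in flags and buf not in seen:
                problems.append("pcre with /R needs a preceding match in buffer %s" % buf)
            seen.add(buf)
    return problems


def check_rules(text):
    """Scan a rules file's text; return [(line_number, [problems])] for rules with issues."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problems = check_rule(line)
        if problems:
            findings.append((lineno, problems))
    return findings


# Constructed sample file: line 2 is the thread's rule with its pcre shortened,
# line 4 pins that pcre to the http_uri buffer (U), line 6 uses an unknown keyword.
SAMPLE_RULES = """\
# constructed: shortened copy of the thread's failing rule (pcre has R but no buffer flag)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS WP Theme LFI Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/themes/"; http_uri; fast_pattern:only; content:"download.php?file="; http_uri; pcre:"/[^&]*(?:%2e|\\.)(?:%2f|\\/)/Ri"; classtype:attempted-admin; sid:2809398; rev:1;)
# constructed: same rule with the pcre on the http_uri buffer
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed fixed copy"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/themes/"; http_uri; fast_pattern:only; content:"download.php?file="; http_uri; pcre:"/[^&]*(?:%2e|\\.)(?:%2f|\\/)/RUi"; classtype:attempted-admin; sid:9000002; rev:1;)
# constructed: keyword the thread's Suricata versions do not know
alert tcp any any -> any any (msg:"constructed base64 test"; content:"x"; base64_decode; sid:9000001; rev:1;)
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, problems in check_rules(text):
        for problem in problems:
            print("line %d: %s" % (lineno, problem))
```

Run it against a downloaded file (`python check_rules.py /etc/suricata/pro-rules/rules/web_specific_apps.rules`) to get the offending line numbers before restarting the sensor; without an argument it checks the embedded sample and reports lines 2 and 6. A file that trips these checks on many lines is the symptom Victor points at above: the edition of the ruleset does not match the Suricata version it is being loaded into.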