[Oisf-users] VRT or Talos rules and openappid

Vieri rentorbuy at yahoo.com
Fri Dec 30 11:16:51 UTC 2016


Hi,

The docs suggest that Suricata can load the VRT/Talos rulesets, but I'm seeing lots of errors such as:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /etc/suricata/rules/community.rules at line 2431
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

Can anyone please confirm that the Talos rules cannot be loaded in Suricata?

I would also like to know if the openappid LUA scripts can be used in Suricata 3.x with lua:[!]<scriptfilename>;.

Thanks,

Vieri
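As an added example (not code from the post, from Suricata or from Talos): a small Python pre-check that parses a rule's option section and flags the two incompatibilities the quoted errors describe, so a rule file can be screened before Suricata is pointed at it. The keyword sets and the "same or next content block" rule are this example's simplification of Suricata's checks; the embedded rules are an abridged copy of the sid:25675 rule from the error above plus one constructed rule.

```python
# Keyword families named in the quoted Suricata errors; the sets are this
# example's assumption, not Suricata's own (longer) keyword tables.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}
RELATIVE_KEYWORDS = {"distance", "within"}
# Abridged copy of the sid:25675 rule from the error above (metadata and
# reference options dropped); FP_RULE is a constructed example.
PAGE_RULE = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC '
             r'Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; '
             r'dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| '
             r'Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; '
             r'pcre:"/\x2f[A-F0-9]{158}/U"; classtype:trojan-activity; sid:25675; rev:7;)')
FP_RULE = ('alert tcp any any -> any any (msg:"constructed"; content:"GET"; fast_pattern:only; '
           'content:"/admin"; distance:1; sid:1000001;)')

def parse_options(rule):
    """Split the (...) option section into (keyword, value) pairs; ';' inside quotes is data."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = cur.strip().partition(":")
            opts.append((key, val.strip().strip('"')))
            cur = ""
        else:
            cur += ch
        prev = ch
    return opts

def check_rule(rule):
    """Return the incompatibilities Suricata would report for this rule."""
    opts = parse_options(rule)
    keys = [k for k, _ in opts]
    problems = []
    if PACKET_KEYWORDS & set(keys) and any(k.startswith("http_") for k in keys):
        problems.append("packet match (dsize/flags/ttl) combined with http_* app-layer match")
    # Number options by content block: each 'content' opens a block that owns its modifiers.
    blocks, n = [], 0
    for k, _ in opts:
        if k == "content":
            n += 1
        blocks.append(n)
    fp = {b for (k, v), b in zip(opts, blocks) if (k, v) == ("fast_pattern", "only")}
    # A relative modifier on the fast_pattern:only content, or on the next content
    # (which is relative to it), is what the second quoted error rejects.
    for (k, _), b in zip(opts, blocks):
        if k in RELATIVE_KEYWORDS and (b in fp or b - 1 in fp):
            problems.append("relative keyword %s around a fast_pattern:only content" % k)
            break
    return problems
```

Run `check_rule` over each line of a `.rules` file that starts with `alert` to list the rules Suricata will refuse before loading the file.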

