[Oisf-users] VRT or Talos rules and openappid

Peter Manev petermanev at gmail.com
Fri Dec 30 11:59:09 UTC 2016

> On 30 Dec 2016, at 12:16, Vieri <rentorbuy at yahoo.com> wrote:
> Hi,
> The docs suggest that Suricata can load the VRT/Talos rulesets but I'm seeing lots of errors such as:

Some keywords are not supported.

> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).

This is a good feedback from Suricata (including for rulewriters) - the err msg is descriptive enough I think - pkt vs stream match.

> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /etc/suricata/rules/community.rules at line 2431
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
> Can anyone please confirm that the Talos rules cannot be loaded in Suricata?

Some rules will not load for the reasons explained above.

> I would also like to know if the openappid LUA scripts can be used in Suricata 3.x with lua:[!]<scriptfilename>;.

Luascripts can be used - 
, openappid not.

> Thanks,
> Vieri
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161230/851824df/attachment-0002.html>

More information about the Oisf-users mailing list