[Oisf-users] VRT or Talos rules and openappid

Peter Manev petermanev at gmail.com
Fri Dec 30 11:59:09 UTC 2016


> On 30 Dec 2016, at 12:16, Vieri <rentorbuy at yahoo.com> wrote:
> 
> Hi,
> 
> The docs suggest that Suricata can load the VRT/Talos rulesets but I'm seeing lots of errors such as:
> 

Some keywords are not supported.


> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).

This is good feedback from Suricata (including for rule writers) - the error message is descriptive enough, I think - packet vs. stream match.

> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /etc/suricata/rules/community.rules at line 2431
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
> 
> Can anyone please confirm that the Talos rules cannot be loaded in Suricata?
> 

Some rules will not load for the reasons explained above.

> I would also like to know if the openappid LUA scripts can be used in Suricata 3.x with lua:[!]<scriptfilename>;.
> 


Lua scripts can be used - http://suricata.readthedocs.io/en/latest/rules/rule-lua-scripting.html - openappid cannot.

> Thanks,
> 
> Vieri
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
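An added pre-check for the two rule patterns behind the errors quoted in this thread (example code, not Suricata's own parser and not from either poster): it walks a rules file and flags rules that mix packet keywords (dsize/flags/ttl) with http_* keywords, or that place a relative keyword (distance, within, pcre /R) around a fast_pattern:only content. It only needs the Python standard library; the first sample rule is the one quoted above (sid 25675), the other two (sids 9000001 and 9000002) are constructed for the demo, and the checks are a simplified heuristic rather than Suricata's full validation.

```python
import re

# Packet-level keywords Suricata refuses to combine with app-layer (http_*) matching.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}
# Keywords matching relative to the previous content; rejected "around" a fast_pattern:only content.
RELATIVE_KEYWORDS = {"distance", "within"}

def parse_options(rule):
    """Ordered (keyword, value) pairs from the rule's option block; ';' inside quotes is kept."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    parts = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body)  # escaped quotes not handled
    opts = []
    for part in (p.strip() for p in parts if p.strip()):
        key, _, val = part.partition(":")
        opts.append((key.strip(), val.strip()))
    return opts
def is_relative_pcre(val):
    """pcre:"/.../R" matches relative to the previous content."""
    return "R" in val.rstrip('"').rsplit("/", 1)[-1]
def lint_rule(rule):
    """Heuristic pre-check mirroring the two SC_ERR_INVALID_SIGNATURE messages in the thread."""
    opts = parse_options(rule)
    keys = {k for k, _ in opts}
    problems = []
    if PACKET_KEYWORDS & keys and any(k.startswith("http_") for k in keys):
        problems.append("packet keyword (dsize/flags/ttl) combined with app-layer http_* keyword")
    contents = []  # one flag per content keyword: does it carry fast_pattern:only?
    for key, val in opts:
        if key == "content":
            contents.append(False)
        elif key == "fast_pattern" and val == "only" and contents:
            contents[-1] = True
        elif key in RELATIVE_KEYWORDS or (key == "pcre" and is_relative_pcre(val)):
            if any(contents[-2:]):  # relative keywords tie the last content to the one before it
                problems.append(f"relative keyword '{key}' around a fast_pattern:only content")
    return problems
def lint_rules(text):
    """Map each rule's sid to its problems; blank and '#' comment lines are skipped."""
    report = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            report[dict(parse_options(line)).get("sid", "?")] = lint_rule(line)
    return report
# Sample input: the rule quoted in the thread (sid 25675) and two constructed rules
# (sid 9000001: fast_pattern:only followed by within; sid 9000002: clean, should load).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED fp-only then within"; flow:to_server,established; content:"GET "; fast_pattern:only; content:"/admin"; within:20; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED clean"; flow:to_server,established; content:"GET "; http_method; content:"/admin"; http_uri; sid:9000002; rev:1;)
'''
```

Running lint_rules over a downloaded community.rules gives a sid-keyed list of rules to drop or rewrite before loading; the authoritative check remains Suricata's own rule loading.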