[Oisf-users] IP Reputation Error

Phil Daws uxbod at splatnix.net
Fri Nov 3 16:08:16 UTC 2017


Resolved. Had a strange character in the file. 

----- On 3 Nov, 2017, at 15:09, Phil Daws <uxbod at splatnix.net> wrote: 

> Hello,

> Have upgraded to Suricata v4.0.1 and now the IP reputation is no longer working.
> The error when I check the configuration is:

> 3/11/2017 -- 14:38:01 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown
> iprep category "BadHosts"
> 3/11/2017 -- 14:38:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "alert ip any any -> any any (msg:"IPREP High Risk";
> iprep:src,BadHosts,>,99; sid:3790031; rev:1;)" from file
> /etc/suricata/rules/local.rules at line 2
> 3/11/2017 -- 14:38:01 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] -
> Loading signatures failed.

> and the rule that is in use:

> alert ip any any -> any any (msg:"IPREP High Risk"; iprep:src,BadHosts,>,99;
> sid:3790031; rev:1;)

> It believes that the category is not there but it is:

> cat /etc/suricata/iprep/categories.txt
> 1,BadHosts,Bad Host
> 2,GoodHosts,Known Good Host

> and is being referenced correctly in suricata.yaml:

> # IP Reputation
> reputation-categories-file: /etc/suricata/iprep/categories.txt
> default-reputation-path: /etc/suricata/iprep
> reputation-files:
> - reputation.list

> Any thoughts as to what the error is please?

> Thanks - Phil



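An added example, not part of the original posts: a Python check that reports where a file such as categories.txt, local.rules or reputation.list contains anything other than printable ASCII, tabs and plain newlines, and shows the category short names exactly as stored. The thread does not say which file or which character was at fault; the no-break space and DOS line ending in SAMPLE are constructed, and the function names are hypothetical.

```python
import sys
import unicodedata

def _text(data: bytes) -> str:
    # surrogateescape keeps invalid UTF-8 bytes visible instead of raising
    return data.decode("utf-8", errors="surrogateescape")

def find_strange_chars(data: bytes):
    """Return (line, column, description) for every character that is not
    printable ASCII, a tab, or a plain newline."""
    findings = []
    for lineno, line in enumerate(_text(data).split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t" or " " <= ch <= "~":
                continue
            code = ord(ch)
            if ch == "\r":
                desc = "U+000D CARRIAGE RETURN (DOS line ending)"
            elif 0xDC80 <= code <= 0xDCFF:
                desc = "invalid UTF-8 byte 0x%02X" % (code - 0xDC00)
            else:
                desc = "U+%04X %s" % (code, unicodedata.name(ch, "control character"))
            findings.append((lineno, col, desc))
    return findings

def category_names(data: bytes):
    """Short names from 'id,shortname,description' lines, exactly as stored."""
    return [l.split(",")[1] for l in _text(data).split("\n") if l.count(",") >= 2]

# Constructed sample: the categories from the post, with a no-break space
# after "BadHosts" and a DOS line ending on the first line.
SAMPLE = b"1,BadHosts\xc2\xa0,Bad Host\r\n2,GoodHosts,Known Good Host\n"

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    paths = sys.argv[1:]
    blobs = [(p, open(p, "rb").read()) for p in paths] or [("SAMPLE", SAMPLE)]
    for name, blob in blobs:
        for lineno, col, desc in find_strange_chars(blob):
            print("%s:%d:%d: %s" % (name, lineno, col, desc))
```

With the sample, the stored short name is "BadHosts" plus an invisible trailing character, so an exact comparison against the rule's "BadHosts" would not match even though the file looks correct in `cat`.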