[Oisf-users] IP Reputation Error
Phil Daws
uxbod at splatnix.net
Fri Nov 3 16:08:16 UTC 2017
Resolved. Had a strange character in the file.
----- On 3 Nov, 2017, at 15:09, Phil Daws <uxbod at splatnix.net> wrote:
> Hello,
> Have upgraded to Suricata v4.0.1 and now the IP reputation is no longer working.
> The error when I check the configuration is:
> 3/11/2017 -- 14:38:01 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown
> iprep category "BadHosts"
> 3/11/2017 -- 14:38:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "alert ip any any -> any any (msg:"IPREP High Risk";
> iprep:src,BadHosts,>,99; sid:3790031; rev:1;)" from file
> /etc/suricata/rules/local.rules at line 2
> 3/11/2017 -- 14:38:01 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] -
> Loading signatures failed.
> and the rule that is in use:
> alert ip any any -> any any (msg:"IPREP High Risk"; iprep:src,BadHosts,>,99;
> sid:3790031; rev:1;)
> It believes that the category is not there but it is:
> cat /etc/suricata/iprep/categories.txt
> 1,BadHosts,Bad Host
> 2,GoodHosts,Known Good Host
> and is being referenced correctly in suricata.yaml:
> # IP Reputation
> reputation-categories-file: /etc/suricata/iprep/categories.txt
> default-reputation-path: /etc/suricata/iprep
> reputation-files:
> - reputation.list
> Any thoughts as to what the error is please ?
> Thanks - Phil
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171103/21a16453/attachment-0002.html>
More information about the Oisf-users
mailing list