[Oisf-users] Re: Re: suricata do not support "xbits"

苏 哲 suzhe_ffgg at outlook.com
Mon Sep 10 11:53:17 UTC 2018


Hi Eric,

Thank you for your reply.


I read the whole Suricata document at the link you provided.

In chapter 4.9, it says the syntax is:

xbits:noalert;
xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair>;
xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair> \
    [,expire <seconds>];
xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair> \
    [,expire <seconds>];


but when I try the example (https://cipherdyne.org/fwsnort/xbits_metasploit_example.rules), I find that it pops up an error saying:

<Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] -"isset,Metasploit.ContentKeeper.recon" is not a valid setting for xbits.


I wonder whether anyone uses xbits? Didn't you meet the same error?


Thanks

Su
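As an added example (not code from this thread, from the Suricata documentation, or from the fwsnort rule file linked above), the following two-rule pair is written to follow the syntax quoted above from chapter 4.9, with "track" given on both the set and the isset side and "expire" on the set side, and with the bare "noalert;" form that the earlier reply in this thread reports as loading without error. The rule names, sids, ports, paths and content are constructed placeholders, and the 4.x-style "http_method" and "http_uri" content modifiers are used because the thread tests Suricata 4.0.5 and 4.1.0.

```suricata
# Added example rule pair (constructed, not from the thread or fwsnort).
# Stage 1: remember the source IP of a request to a placeholder recon path
# for 60 seconds, without raising an alert on its own.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE stage 1 recon path requested"; flow:established,to_server; content:"GET"; http_method; content:"/example-recon-path"; http_uri; xbits:set,example.recon,track ip_src,expire 60; noalert; sid:9000001; rev:1;)

# Stage 2: alert only when the same source IP, flagged by stage 1 within the
# last 60 seconds, sends a request to the placeholder follow-up path.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE stage 2 request from source flagged by stage 1"; flow:established,to_server; content:"POST"; http_method; content:"/example-stage2-path"; http_uri; xbits:isset,example.recon,track ip_src; sid:9000002; rev:1;)
```

A quick way to see whether the parser accepts a rule file before deploying it is to load it in test mode, for example "suricata -T -c suricata.yaml -S example-xbits.rules" (the -T configuration-test and -S exclusive-rule-file options are standard Suricata command-line options; the file names are placeholders): any "is not a valid setting for xbits" message appears at load time, so the exact rule line that the parser rejects can be compared against the quoted syntax keyword by keyword.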

________________________________
From: Eric Leblond <eric at regit.org>
Sent: 10 September 2018 0:30:53
To: 苏 哲; Peter Manev
Cc: Open Information Security Foundation
Subject: Re: [Oisf-users] Re: suricata do not support "xbits"

Hi,

On Mon, 2018-09-10 at 07:08 +0000, 苏 哲 wrote:
> is there anyone know how to use xbits?

Did you check :
https://suricata.readthedocs.io/en/suricata-4.0.5/rules/xbits.html

BR,

> From: 苏 哲
> Sent: 7 September 2018 6:01:23
> To: Peter Manev
> Cc: Open Information Security Foundation
> Subject: Re: [Oisf-users] suricata do not support "xbits"
>
> Thank you for the reply.
>
> Instead of "xbits:noalert", "noalert" works, no error.
> Now the error is <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] -
> "isset,Metasploit.ContentKeeper.recon" is not a valid setting for
> xbits
>
> Thanks
> Su
>
> From: Peter Manev <petermanev at gmail.com>
> Sent: 7 September 2018 0:34
> To: suzhe_ffgg at outlook.com
> Cc: Open Information Security Foundation
> Subject: Re: [Oisf-users] suricata do not support "xbits"
>
> On Fri, Sep 7, 2018 at 9:09 AM 苏 哲 <suzhe_ffgg at outlook.com> wrote:
> >
> > Hi,
> >
> > I tried Suricata 4.0.5 and 4.1.0 and tried "xbits" with this example; I
> receive the error:
> >
> >
> > "noalert" is not a valid setting for xbits.
> >
>
> instead of "xbits:noalert;"
> can you try just "noalert;" ?
>
> > "isset,is_attack_step1" is not a valid setting for xbits.
>
> That name - "is_attack_step1" is not present/set anywhere in the
> example, is that expected? (so it can naturally complain about it)
>
> >
> >
> > I googled xbits and those errors, but didn't find anyone talking
> about it.
> >
> >
> > Does anyone know what the reason is? And what should I do?
> >
> >
> > Thanks.
> >
> > Su
> >
> > _______________________________________________
> > Suricata IDS Users mailing list:
> oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
--
Eric Leblond <eric at regit.org>
