[Oisf-users] Re: Re: suricata do not support "xbits"

Davide Setti d.setti at certego.net
Mon Sep 10 12:08:56 UTC 2018


If you check the docs, the "track" keyword is not optional.
You should add it.

Also check the example signatures here:
https://suricata.readthedocs.io/en/latest/rules/xbits.html#creating-a-ssh-blacklist

Regards

2018-09-10 13:53 GMT+02:00 苏 哲 <suzhe_ffgg at outlook.com>:

> Hi Eric,
>
> Thank you for your reply.
>
>
> I read the whole document of suricata which is the link you provide.
>
> In chapter 4.9, it says the syntax is:
>
> xbits:noalert;
> xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair>;
> xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair> \
>     [,expire <seconds>];
> xbits:<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair> \
>     [,expire <seconds>];
>
>
> but as I try the example (https://cipherdyne.org/fwsnort/xbits_metasploit_example.rules),
> I find that it pops up an error saying:
>
> <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] -"isset,Metasploit.ContentKeeper.recon"
> is not a valid setting for xbits.
>
>
> I wonder whether anyone uses xbits? Did you not meet the same error?
>
>
> Thanks
>
> Su
> ------------------------------
> *From:* Eric Leblond <eric at regit.org>
> *Sent:* 10 September 2018 0:30:53
> *To:* 苏 哲; Peter Manev
> *Cc:* Open Information Security Foundation
> *Subject:* Re: [Oisf-users] Re: suricata do not support "xbits"
>
> Hi,
>
> On Mon, 2018-09-10 at 07:08 +0000, 苏 哲 wrote:
> > Does anyone know how to use xbits?
>
> Did you check :
> https://suricata.readthedocs.io/en/suricata-4.0.5/rules/xbits.html
>
> BR,
>
> > From: 苏 哲
> > Sent: 7 September 2018 6:01:23
> > To: Peter Manev
> > Cc: Open Information Security Foundation
> > Subject: Re: [Oisf-users] suricata do not support "xbits"
> >
> > Thank you for the reply.
> >
> > Instead of "xbits:noalert", "noalert" works, no error.
> > Now the error is: <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] -
> > "isset,Metasploit.ContentKeeper.recon" is not a valid setting for
> > xbits
> >
> > Thanks
> > Su
> >
> > From: Peter Manev <petermanev at gmail.com>
> > Sent: 7 September 2018 0:34
> > To: suzhe_ffgg at outlook.com
> > Cc: Open Information Security Foundation
> > Subject: Re: [Oisf-users] suricata do not support "xbits"
> >
> > On Fri, Sep 7, 2018 at 9:09 AM 苏 哲 <suzhe_ffgg at outlook.com> wrote:
> > >
> > > Hi,
> > >
> > > I tried Suricata 4.0.5 and 4.1.0 and tried "xbits" with this example; I
> > receive this error:
> > >
> > >
> > > "noalert" is not a valid setting for xbits.
> > >
> >
> > Instead of "xbits:noalert;",
> > can you try just "noalert;"?
> >
> > > "isset,is_attack_step1" is not a valid setting for xbits.
> >
> > That name, "is_attack_step1", is not present/set anywhere in the
> > example; is that expected? (So it can naturally complain about it.)
> >
> > >
> > >
> > > I googled xbits and those errors, but didn't find anyone talking
> > about it.
> > >
> > >
> > > Does anyone know what the reason is? And what should I do?
> > >
> > >
> > > Thanks.
> > >
> > > Su
> > >
> > > _______________________________________________
> > > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > >
> > > Conference: https://suricon.net
> > > Trainings: https://suricata-ids.org/training/
> >
> >
> >
> --
> Eric Leblond <eric at regit.org>
>
>
>



-- 
<http://www.certego.net/>
Davide Setti
R&D and Incident Response Team, Certego
<http://www.linkedin.com/company/certego>  <http://twitter.com/Certego_IRT>
<http://github.com/certego>  <http://www.youtube.com/CERTEGOsrl>
<http://plus.google.com/117641917176532015312>
Use of the information within this document constitutes acceptance for use
in an "as is" condition. There are no warranties with regard to this
information; Certego has verified the data as thoroughly as possible. Any
use of this information lies within the user's responsibility. In no event
shall Certego be liable for any consequences or damages, including direct,
indirect, incidental, consequential, loss of business profits or special
damages, arising out of or in connection with the use or spread of this
information.
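As an added illustration of the point in Davide's reply (this is new example code, not from the original post and not from the Suricata project), the script below checks xbits option values against the syntax quoted from the docs in the thread: `noalert`, or `<set|unset|isset|toggle>,<name>,track <ip_src|ip_dst|ip_pair>[,expire <seconds>]`. The function names, the two sample rules and the regular expression are assumptions made for this example; the regex approximates the documented grammar rather than Suricata's actual option parser, so treat it as a pre-commit lint and still validate the rule file with `suricata -T` before loading it.

```python
import re

# Grammar approximated from the xbits syntax quoted in the thread
# (Suricata rules docs, "xbits" chapter). This is an assumption made for
# the example, not Suricata's real parser: it requires the 'track' clause,
# which is exactly what the reporter's option was missing.
XBITS_RE = re.compile(
    r"^(?P<action>set|unset|isset|toggle)"
    r",(?P<name>[A-Za-z0-9_.\-]+)"
    r",track (?P<track>ip_src|ip_dst|ip_pair)"
    r"(?:,expire (?P<expire>[0-9]+))?$"
)


def parse_xbits(value):
    """Return the parsed fields of one xbits option value.

    Raises ValueError with wording modelled on the
    '... is not a valid setting for xbits.' message from the thread.
    """
    value = value.strip()
    if value == "noalert":
        # 'xbits:noalert;' is the first form in the documented syntax.
        return {"action": "noalert"}
    m = XBITS_RE.match(value)
    if not m:
        raise ValueError('"%s" is not a valid setting for xbits.' % value)
    fields = m.groupdict()
    if fields["expire"] is not None:
        fields["expire"] = int(fields["expire"])
    return fields


def check_rule(rule):
    """Check every xbits option in a rule.

    Returns a list of (option_value, error_or_None), one per xbits option.
    Splits on ';' naively, so a ';' inside a quoted msg would confuse it;
    fine for the constructed samples below.
    """
    results = []
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt.startswith("xbits:"):
            continue
        value = opt[len("xbits:"):]
        try:
            parse_xbits(value)
            results.append((value, None))
        except ValueError as err:
            results.append((value, str(err)))
    return results


# Constructed sample rules (hypothetical sid values). BROKEN reproduces the
# shape of the option that failed in the thread; FIXED adds the track clause.
BROKEN = ('alert tcp any any -> any any (msg:"recon step 2"; '
          'xbits:isset,Metasploit.ContentKeeper.recon; sid:1000001; rev:1;)')
FIXED = ('alert tcp any any -> any any (msg:"recon step 2"; '
         'xbits:isset,Metasploit.ContentKeeper.recon,track ip_src; '
         'sid:1000001; rev:1;)')

if __name__ == "__main__":
    for label, rule in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for value, error in check_rule(rule):
            print(label, value, "->", error or "ok")
```

Running the script reports the `BROKEN` rule's option as invalid and the `FIXED` one as accepted, which matches the fix Davide points at: the missing piece is `track <ip_src|ip_dst|ip_pair>`, not the `isset` action or the bit name.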