Error Parsing Signature


odoi...@payveris.com

Nov 15, 2013, 11:14:24 AM
to securit...@googlegroups.com
I am new to Suricata, so this may be OK, but here is what I did. I used Oinkmaster to pull the rules from Emerging Threats and all looks good. However, when I start Suricata, I see a bunch of these:

15/11/2013 -- 11:02:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101964; rev:9;)" from file /IDS/suricata/rules/emerging-rpc.rules at line 372
15/11/2013 -- 11:02:21 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102025; rev:10;)"
15/11/2013 -- 11:02:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102025; rev:10;)" from file /IDS/suricata/rules/emerging-rpc.rules at line 384

In the end I have this result:

15/11/2013 -- 11:02:21 - <Info> - 79 rule files processed. 14269 rules successfully loaded, 4472 rules failed


A lot are for duplicates, but this seems like a high number of failures.

Thanks for any input,

Olivier
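The startup log quoted above can be triaged mechanically instead of eyeballed. The following is an added example, not code from this thread, from Security Onion, Suricata, Oinkmaster or PulledPork; it assumes the console log format shown in the post (`<Error> - [ERRCODE: NAME(num)] - ...` lines plus the final `N rules successfully loaded, M rules failed` summary) and runs on a constructed, shortened copy of the lines Olivier pasted. It counts failures per error code, maps each parse failure back to the rule file, line and sid it came from, and computes the failure ratio from the summary line, so a "high number of failures" becomes a list of files to inspect.

```python
"""Triage Suricata startup errors of the kind quoted in the post above.

Added example, not from the original thread or from the Suricata project.
"""
import re
from collections import Counter, defaultdict

# Regexes matching the log lines seen in the post (Suricata console output).
ERROR_RE = re.compile(
    r"<Error> - \[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<detail>.*)$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
LOCATION_RE = re.compile(r"from file (?P<file>\S+) at line (?P<line>\d+)")
SUMMARY_RE = re.compile(
    r"(?P<files>\d+) rule files processed\. "
    r"(?P<loaded>\d+) rules successfully loaded, (?P<failed>\d+) rules failed"
)


def parse_suricata_log(text):
    """Return (errors, summary).

    errors:  one dict per <Error> line with code, sid, file and line
             (file/line are None for errors that do not name a rule file,
             e.g. SC_ERR_DUPLICATE_SIG).
    summary: dict with files/loaded/failed counts from the Info line, or None.
    """
    errors = []
    summary = None
    for raw in text.splitlines():
        m = ERROR_RE.search(raw)
        if m:
            detail = m.group("detail")
            sid = SID_RE.search(detail)
            loc = LOCATION_RE.search(detail)
            errors.append({
                "code": m.group("code"),
                "sid": int(sid.group(1)) if sid else None,
                "file": loc.group("file") if loc else None,
                "line": int(loc.group("line")) if loc else None,
            })
            continue
        m = SUMMARY_RE.search(raw)
        if m:
            summary = {k: int(v) for k, v in m.groupdict().items()}
    return errors, summary


def failures_by_code(errors):
    """Count error lines per ERRCODE name, e.g. SC_ERR_INVALID_SIGNATURE."""
    return Counter(e["code"] for e in errors)


def failures_by_file(errors):
    """Map rule file -> sorted list of (line, sid) for errors that name a file."""
    by_file = defaultdict(list)
    for e in errors:
        if e["file"] is not None:
            by_file[e["file"]].append((e["line"], e["sid"]))
    return {path: sorted(hits) for path, hits in by_file.items()}


def failure_ratio(summary):
    """Fraction of rules that failed to load, from the summary line."""
    total = summary["loaded"] + summary["failed"]
    return summary["failed"] / total if total else 0.0


# Constructed sample: the error lines and the summary line quoted in the post,
# with the long rule bodies shortened to the fields the parser needs.
SAMPLE_LOG = r'''15/11/2013 -- 11:02:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; sid:2101964; rev:9;)" from file /IDS/suricata/rules/emerging-rpc.rules at line 372
15/11/2013 -- 11:02:21 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; sid:2102025; rev:10;)"
15/11/2013 -- 11:02:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; sid:2102025; rev:10;)" from file /IDS/suricata/rules/emerging-rpc.rules at line 384
15/11/2013 -- 11:02:21 - <Info> - 79 rule files processed. 14269 rules successfully loaded, 4472 rules failed
'''

if __name__ == "__main__":
    errors, summary = parse_suricata_log(SAMPLE_LOG)
    for code, n in failures_by_code(errors).most_common():
        print(f"{n:6d}  {code}")
    for path, hits in failures_by_file(errors).items():
        print(path)
        for line, sid in hits:
            print(f"    line {line}: sid {sid}")
    if summary:
        total = summary["loaded"] + summary["failed"]
        print(f"failed {summary['failed']} of {total} ({failure_ratio(summary):.1%})")
```

On a real run, feed it the full console output (for example `suricata -c suricata.yaml -r some.pcap 2>&1` redirected to a file) and look at the per-file counts: a duplicate-signature error is reported once per sid and carries no file location, whereas the accompanying parse error does, so the file list tells you which rule sets overlap.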

Doug Burks

Nov 15, 2013, 11:21:40 AM
to securit...@googlegroups.com
Hi Olivier,

Why are you using oinkmaster? We use pulledpork and it's already
configured for Emerging Threats.

For more information, please see:
https://code.google.com/p/security-onion/wiki/ManagingAlerts



--
Doug Burks
http://securityonion.net

odoi...@payveris.com

Nov 15, 2013, 12:12:47 PM
to securit...@googlegroups.com
Well, looks like pulledpork did work a lot better.

Thanks.

Olivier
