Alert invalid number of options, command not found

Viesturs · December 24, 2023, 12:11pm

Suricata 7.0.2
Ubuntu 22.04
Installed from PPA

When running

alert ip any any -> any any \(msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;\)

there is the following problem:

Invalid number of options.
content:uid=0|28|root|29|: command not found
classtype:bad-unknown: command not found
sid:2100498: command not found
rev:7: command not found
metadata:created_at: command not found
): command not found

How to fix?

bmurphy · December 24, 2023, 7:23pm

I think the \ before in \(msg:" and \) at the end are probably messing this up.

Can you try removing those and seeing what happens? If that works, then the issue is how/why are those getting in the rule. What ruleset manager are you using?

Viesturs · December 24, 2023, 8:34pm

With the \ removed there is a different problem:

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
bash: syntax error near unexpected token `('

Andreas_Herz · December 24, 2023, 9:26pm

You need to have this in a rule file and not write the command in the bash shell

Topic		Replies	Views
Suricata dos rule help Help rules , suricata	4	493	August 3, 2023
Suricata HTTP rules not working Rules	4	578	February 17, 2023
Suricata does not create alerts following attack tests Help suricata	4	883	November 9, 2022
Suricata ruleset help Help	7	584	July 14, 2023
Testing ping alert rule Rules suricata	5	3252	July 27, 2022

Alert invalid number of options, command not found

Related Topics