Error Code issues


I am using suricata-6.0.3; when I start Suricata I always get the errors below. The suricata.log (90.2 KB) is attached.

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can’t use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content.

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 2836763 mixes keywords with conflicting directions

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - “http_header” keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.

[ERRCODE: SC_ERR_OFFSET_MISSING_CONTENT(107)] - distance needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent or file_data/dce_stub_data sticky buffer option

[ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword ‘http_raw_cookie’.

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_method pattern with trailing space

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can’t use multiple distances for the same content.

[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.GenericPhish_Adobe’ is checked but not set.

[ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2013479: SYN-only to port(s) 3389:3389 w/o direction

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to find the sm in any of the sm lists

Those are errors/warnings related to signatures, so you might want to look into those. How did you add which rules? Only ETPro Ruleset or also others?

I also checked your logfile; for example, the signature 2809381 looks like it's not the Suricata rule but rather the Snort rule, maybe? I checked it against the official ETPro ruleset and it's alert http, not alert tcp.

Also check "2027818": that's the Snort rule, not the Suricata rule.

Thank you, the rules are ET Pro + ruleset from 3rd party.
Maybe a stupid question, but how should I tell which is a Snort rule and which is a Suricata rule? Thank you!

You can compare the ET Open ruleset, but I would talk to the vendor where you bought the ET Pro subscription to provide you with the Suricata ruleset. ET Pro itself offers dedicated ruleset for snort and suricata.
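As an added illustration (not part of this thread and not a Suricata or Emerging Threats tool), the script below runs a few lightweight pre-checks over a rules file that correspond to the errors quoted above: the Snort-only `http_raw_cookie` keyword, packet keywords (dsize/flags/ttl) mixed with http_* keywords, within/distance combined with depth/offset on the same content, and an http_method pattern with a trailing space. It also flags `alert tcp` rules carrying http_* keywords, which is a heuristic based on the reply above (the ET Suricata variants use `alert http`), not a Suricata parse error by itself. The sample rules and their sids are constructed placeholders. The authoritative check remains `suricata -T -c suricata.yaml`; this script only helps triage which rules came from the wrong ruleset.

```python
import re

# Constructed sample rules for the demo (not from the thread); sids are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER snort-style cookie"; flow:established,to_server; content:"session="; http_raw_cookie; sid:1000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER fine"; flow:established,to_server; content:"X-Test"; http_header; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER dsize with http"; dsize:>100; content:"/cgi/"; http_uri; sid:1000003; rev:1;)
alert http any any -> any any (msg:"PLACEHOLDER depth and distance"; content:"abc"; depth:10; distance:2; sid:1000004; rev:1;)
alert http any any -> any any (msg:"PLACEHOLDER trailing space"; content:"GET "; http_method; sid:1000005; rev:1;)
# alert http any any -> any any (msg:"PLACEHOLDER commented out"; content:"abc"; http_raw_cookie; sid:1000006; rev:1;)
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$")

PACKET_KEYWORDS = {"dsize", "flags", "ttl"}   # packet-level matches named in the Suricata error text
SNORT_ONLY = {"http_raw_cookie"}               # rejected by Suricata 6 as an unknown keyword (see thread)
RELATIVE, ABSOLUTE = {"within", "distance"}, {"depth", "offset"}


def split_options(body):
    """Split the option body on ';' while respecting quoted content and backslash escapes."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch); escape = False; continue
        if ch == "\\":
            cur.append(ch); escape = True; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        opts.append(tok)
    out = []
    for o in opts:
        key, _, val = o.partition(":")
        out.append((key.strip(), val.strip() if val else None))
    return out


def is_http_keyword(key):
    # Covers both the legacy http_* modifiers and the http.* sticky buffers.
    return key.startswith("http_") or key.startswith("http.")


def lint_rule(line):
    """Return a list of (sid, message) findings for one rule line."""
    m = HEADER_RE.match(line)
    if not m:
        return [("?", "could not parse rule header")]
    proto, opts = m.group(2), split_options(m.group(3))
    keys = [k for k, _ in opts]
    sid = next((v for k, v in opts if k == "sid"), "?")
    findings = []
    has_http = any(is_http_keyword(k) for k in keys)
    if proto == "tcp" and has_http:   # heuristic: ET's Suricata rules use 'alert http' here
        findings.append((sid, "alert tcp with http_* keywords; ET's Suricata rules use alert http"))
    for k in keys:
        if k in SNORT_ONLY:
            findings.append((sid, f"unknown keyword in Suricata 6: {k}"))
    if has_http and PACKET_KEYWORDS & set(keys):
        findings.append((sid, "packet keyword (dsize/flags/ttl) mixed with http_* keyword"))
    # Walk the modifiers that follow each content; flag relative+absolute mixes and trailing-space http_method.
    mods, last_content = set(), None
    for k, v in opts + [("content", None)]:   # sentinel flushes the last content's modifiers
        if k == "content":
            if RELATIVE & mods and ABSOLUTE & mods:
                findings.append((sid, "within/distance combined with depth/offset on one content"))
            mods, last_content = set(), v
            continue
        mods.add(k)
        if k == "http_method" and last_content and last_content.strip('"').endswith(" "):
            findings.append((sid, "http_method pattern with trailing space"))
    return findings


def lint_rules(text):
    """Lint every active (non-comment) rule line; returns a flat list of (sid, message)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings.extend(lint_rule(line))
    return findings


if __name__ == "__main__":
    for sid, msg in lint_rules(SAMPLE_RULES):
        print(f"sid {sid}: {msg}")
```

Run it against the sample text and only the four problematic rules are reported; the commented-out rule is skipped, so it also shows which rules are currently disabled. Point `lint_rules` at the contents of a real `.rules` file to get a first list of sids to compare against the ET Open Suricata ruleset.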

Good to know, thank you.
And one more question: I noticed that a lot of rules from ETPRO have been commented out. Is it OK to uncomment them?

Before uncommenting the rules, consider whether the rule has value given your deployment scenarios.

Since you’re using ETPro rules, consider engaging with Proofpoint for advice on individual rules.