I am using Security Onion 2.3, in which I am using Suricata as the IDS. There are some errors in my all.rules file. Below is the screenshot of the errors I am facing; can anyone help me debug this error?
465 rules are failing
Hello! Welcome to our community!
It seems to me that the rule language is flawed. Please choose one rule and let us know.
It would be difficult to debug 465 rules at once so please disable them and try one at a time. If you did not write these rules, it would be nice to reach out to the actual rule writer and ask them for assistance.
I am running Suricata 6.0.5. Just for example, I have taken one rule from the error logs.
Rule:
“alert tcp $EXTE RNAL_NET any → $HOME_NET $HTTP_PORTS (msg:“SERVER-WEBAPP Multiple products DVR admin password leak attempt”; flow:to_server,established; content:”/device.rsp"; fast_pattern:only; http_uri; content:“uid=”; http_raw_cookie; content:" cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop , service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)"
The above rule was working fine, but two days back it, along with 464 other rules, failed.
The above rule is giving this error: 31/3/2023 – 04:08:36 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature.
Is there any way to know which rule belongs to ETPro and which to ETOpen?
Not sure what happened, but when I tried your rule there were a bunch of issues:
- "→"
- "$EXTE RNAL" (there should be no space)
- "http_raw_cookie": there is no keyword like that in Suricata. Ref: 6.12. HTTP Keywords — Suricata 6.0.5 documentation
Are you sure that it's a Suricata rule?
I don’t think this rule is ET at all. Ref: https://doc.emergingthreats.net/bin/view/Main/SidAllocation
Let us know if it doesn’t help determine the issue.
Sure, I will explore more on this. The error was in Security Onion's Suricata; I got to know that it uses a different ruleset.
http_raw_cookie seems to be Snort-specific: http_cookie and http_raw_cookie - Snort 3 Rule Writing Guide
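To find the same three classes of defect across a whole all.rules file before re-running Suricata, here is an added example (my own code, not from the thread, Security Onion or the Suricata project) that lints each rule line for the "→" arrow, a `$VAR` name torn by whitespace, smart quotes, and Snort-only keywords. Only `http_raw_cookie` comes from the thread; `http_encode` and `pkt_data` are assumed Snort-only, the split-variable regex is a heuristic, and the sample rules are constructed.

```python
import re

# Keywords that exist in Snort but not Suricata 6. http_raw_cookie was identified in
# the thread; http_encode and pkt_data are assumed Snort-only from the two rule guides.
SNORT_ONLY_KEYWORDS = ("http_raw_cookie", "http_encode", "pkt_data")

# Suricata rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?:alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\(.*\)\s*$",
    re.DOTALL,
)
# Heuristic: a $VAR split by whitespace, e.g. "$EXTE RNAL_NET".
SPLIT_VAR_RE = re.compile(r"\$[A-Z0-9_]+\s+[A-Z0-9_]*_(?:NET|PORTS)\b")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

def lint_rule(rule: str) -> list[str]:
    """Return reasons Suricata would likely reject this rule (empty list = looks fine)."""
    issues = []
    if "\u2192" in rule:  # "→" pasted where "->" belongs
        issues.append("direction arrow is U+2192, expected '->'")
    if any(ch in rule for ch in "\u201c\u201d\u2018\u2019"):
        issues.append("smart quotes present, expected ASCII quotes")
    m = SPLIT_VAR_RE.search(rule)
    if m:
        issues.append(f"variable name contains whitespace: {m.group(0)!r}")
    for kw in SNORT_ONLY_KEYWORDS:
        if re.search(rf"\b{kw}\s*;", rule):
            issues.append(f"Snort-only keyword: {kw}")
    if not HEADER_RE.match(rule.strip()):
        issues.append("header does not parse as 'action proto src sport -> dst dport (...)'")
    return issues

def lint_rules(text: str) -> dict[str, list[str]]:
    """Map every failing, non-comment rule (keyed by sid, else line number) to its issues."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        issues = lint_rule(line)
        if issues:
            sid = SID_RE.search(line)
            report[sid.group(1) if sid else f"line{lineno}"] = issues
    return report

# Constructed samples: the thread's rule as pasted (defects kept, metadata dropped) and a
# corrected variant; http_cookie is assumed to be the Suricata equivalent for this check.
BROKEN = ('alert tcp $EXTE RNAL_NET any \u2192 $HOME_NET $HTTP_PORTS (msg:\u201cSERVER-WEBAPP DVR '
          'admin password leak attempt\u201d; flow:to_server,established; content:"/device.rsp"; '
          'fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:" cmd=list"; '
          'http_client_body; classtype:web-application-attack; sid:55839; rev:1;)')
FIXED = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DVR '
         'admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; '
         'fast_pattern:only; http_uri; content:"uid="; http_cookie; content:" cmd=list"; '
         'http_client_body; classtype:web-application-attack; sid:55839; rev:1;)')
SAMPLE_RULES = "# constructed all.rules excerpt\n" + BROKEN + "\n" + FIXED + "\n"
```

The linter only narrows the search; `suricata -T -c suricata.yaml -S all.rules` remains the authoritative check of which rules actually load.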
Yes, I got to know about that.