Errors in suricata rules

I am using security onion 2.3 In which I am using Suricata as IDS, there are some errors in my all.rules file. Below is the screenshot of the errors I am facing, can anyone help me debug this error.

465 rules are failing

Hello! Welcome to our community! :slight_smile:
It seems to me that the rule language is flawed. Please choose one rule and let us know

  • what did you expect
  • source of the rule
  • what is unclear in the error message

It would be difficult to debug 465 rules at once so please disable them and try one at a time. If you did not write these rules, it would be nice to reach out to the actual rule writer and ask them for assistance.

I am running suricata 6.0.5. Just for example I have taken one rule from error logs.

Rule:
“alert tcp $EXTE RNAL_NET any → $HOME_NET $HTTP_PORTS (msg:“SERVER-WEBAPP Multiple products DVR admin password leak attempt”; flow:to_server,established; content:”/device.rsp"; fast_pattern:only; http_uri; content:“uid=”; http_raw_cookie; content:" cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop , service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)"

The above rule was working fine but two days back, it including 464 rules were failed.

The above rule is giving this error - 31/3/2023 – 04:08:36 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature.

Is there any way to know which rule belongs to ETPro and ETOpen.

Not sure what happened but when I tried your rule, there are a bunch of issues:

  1. unicode characters in rule language like
  2. broken variables $EXTE RNAL (there should be no space)
  3. http_raw_cookie, there is no keyword like that in Suricata. ref: 6.12. HTTP Keywords — Suricata 6.0.5 documentation

Are you sure that it’s a Suricata rule?

I don’t think this rule is ET at all. Ref: SidAllocation < Main < EmergingThreats

Let us know if it doesn’t help determine the issue.

1 Like

Sure I will explore more on this. The error was in securityonion’s suricata, I got to know that it uses different ruleset.

http_raw_cookie seems to be Snort-specific: http_cookie and http_raw_cookie - Snort 3 Rule Writing Guide

1 Like

Yes I got to know about that