Help modifying a signature from 4.18 to 5.03

stu · June 25, 2020, 8:25pm

Started getting this error once i switched from 4.18 to 5.03.

25/6/2020 – 15:07:51 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 900000 mixes keywords with conflicting directions

I found where the error message (suricata/src/detect-parse.c at 79681bf655bc8039c246ec8a647eb1859666fac9 · OISF/suricata · GitHub) is coming from and it seems like it has to do with my flow option, but I’m not totally sure why it’s throwing the error now.

Rule:

alert http $EXTERNAL_NET $HTTP_PORTS → $HOME_NET any (msg:“Suspicious Pastebin ‘raw’ Paste Javascript Response”; flow:established, from_server; content:“pastebin.com”; http_host; content:“document.write”; http_server_body; tag:session,5,packets; sid:900000; rev:1;)

syoc · June 26, 2020, 6:48am

I believe these keywords are causing an issue:

http_host; – http request keyword
http_server_body; – http response keyword

combined with

flow:established,from_server; – this keyword says you only want to look at traffic from the server to the client.

Your rule contains a keyword only used on traffic from the client to the server and can therefore never trigger.

stu · June 26, 2020, 1:58pm

Thanks! For some reason, I thought that worked on both directions.

Topic		Replies	Views
Questions about suricata rules directions Help rules	8	1255	January 10, 2022
Error Code issues Help rules	5	2931	September 5, 2021
Problem to create a simple signature Rules	2	720	April 13, 2022
Duplicate signature and error parsing signature errors Help rules	3	282	July 29, 2024
SC_ERR_INVALID_SIGNATURE with Lua Detection Help	2	2342	June 10, 2020

Help modifying a signature from 4.18 to 5.03

Related topics