haoranli
Hello Suricata team.
I am trying to use the ldap keyword in my ruleset, so I copied this rule from the Suricata documentation:
alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)
But I get an error when I run Suricata with this rule:
Error: detect-parse: unknown rule keyword 'ldap.request.operation'. [SigParseOptions:detect-parse.c:898]
Error: detect: error parsing signature "alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1047 [DetectLoadSigFile:detect-engine-loader.c:182]
Error: suricata: Loading signatures failed. [LoadSignatures:suricata.c:2409]
Here is my Suricata version:
This is Suricata version 8.0.0-dev (11bf3e16e 2024-11-07)
Hello there,
Could you please share the whole command you’ve used to run Suricata, and more of the output, not just the error?
I just tried using that same rule with one of the LDAP pcaps we have in our Suricata-Verify testing suite, and that worked.
Thanks in advance.
haoranli
Thanks for your reply. The command is very simple:
sudo suricata -T
and the full suricata.log content:
[383309 - Suricata-Main] 2025-02-27 09:32:07 Notice: suricata: This is Suricata version 8.0.0-dev (11bf3e16e 2024-11-07) running in SYSTEM mode
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: cpu: CPUs/cores online: 18
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: suricata: Running suricata under test mode
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: suricata: Setting engine mode to IDS mode by default
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: exception-policy: master exception-policy set to: auto
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: eve-log output device (regular) initialized: alert.json
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: eve-log output device (regular) initialized: flow.json
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: eve-log output device (regular) initialized: eve.json
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: logopenfile: stats output device (regular) initialized: stats.log
[383309 - Suricata-Main] 2025-02-27 09:32:07 Error: detect-parse: unknown rule keyword 'ldap.request.operation'.
[383309 - Suricata-Main] 2025-02-27 09:32:07 Error: detect: error parsing signature "alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1047
[383309 - Suricata-Main] 2025-02-27 09:32:07 Info: detect: 9 rule files processed. 1553 rules successfully loaded, 1 rules failed, 0 rules skipped
[383309 - Suricata-Main] 2025-02-27 09:32:07 Error: suricata: Loading signatures failed.
haoranli
Sorry, I’m foolish. I just pulled the latest Suricata code and ran it again. It works!
No foolishness! I see that I should also have noticed that the date of that 8.0.0-dev build was prior to the merging of that keyword.
I’m glad you got it sorted out.
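A pre-flight check for the failure seen in this thread, added here as an example; it is not part of the original posts and not Suricata's own code. It parses the option section of each rule, collects the keyword names, and compares them against the keyword list of the build you are about to run. The two keyword lists below are constructed samples standing in for `suricata --list-keywords` output from a build before and after the ldap keywords were merged; the exact layout of that output is an assumption, and the parser only relies on the lines of the form `- keyword`.

```python
# Added example: check a Suricata ruleset's keywords against a build's keyword list
# before `suricata -T` rejects a rule with "unknown rule keyword".

# Constructed sample in the assumed layout of `suricata --list-keywords`:
# an older build that predates the ldap keywords...
OLD_BUILD_KEYWORDS = """\
=====Supported keywords=====
- sid
- rev
- msg
- content
- nocase
- flow
"""

# ...and a newer build in which ldap.request.operation has been merged.
NEW_BUILD_KEYWORDS = OLD_BUILD_KEYWORDS + "- ldap.request.operation\n"

# Constructed rules: line 2 is the rule from the thread, line 3 exercises
# a quoted msg containing an escaped semicolon and a flag-style keyword.
SAMPLE_RULES = """\
# constructed rules for the keyword check
alert ldap any any -> any any (msg:"Test LDAP bind request"; ldap.request.operation:0; sid:1;)
alert tcp any any -> any 389 (msg:"bind\\; request"; content:"bind"; nocase; sid:2;)
"""


def parse_keyword_list(text):
    """Collect keyword names from lines of the form '- keyword' (assumed format)."""
    keywords = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("- "):
            keywords.add(line[2:].strip())
    return keywords


def split_rule_options(rule):
    """Return the keyword names used in a rule's option section, in order.

    The option section is the text between the first '(' and the last ')'.
    Options are separated by ';' outside double quotes; inside quotes a
    backslash escapes the next character, so '\\;' and '\\"' do not terminate.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option section: %r" % rule)
    body = rule[start + 1:end]
    options, cur = [], []
    in_quote = escape = False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                options.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        options.append(tail)
    # 'keyword:value' -> keyword; flag keywords such as 'nocase' have no ':'.
    return [opt.split(":", 1)[0].strip() for opt in options]


def unknown_keywords(rules_text, supported):
    """Return (line_number, keyword) pairs for keywords the build does not know.

    Blank lines and lines starting with '#' (comments or disabled rules) are skipped.
    """
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for kw in split_rule_options(line):
            if kw not in supported:
                problems.append((lineno, kw))
    return problems


def run_check():
    """Run the sample rules against both sample builds."""
    old = unknown_keywords(SAMPLE_RULES, parse_keyword_list(OLD_BUILD_KEYWORDS))
    new = unknown_keywords(SAMPLE_RULES, parse_keyword_list(NEW_BUILD_KEYWORDS))
    return old, new


if __name__ == "__main__":
    old, new = run_check()
    for lineno, kw in old:
        print("old build: line %d uses unknown keyword %r" % (lineno, kw))
    print("new build: %d unknown keywords" % len(new))
```

In practice, feed the output of `suricata --list-keywords` from the binary you are about to run into `parse_keyword_list` and run the check over your rule file before `suricata -T`; a keyword flagged here is the one the engine would refuse with "unknown rule keyword", and the fix is to upgrade the build or drop the rule rather than to edit the keyword.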