Bug #1549

closed

flow keywords rule parsing

Added by Peter Manev over 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
low
Difficulty:
low
Label:

Description

Using Suricata dev 2.1dev (rev a4bce14).
If there is the following, purposefully wrong, signature:

alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Wrong Msg"; flow: to_server,establishedWrongHere; sid:11111111; rev:1;)

We get the following error:

[10603] 14/9/2015 -- 21:26:54 - (detect.c:412) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/remove_me.rules
[10603] 14/9/2015 -- 21:26:54 - (detect-flow.c:189) <Error> (DetectFlowParse) -- [ERRCODE: SC_ERR_PCRE_GET_SUBSTRING(4)] - pcre_copy_substring failed
[10603] 14/9/2015 -- 21:26:54 - (detect.c:366) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Wrong Msg"; flow: to_server,establishedWrongHere; sid:11111111; rev:1;)" from file /etc/suricata/rules/remove_me.rules at line 21
[10603] 14/9/2015 -- 21:26:54 - (detect.c:422) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/remove_me.rules
[10603] 14/9/2015 -- 21:26:54 - (detect.c:513) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[10603] 14/9/2015 -- 21:26:54 - (detect.c:2976) <Info> (SigAddressPrepareStage1) -- 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only

There is a valid error, but the error message is not correct (pcre_copy_substring failed), as there is no pcre inside the rule.
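As an added example (not Suricata's own code, and not the change that closed this issue), here is a small strict parser for the flow keyword's option list that reports the offending token by name, which is the kind of message the report is asking for in place of "pcre_copy_substring failed". The option names are the ones Suricata documents for flow; the flag values, the conflict table, the 3-field split by hand instead of a regex, and the rule_flow_options helper (a naive strstr lookup that does not honour quoting) are this example's own assumptions. The rule text embedded in main() is the signature from this report.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Flag bits for the flow keyword's options. The names follow Suricata's
 * documented option names; the bit values are this example's own. */
enum {
    FLOW_TO_SERVER       = 1u << 0,
    FLOW_TO_CLIENT       = 1u << 1,
    FLOW_ESTABLISHED     = 1u << 2,
    FLOW_NOT_ESTABLISHED = 1u << 3,
    FLOW_STATELESS       = 1u << 4,
    FLOW_ONLY_STREAM     = 1u << 5,
    FLOW_NO_STREAM       = 1u << 6,
    FLOW_ONLY_FRAG       = 1u << 7,
    FLOW_NO_FRAG         = 1u << 8,
};

static const struct { const char *name; unsigned flag; } flow_opts[] = {
    { "to_server",       FLOW_TO_SERVER },
    { "from_client",     FLOW_TO_SERVER },
    { "to_client",       FLOW_TO_CLIENT },
    { "from_server",     FLOW_TO_CLIENT },
    { "established",     FLOW_ESTABLISHED },
    { "not_established", FLOW_NOT_ESTABLISHED },
    { "stateless",       FLOW_STATELESS },
    { "only_stream",     FLOW_ONLY_STREAM },
    { "no_stream",       FLOW_NO_STREAM },
    { "only_frag",       FLOW_ONLY_FRAG },
    { "no_frag",         FLOW_NO_FRAG },
};

/* Option pairs that make no sense together (example's own conflict table). */
static const unsigned flow_conflicts[][2] = {
    { FLOW_TO_SERVER,       FLOW_TO_CLIENT },
    { FLOW_ESTABLISHED,     FLOW_NOT_ESTABLISHED },
    { FLOW_ESTABLISHED,     FLOW_STATELESS },
    { FLOW_NOT_ESTABLISHED, FLOW_STATELESS },
    { FLOW_ONLY_STREAM,     FLOW_NO_STREAM },
    { FLOW_ONLY_FRAG,       FLOW_NO_FRAG },
};

/* Parse "opt1, opt2, opt3" into a flag set. Returns 0 and fills *flags on
 * success; returns -1 and writes a reason that names the bad token into err
 * on failure. Splits by hand so every error can point at a concrete token. */
int flow_parse(const char *optstr, unsigned *flags, char *err, size_t errlen)
{
    unsigned seen = 0;
    const char *p = optstr;
    char tok[64];

    for (;;) {
        while (isspace((unsigned char)*p)) p++;          /* leading blanks */
        const char *start = p;
        while (*p && *p != ',' && !isspace((unsigned char)*p)) p++;
        size_t len = (size_t)(p - start);
        while (isspace((unsigned char)*p)) p++;          /* trailing blanks */

        if (*p != '\0' && *p != ',') {
            snprintf(err, errlen, "unexpected character '%c' in flow options", *p);
            return -1;
        }
        if (len == 0) {
            snprintf(err, errlen, "empty flow option");
            return -1;
        }
        if (len >= sizeof(tok)) {
            snprintf(err, errlen, "flow option too long");
            return -1;
        }
        memcpy(tok, start, len);
        tok[len] = '\0';

        unsigned flag = 0;
        for (size_t i = 0; i < sizeof(flow_opts) / sizeof(flow_opts[0]); i++) {
            if (strcmp(tok, flow_opts[i].name) == 0) { flag = flow_opts[i].flag; break; }
        }
        if (flag == 0) {
            snprintf(err, errlen, "unknown flow option \"%s\"", tok);
            return -1;
        }
        if (seen & flag) {
            snprintf(err, errlen, "flow option \"%s\" given twice", tok);
            return -1;
        }
        seen |= flag;

        if (*p == ',') { p++; continue; }                /* next option */
        break;
    }

    for (size_t i = 0; i < sizeof(flow_conflicts) / sizeof(flow_conflicts[0]); i++) {
        if ((seen & flow_conflicts[i][0]) && (seen & flow_conflicts[i][1])) {
            snprintf(err, errlen, "conflicting flow options");
            return -1;
        }
    }
    *flags = seen;
    return 0;
}

/* Copy the text between "flow:" and the next ';' out of a full rule line.
 * Demo-grade helper: plain strstr, no handling of quoted strings. */
int rule_flow_options(const char *rule, char *out, size_t outlen)
{
    const char *kw = strstr(rule, "flow:");
    if (!kw) return -1;
    kw += strlen("flow:");
    const char *end = strchr(kw, ';');
    if (!end) return -1;
    size_t len = (size_t)(end - kw);
    if (len >= outlen) return -1;
    memcpy(out, kw, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* The purposely wrong signature from this report, embedded as a constant. */
    const char *rule = "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
        "(msg:\"Wrong Msg\"; flow: to_server,establishedWrongHere; sid:11111111; rev:1;)";
    char opts[128], err[128];
    unsigned flags;

    if (rule_flow_options(rule, opts, sizeof(opts)) != 0) {
        puts("rule has no flow keyword");
        return 1;
    }
    if (flow_parse(opts, &flags, err, sizeof(err)) != 0)
        printf("error parsing flow keyword: %s\n", err);
    else
        printf("flow flags: 0x%x\n", flags);
    return 0;
}
```

Run against the rule above, the error line reads `unknown flow option "establishedWrongHere"`, so the rule author sees which token broke the keyword. The same function also rejects a trailing comma, an option given twice, and contradictory pairs such as to_server with to_client, each with its own reason.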
