Bug #263
closedNo line number information on certain errors loading signatures
Description
As you can see the sid 2012100 is not loaded, and at the log there's no line information:
"from file /opt/ruledump/suricata/open/all.rules at line\n"
The error of the sig I guess it's related to the first content, that's followed by distance without having a previous content.
[12261] 23/12/2010 -- 13:20:12 - (detect-parse.c:1289) <Error> (SigValidate) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(102)] - within needs two preceeding content or uricontent options
[12261] 23/12/2010 -- 13:20:12 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS > $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; distance:0; content:"strDup|28|"; distance:0; content:"<object|20|" ; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; classtype:attempted-user; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; sid:2012100; rev:3;)" from file /opt/ruledump/suricata/open/all.rules at line 13:20:12 - (detect.c:653) <Info> (SigLoadSignatures) -- 1 rule files processed. 11640 rules succesfully loaded, 3 rules failed
[12261] 23/12/2010 -
Files
Updated by Victor Julien about 14 years ago
- Due date set to 01/07/2011
- Assignee set to Anoop Saldanha
- Target version set to 1.1beta2
- Estimated time set to 0.50 h
My guess the info is omitted because of an internal limit in the output code... some max line size or similar...
Updated by Anoop Saldanha about 14 years ago
- File 0003-increase-log-buffer-to-1280-from-1024.patch 0003-increase-log-buffer-to-1280-from-1024.patch added
increased the buffer limit to 1280 from 1024.
Updated by Victor Julien almost 14 years ago
Why 1280? If there is no special reason I'd like to increase some more, like 2048 or 4096. Or is there some drawback to that?
Updated by Anoop Saldanha almost 14 years ago
Victor Julien wrote:
Why 1280? If there is no special reason I'd like to increase some more, like 2048 or 4096. Or is there some drawback to that?
No reason. You can increase it if you like.
Updated by Anoop Saldanha almost 14 years ago
- Estimated time changed from 0.50 h to 0.00 h