Project

General

Profile

Actions

Bug #263

closed

No line number information on certain errors loading signatures

Added by Pablo Rincon about 14 years ago. Updated almost 14 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

As you can see the sid 2012100 is not loaded, and at the log there's no line information:
"from file /opt/ruledump/suricata/open/all.rules at line\n"

The error of the sig I guess it's related to the first content, that's followed by distance without having a previous content.

[12261] 23/12/2010 -- 13:20:12 - (detect-parse.c:1289) <Error> (SigValidate) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(102)] - within needs two preceeding content or uricontent options
[12261] 23/12/2010 -- 13:20:12 - (detect.c:526) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS > $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; distance:0; content:"strDup|28|"; distance:0; content:"<object|20|" ; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; classtype:attempted-user; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; sid:2012100; rev:3;)" from file /opt/ruledump/suricata/open/all.rules at line
[12261] 23/12/2010 -
13:20:12 - (detect.c:653) <Info> (SigLoadSignatures) -- 1 rule files processed. 11640 rules succesfully loaded, 3 rules failed


Files

Actions

Also available in: Atom PDF