[Emerging-Sigs] 2013400

Victor Julien lists at inliniac.net
Tue Oct 25 18:06:51 EDT 2011


Suricata kicks 2013400 out: it doesn't like this bit "content: offset:5;
depth:64;". Seems the content is malformed.

[29002] 25/10/2011 -- 22:04:22 - (detect-content.c:117) <Error>
(DetectContentDataParse) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
content keywords's argument should be always enclosed in double quotes.
 Invalid content keyword passed in this rule - " offset:5"
[29002] 25/10/2011 -- 22:04:22 - (detect.c:499) <Error>
(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn";
flow:established,to_server; content:"GET"; http_method;
content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; content: offset:5;
depth:64; classtype:policy-violation; sid:2013400; rev:5;)" from file
/etc/suricata/rules/policy.rules at line 2667

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
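
An added example, not part of the original post and not Suricata's own parser: a small Python check that approximates the quoting requirement from the error above and runs it over the rule text quoted in that error. The function names `split_options` and `bad_content_options` are hypothetical.

```python
import re

# Rule text copied from the error message in the post above (sid 2013400, rev 5).
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; '
    'flow:established,to_server; content:"GET"; http_method; '
    'content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; content: offset:5; '
    'depth:64; classtype:policy-violation; sid:2013400; rev:5;)'
)

def split_options(rule):
    """Split the parenthesised option list on ';', honouring quotes and backslash escapes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quotes, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quotes and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        cur += ch
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
    if cur.strip():
        opts.append(cur.strip())
    return opts

def bad_content_options(rule):
    """Return (option_index, raw_argument) for each content option whose
    argument is not a non-empty double-quoted string (assumed approximation
    of the check that produced SC_ERR_INVALID_SIGNATURE above)."""
    bad = []
    for i, opt in enumerate(split_options(rule)):
        keyword, _, arg = opt.partition(":")
        if keyword.strip() != "content":
            continue
        value = arg.strip()
        if value.startswith("!"):  # negated match: content:!"..."
            value = value[1:].lstrip()
        if not re.fullmatch(r'"(?:[^"\\]|\\.)+"', value):
            bad.append((i, arg))
    return bad

if __name__ == "__main__":
    for index, arg in bad_content_options(RULE):
        print(f"option {index}: content argument not quoted: {arg!r}")
```

Run against a whole rules file before loading it, a check like this points at the offending option without waiting for the engine to reject the signature.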