[Emerging-Sigs] 2013400

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 25 20:16:19 EDT 2011


Fixed up!

Matt


On Oct 25, 2011, at 6:06 PM, Victor Julien wrote:

> Suricata kicks 2013400 out: it doesn't like this bit "content: offset:5;
> depth:64;". Seems the content is malformed.
> 
> [29002] 25/10/2011 -- 22:04:22 - (detect-content.c:117) <Error>
> (DetectContentDataParse) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> content keywords's argument should be always enclosed in double quotes.
> Invalid content keyword passed in this rule - " offset:5"
> [29002] 25/10/2011 -- 22:04:22 - (detect.c:499) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error
> parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any
> (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn";
> flow:established,to_server; content:"GET"; http_method;
> content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; content: offset:5;
> depth:64; classtype:policy-violation; sid:2013400; rev:5;)" from file
> /etc/suricata/rules/policy.rules at line 2667
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
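
A pre-load check for the failure shown in the quoted Suricata error, added here as an example; it is not part of the original thread, of Suricata, or of the ET ruleset tooling. It splits a rule's options on semicolons outside quotes and reports any `content` keyword whose argument is not a double-quoted string. The function names and the `CLEAN` rule are constructed for illustration; `BROKEN` is the rule text from the error message, rejoined onto one line.

```python
import re

# Rule text from the Suricata error message in the thread, rejoined onto one line.
BROKEN = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
          '(msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; '
          'flow:established,to_server; content:"GET"; http_method; '
          'content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; content: offset:5; '
          'depth:64; classtype:policy-violation; sid:2013400; rev:5;)')
# Constructed for this example (stray keyword dropped); not the published fix.
CLEAN = BROKEN.replace("content: offset:5;", "offset:5;")

# A content argument: optional negation, then a non-empty double-quoted string.
QUOTED = re.compile(r'^!?\s*"(?:[^"\\]|\\.)+"$', re.S)

def split_options(rule):
    """Split the option body on ';' characters that are outside quotes and unescaped."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if escaped:
            escaped = False          # this character was escaped, take it literally
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def unquoted_content(rule):
    """Return the content options whose argument is missing or not double-quoted."""
    bad = []
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        if key.strip() == "content" and not QUOTED.match(val.strip()):
            bad.append(opt)
    return bad

if __name__ == "__main__":
    for opt in unquoted_content(BROKEN):
        print("sid 2013400: unquoted content argument:", opt)
```
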


