Irregular Expressions

Feb 21 2010   11:55PM GMT

Installing Suricata on FreeBSD – Part 2

Dan O'Connor

With everything in place you can now start Suricata.

suricata -c /usr/local/etc/suricata.yaml -i em0

Got a good start.

70 rule files processed. 7977 rules succesfully loaded, 5 rules failed

Here are the 5 that did not load. I only added the Emerging Threats rules, not the Snort release set (those caused Suricata to crash).

[100072] 20/2/2010 -- 22:20:51 - (detect-bytetest.c:267)  (DetectBytetestParse) -- [ERRCODE: SC_ERR_INVALID_OPERATOR(111)] - Invalid operator
[100072] 20/2/2010 -- 22:20:51 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:4;)" from file /usr/local/etc/suricata/rules/emerging-p2p.rules at line 194
[100072] 20/2/2010 -- 22:20:52 - (detect-distance.c:48)  (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:52 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Infection Report via HTTP"; flow:established,to_server; uricontent:"/keylogkontrol/"; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Egyspy; sid:2008047; rev:2;)" from file /usr/local/etc/suricata/rules/emerging-virus.rules at line 915
[100072] 20/2/2010 -- 22:20:52 - (detect-distance.c:48)  (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:52 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; uricontent:"/access.php?"; nocase; uricontent:"w="; nocase; uricontent:"&a="; nocase; content:"|0d 0a|Host\: "; distance:0; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|"; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2008174; rev:2;)" from file /usr/local/etc/suricata/rules/emerging-virus.rules at line 2240
[100072] 20/2/2010 -- 22:20:52 - (detect.c:335)  (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(32)] - No rules loaded from /usr/local/etc/suricata/rules/emerging-web.rules
[100072] 20/2/2010 -- 22:20:55 - (detect-uricontent.c:303)  (DoDetectUricontentSetup) -- [ERRCODE: SC_ERR_NO_URICONTENT_NEGATION(92)] - uricontent negation is not supported at this time. See bug #31.
[100072] 20/2/2010 -- 22:20:55 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; uricontent:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:6;)" from file /usr/local/etc/suricata/rules/emerging-user_agents.rules at line 483
[100072] 20/2/2010 -- 22:20:55 - (detect-distance.c:48)  (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:55 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert udp any any -> any 53 (msg:"ET CURRENT_EVENTS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; distance:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Bind; sid:2009701; rev:3;)" from file /usr/local/etc/suricata/rules/emerging-current_events.rules at line 65
[100072] 20/2/2010 -- 22:20:55 - (detect.c:376)  (SigLoadSignatures) -- 70 rule files processed. 7977 rules succesfully loaded, 5 rules failed
[100072] 20/2/2010 -- 22:20:55 - (detect-engine-sigorder.c:787)  (SCSigOrderSignatures) -- ordering signatures in memory
SCSigOrderSignatures: Total Signatures to be processed by thesigordering module: 7989

Let’s check to make sure the IDS is logging. Check the config file for the logging directory; the default is /var/log/suricata/. You may have to create a noise rule (any any -> any any), but alerts should start hitting the fast.log file.
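As an added example (not from the original post, and not Suricata project code), here is a small Python script that does two things this post does by eye: it reads the start-up output quoted above and pairs each rejected rule with the specific parse error Suricata printed on the line just before the SC_ERR_INVALID_SIGNATURE rejection, and it tallies alerts per sid in fast.log so you can confirm the noise rule is actually producing output. The start-up lines embedded in it are the ones quoted above; the fast.log lines are constructed, and the noise rule's msg text and sid 1000001 are assumptions (1000000 and up is the conventional local-rule range, not something the post specifies).

```python
"""Triage Suricata rule-load failures and confirm alerts reach fast.log.

Added example, not part of the original post. STARTUP_LOG is the output
quoted in the post; FAST_LOG is constructed for illustration, and the
noise rule's msg/sid are assumptions.
"""
import re
from collections import Counter

# Suricata prints the specific parse error first, then a generic
# SC_ERR_INVALID_SIGNATURE line quoting the whole rule, its file and line.
ERR_RE = re.compile(r"\[ERRCODE: (?P<code>SC_ERR_[A-Z_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)$")
SIG_RE = re.compile(r'Error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"sid:\s*(\d+)\s*;")
EMPTY_RE = re.compile(r"No rules loaded from (?P<file>\S+)$")
# \w+ tolerates the "succesfully" misspelling in Suricata's own summary line.
SUMMARY_RE = re.compile(r"(\d+) rule files processed\. (\d+) rules \w+ loaded, (\d+) rules failed")

# Start-up output exactly as quoted in the post (Suricata on FreeBSD, Feb 2010).
STARTUP_LOG = r'''
[100072] 20/2/2010 -- 22:20:51 - (detect-bytetest.c:267)  (DetectBytetestParse) -- [ERRCODE: SC_ERR_INVALID_OPERATOR(111)] - Invalid operator
[100072] 20/2/2010 -- 22:20:51 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Hello Request (2)"; content:"|e4 10|"; depth:2; byte_test:2,<=,65535,16,relative; byte_test:2,<=,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; classtype:policy-violation; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/P2P/P2P_eMule; sid:2009971; rev:4;)" from file /usr/local/etc/suricata/rules/emerging-p2p.rules at line 194
[100072] 20/2/2010 -- 22:20:52 - (detect-distance.c:48)  (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:52 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Infection Report via HTTP"; flow:established,to_server; uricontent:"/keylogkontrol/"; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Egyspy; sid:2008047; rev:2;)" from file /usr/local/etc/suricata/rules/emerging-virus.rules at line 915
[100072] 20/2/2010 -- 22:20:52 - (detect-distance.c:48)  (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:52 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; uricontent:"/access.php?"; nocase; uricontent:"w="; nocase; uricontent:"&a="; nocase; content:"|0d 0a|Host\: "; distance:0; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|"; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Tibs; sid:2008174; rev:2;)" from file /usr/local/etc/suricata/rules/emerging-virus.rules at line 2240
[100072] 20/2/2010 -- 22:20:52 - (detect.c:335)  (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES(32)] - No rules loaded from /usr/local/etc/suricata/rules/emerging-web.rules
[100072] 20/2/2010 -- 22:20:55 - (detect-uricontent.c:303)  (DoDetectUricontentSetup) -- [ERRCODE: SC_ERR_NO_URICONTENT_NEGATION(92)] - uricontent negation is not supported at this time. See bug #31.
[100072] 20/2/2010 -- 22:20:55 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Mozilla User-Agent - Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/5.0|0d 0a|"; nocase; uricontent:!"|0d 0a|Host\: download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection\: Close|0d 0a 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009295; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_Agents_Suspicious; sid:2009295; rev:6;)" from file /usr/local/etc/suricata/rules/emerging-user_agents.rules at line 483
[100072] 20/2/2010 -- 22:20:55 - (detect-distance.c:48)  (DetectDistanceSetup) -- [ERRCODE: SC_ERR_DISTANCE_MISSING_CONTENT(88)] - distance needs two preceeding content options
[100072] 20/2/2010 -- 22:20:55 - (detect.c:291)  (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(29)] - Error parsing signature "alert udp any any -> any 53 (msg:"ET CURRENT_EVENTS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; distance:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Bind; sid:2009701; rev:3;)" from file /usr/local/etc/suricata/rules/emerging-current_events.rules at line 65
[100072] 20/2/2010 -- 22:20:55 - (detect.c:376)  (SigLoadSignatures) -- 70 rule files processed. 7977 rules succesfully loaded, 5 rules failed
'''


def parse_startup_log(text):
    """Return each failed rule with the reason that preceded its rejection,
    rule files that yielded nothing, a per-reason tally and the summary."""
    failed, empty, reasons, summary = [], [], Counter(), None
    pending = None  # last specific error, waiting for its INVALID_SIGNATURE line
    for line in text.splitlines():
        line = line.rstrip()
        m_sum = SUMMARY_RE.search(line)
        if m_sum:
            summary = tuple(int(x) for x in m_sum.groups())
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        code, msg = m.group("code"), m.group("msg")
        if code == "SC_ERR_NO_RULES":
            e = EMPTY_RE.search(msg)
            empty.append(e.group("file") if e else msg)
        elif code == "SC_ERR_INVALID_SIGNATURE":
            s = SIG_RE.search(msg)
            sid = SID_RE.search(s.group("rule")) if s else None
            reason, detail = pending or ("unknown", "")
            reasons[reason] += 1
            failed.append({"sid": int(sid.group(1)) if sid else None,
                           "file": s.group("file") if s else None,
                           "line": int(s.group("line")) if s else None,
                           "reason": reason, "detail": detail})
            pending = None
        else:
            pending = (code, msg)
    return {"failed": failed, "empty_files": empty, "reasons": reasons, "summary": summary}


# Noise rule (assumed msg and sid; 1000000+ is the conventional local range)
# that fires on every packet so fast.log fills up even on a quiet link.
NOISE_SID = 1000001
NOISE_RULE = 'alert ip any any -> any any (msg:"LOCAL noise test"; sid:%d; rev:1;)' % NOISE_SID

# fast.log lines look like:
# <mm/dd/yyyy-HH:MM:SS.us>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: N] {proto} src:port -> dst:port
FAST_RE = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]")

# Constructed sample, not real output from the post's sensor.
FAST_LOG = """
02/20/2010-22:21:03.412233  [**] [1:1000001:1] LOCAL noise test [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:49152 -> 192.168.1.1:22
02/20/2010-22:21:03.412890  [**] [1:1000001:1] LOCAL noise test [**] [Classification: (null)] [Priority: 3] {UDP} 192.168.1.10:53421 -> 192.168.1.1:53
02/20/2010-22:21:04.000120  [**] [1:1000002:1] LOCAL ssh test [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.10:49152 -> 192.168.1.1:22
"""


def alerts_by_sid(fast_log):
    """Tally alerts per sid from fast.log text."""
    return Counter(int(m.group("sid")) for m in map(FAST_RE.search, fast_log.splitlines()) if m)


def logging_confirmed(fast_log, sid=NOISE_SID):
    """True once at least one alert for the given sid has been written."""
    return alerts_by_sid(fast_log)[sid] > 0


if __name__ == "__main__":
    r = parse_startup_log(STARTUP_LOG)
    print("summary (files, loaded, failed):", r["summary"])
    for f in r["failed"]:
        print("sid %s  %s:%s  %s" % (f["sid"], f["file"], f["line"], f["reason"]))
    print("reasons:", dict(r["reasons"]))
    print("empty rule files:", r["empty_files"])
    print("noise rule for a local rules file:", NOISE_RULE)
    print("fast.log alerts per sid:", dict(alerts_by_sid(FAST_LOG)))
    print("logging confirmed:", logging_confirmed(FAST_LOG))
```

On a live box, feed parse_startup_log the real start-up output and alerts_by_sid the fast.log from whatever logging directory the yaml names; both only read text, so running it on a production sensor is harmless. The per-reason tally is the useful part when the failed count is larger than 5: three of the five rejections above share one cause (distance with a single preceding content), so fixing or filtering on the reason code is quicker than working through the rules one by one.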

Now that we know it kinda works, there is some configuration to do in part 3.
