Netgate Discussion Forum

Suricata Custom rule: error in with content, offset... How it works? INVALID SIGNATURE

  • DmitryDev
    May 13, 2019, 5:34 PM

    Hello, at start of the rule the error gets out. I'm sure that the problem is in the syntax of the rule, but I can not understand what exactly. Help me please!!
    This rule should detect network packets with signatures from the screen.

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"VNCCCCCCCC"; flow: to_server,established; content:"|00 F9|"; depth:54; content:"|FF 18|"; offset: 2; within:3; sid: 9335126445 rev: 1; )
    

    [Attached image: rule.png]

    • bmeeks
      May 13, 2019, 5:48 PM (last edited by bmeeks May 13, 2019, 6:02 PM)

      @DmitryDev said in Suricata Custom rule: error in with content, offset... How it works? INVALID SIGNATURE:

      Hello, at start of the rule the error gets out.

      DmitryDev, I'm sorry but this part of your post makes no sense to me as a native English speaker:

      "Hello, at start of the rule the error gets out."

      Can you restate what you said in a different way? I will try to help you, but the translation of your help request into English is confusing me.

      You can also try posting in the International Forums section if there is a sub-forum there for your native language.

      After reading your post several additional times, I think you are saying you get an "Invalid Signature" error when Suricata tries to load the custom rule. Have you reviewed all of the documentation here for Suricata rule syntax? Scanning your rule I don't see any error that jumps out at me, but I confess to not being a prolific Snort or Suricata rule author.

      Look in the suricata.log file for the interface (accessible via the LOGS VIEW tab). When Suricata prints an "Invalid Signature" error it should tell you what part of the rule it does not like.

      • DmitryDev @bmeeks
        May 13, 2019, 6:11 PM

        @bmeeks Sorry for my very bad English. You understood me correctly.
        I read the documentation from the official Suricata site.

        I'll try to see log file.

        • bmeeks @DmitryDev
          May 13, 2019, 6:15 PM (last edited by bmeeks May 13, 2019, 6:16 PM)

          @DmitryDev said in Suricata Custom rule: error in with content, offset... How it works? INVALID SIGNATURE:

          @bmeeks Sorry for my very bad English. You understood me correctly.
          I read the documentation from the official Suricata site.

          I'll try to see log file.

          I do not mean to fault you for your English! I speak and write only a single language, so I am impressed with those who are multilingual. It's just that the differences in sentence structure among the world's languages make translation a bit tricky sometimes ... ☺ .

          Post back if you need additional help. User @NogBadTheBad frequents this forum and he is a very good rule author.
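
A pre-load check for the rule posted at the top of this thread, added here as an example (it is not code from either poster or from the Suricata project). It splits the option block on `;` and reports an option whose value runs into another keyword, which is how a missing separator shows up, and a `sid` that does not fit 32 bits. The function names, the keyword list and the 32-bit `sid` limit are assumptions of this example.

```python
import re

# Keywords seen in the thread's rule plus a few common ones (assumed list; extend it).
KEYWORDS = {"msg", "flow", "content", "depth", "offset", "within",
            "distance", "nocase", "sid", "rev"}
SID_MAX = 2**32 - 1  # assumption: sid must fit an unsigned 32-bit integer


def split_options(body):
    """Split on ';' outside double quotes; return (options, unterminated tail)."""
    opts, cur, quoted, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    return opts, cur.strip()


def lint_rule(rule):
    """Return a list of findings for one rule line (hypothetical helper)."""
    m = re.search(r"\((.*)\)\s*$", rule, re.S)
    if not m:
        return ["no (...) option block found"]
    opts, tail = split_options(m.group(1))
    findings = [f"option not terminated with ';': {tail!r}"] if tail else []
    for opt in opts:
        name, _, value = (s.strip() for s in opt.partition(":"))
        # Strip quoted strings so msg/content text is not read as a keyword.
        bare = re.sub(r'"(?:\\.|[^"\\])*"', "", value)
        for kw in re.findall(r"\b([a-z_]+)\s*:", bare):
            if kw in KEYWORDS:
                findings.append(f"missing ';' before '{kw}' in option '{name}'")
        if name == "sid":
            num = re.match(r"\s*(\d+)", value)
            if num is None or int(num.group(1)) > SID_MAX:
                findings.append(f"sid must be a number no larger than {SID_MAX}")
    return findings


# Rule as posted in the thread, and a constructed variant (its sid value is made up).
POSTED = 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"VNCCCCCCCC"; flow: to_server,established; content:"|00 F9|"; depth:54; content:"|FF 18|"; offset: 2; within:3; sid: 9335126445 rev: 1; )'
CONSTRUCTED = POSTED.replace("sid: 9335126445 rev: 1;", "sid:9335126; rev:1;")

print("\n".join(lint_rule(POSTED)))
```

This only checks option separators and the `sid` value; the suricata.log entry for the interface remains the authoritative statement of why a rule was rejected.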
