Netgate Discussion Forum

    Suricata Custom rule: error in with content, offset... How it works? INVALID SIGNATURE

    • DmitryDev

      Hello, at start of the rule the error gets out. I'm sure that the problem is in the syntax of the rule, but I cannot understand what exactly. Help me please!
      This rule should detect network packets with signatures from the screen!

      alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"VNCCCCCCCC"; flow: to_server,established; content:"|00 F9|"; depth:54; content:"|FF 18|"; offset: 2; within:3; sid: 9335126445 rev: 1; )
      

      rule.png

      • bmeeks

        @DmitryDev said in Suricata Custom rule: error in with content, offset... How it works? INVALID SIGNATURE:

        Hello, at start of the rule the error gets out.

        DmitryDev, I'm sorry but this part of your post makes no sense to me as a native English speaker:

        "Hello, at start of the rule the error gets out."

        Can you restate what you said in a different way? I will try to help you, but the translation of your help request into English is confusing me.

        You can also try posting in the International Forums section if there is a sub-forum there for your native language.

        After reading your post several additional times, I think you are saying you get an "Invalid Signature" error when Suricata tries to load the custom rule. Have you reviewed all of the documentation here for Suricata rule syntax? Scanning your rule I don't see any error that jumps out at me, but I confess to not being a prolific Snort or Suricata rule author.

        Look in the suricata.log file for the interface (accessible via the LOGS VIEW tab). When Suricata prints an "Invalid Signature" error it should tell you what part of the rule it does not like.

        • DmitryDev @bmeeks

          @bmeeks Sorry for my very bad English. You understood me correctly.
          I read the documentation from the official Suricata site.

          I'll try to see log file.

          • bmeeks @DmitryDev

            @DmitryDev said in Suricata Custom rule: error in with content, offset... How it works? INVALID SIGNATURE:

            @bmeeks Sorry for my very bad English. You understood me correctly.
            I read the documentation from the official Suricata site.

            I'll try to see log file.

            I do not mean to fault you for your English! I speak and write only a single language, so I am impressed with those who are multilingual. It's just that the differences in sentence structure among the world's languages make translation a bit tricky sometimes ... ☺ .

            Post back if you need additional help. User @NogBadTheBad frequents this forum and he is a very good rule author.

            1 Reply Last reply Reply Quote 0
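The rule from the first post, run through a small pre-check, as an added example that is not part of the thread and is not Suricata's own parser. It flags two things visible in the posted text: the missing `;` between `sid` and `rev`, and a `sid` that does not fit the 32-bit unsigned integer Suricata uses for signature IDs. `split_options` and `precheck` are names made up for this example, and nothing else about the rule is checked; the authoritative message is still the one in suricata.log.

```python
import re

UINT32_MAX = 0xFFFFFFFF  # assumption stated in the lead-in: sid is a uint32

# The rule exactly as posted in the first message of the thread.
POSTED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"VNCCCCCCCC"; '
    'flow: to_server,established; content:"|00 F9|"; depth:54; '
    'content:"|FF 18|"; offset: 2; within:3; sid: 9335126445 rev: 1; )'
)


def split_options(rule):
    """Split the text between the outer parentheses on ';', ignoring
    semicolons that sit inside double-quoted values."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, quoted, escaped = [], "", False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            options.append(current.strip())
            current = ""
            continue
        current += ch
    return [opt for opt in options + [current.strip()] if opt]


def precheck(rule):
    """Return a list of human-readable findings; empty means nothing found."""
    findings = []
    for opt in split_options(rule):
        keyword, _, value = opt.partition(":")
        bare = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)  # hide quoted text
        extra = re.search(r"\s([a-z_.]+)\s*:", bare)
        if extra:  # a second "keyword:" inside one option
            findings.append(f"missing ';' before '{extra.group(1)}' in '{opt}'")
        if keyword.strip() == "sid":
            number = re.match(r"\s*(\d+)", value)
            if number and int(number.group(1)) > UINT32_MAX:
                findings.append(f"sid {number.group(1)} is larger than {UINT32_MAX}")
    return findings


if __name__ == "__main__":
    for finding in precheck(POSTED_RULE):
        print(finding)
```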