Snort mailing list archives

Re: Pulledpork doesn't create sid-msg.map properly


From: Rob MacGregor <rob.macgregor () gmail com>
Date: Mon, 13 Oct 2014 12:03:47 +0100

On 13 October 2014 10:27, C. L. Martinez <carlopmart () gmail com> wrote:

On Mon, Oct 13, 2014 at 8:27 AM, C. L. Martinez <carlopmart () gmail com> wrote:
Hi all,

 After some days of working with pulledpork for suricata 2.0.4, all worked
ok until today.

 I have added the following rules in pulledpork's config file as
local_rules:

 https://sslbl.abuse.ch/blacklist/sslblacklist.rules

 After that, sid-msg doesn't get created properly. For emergingthreats
rules it works ok, but not for these last rules:

cat sid-msg.rules

2523264 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523266 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 634 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523268 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 635 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2523270 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 636 || url,doc.emergingthreats.net/bin/view/Main/TorRules
3 || FILEEXT BMP file claimed
6 || FILESTORE jpg
648 || GPL SHELLCODE x86 NOOP || arachnids,181
653 || GPL SHELLCODE x86 0x90 unicode NOOP
8 || FILESTORE pdf
9 || FILEMAGIC pdf
902200008 ||
902200009 ||
902200035 ||
902200060 ||
902200062 ||
902200064 ||
902200081 ||
902200082 ||
902200125 ||
902200133 ||
902200134 ||
902200141 ||
902200148 ||
902200151 ||
902200178 ||
902200195 ||
902200209 ||
902200213 ||
902200241 ||
902200248 ||
902200381 ||
902200382 ||
902200383 ||

How can I fix this??



I've seen this where the message contains certain characters that confused
the parser. I'm pretty sure it was the use of colons (":") in the message
that did it in my case.

-- 
Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche
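An added illustration of the failure mode Rob describes (example code, not pulledpork's own Perl): a sid-msg.map builder that splits rule options blindly on ':' and ';' silently drops any msg containing a colon and emits a bare "sid ||" line, while a quote-aware tokenizer keeps the message intact. The two rules are constructed for this example, not taken from the real sslblacklist feed.

```python
import re

# Constructed sample rules (not the real abuse.ch feed): the second msg contains a colon
# and a later option holds colon-separated hex, content that trips a naive ':'/';' split.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90|"; reference:arachnids,181; sid:648; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"SSLBL: Malicious SSL certificate detected (constructed)"; tls.fingerprint:"aa:bb:cc:dd:ee"; reference:url,sslbl.abuse.ch/blacklist; sid:902200008; rev:1;)
"""

def naive_options(rule):
    """Split the option block on ';' then ':'; a second ':' inside msg makes that option vanish."""
    opts = []
    for opt in filter(None, (o.strip() for o in rule[rule.index("(") + 1 : rule.rindex(")")].split(";"))):
        try:
            key, value = opt.split(":")
        except ValueError:  # 'msg:"SSLBL: ..."' splits into three pieces -> silently dropped
            continue
        opts.append((key.strip(), value.strip().strip('"')))
    return opts

# Quote-aware: a "..." value (backslash escapes allowed) is consumed whole, so ':' and
# ';' inside it are never seen as delimiters; unquoted values run to the next ';'.
OPTION_RE = re.compile(r'\s*([\w.\-]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def quote_aware_options(rule):
    body, opts, pos = rule[rule.index("(") + 1 : rule.rindex(")")].strip(), [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if m is None:  # fail loudly instead of emitting a half-parsed map entry
            raise ValueError(f"unparseable option near {body[pos:pos + 40]!r}")
        value = (m.group(2) or "").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts.append((m.group(1), value))
        pos = m.end()
    return opts

def build_sid_msg_map(rules_text, parser):
    """Return {sid: (msg, [references])} for every non-comment rule line."""
    result = {}
    for line in (l.strip() for l in rules_text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        opts = parser(line)
        sid = int(next(v for k, v in opts if k == "sid"))
        msg = next((v for k, v in opts if k == "msg"), "")
        result[sid] = (msg, [v for k, v in opts if k == "reference"])
    return result

def format_map_line(sid, msg, refs):
    """One sid-msg.map line: 'sid || msg || ref || ref' (an empty msg yields 'sid ||  || ...')."""
    return " || ".join([str(sid), msg, *refs])
```

Running both parsers over SAMPLE_RULES and printing format_map_line for each sid reproduces the symptom: the naive map has an empty message for 902200008, the quote-aware one does not.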