LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-02-2021, 11:40 AM   #1
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os
Posts: 824
Suricata: test rule not working (content replace)


Hello to all.

I have been testing Suricata in IPS mode and have written a couple of test rules.
Code:
drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook"; classtype:policy-violation; sid:990000;)
The rule above works.

but this rule ...
Code:
drop tcp any any -> any any (msg:”Replaced Iframe to XXXXXX”; content:"iframe”; nocase; replace:”XXXXXX”; nocase; sid: 90000001;)
... doesn't.

Code:
2/2/2021 -- 19:30:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> any any (msg:”Replaced Iframe to XXXXXX”; content:"iframe”; replace:”XXXXXX”; nocase; sid: 90000001;)" from file /etc/suricata/rules/suricata_replace.rules at line 1
I am sure it is an easy one, but I am baffled.

Code:
[root@arch ~]#  suricata --build-info | grep NFQ
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
  NFQueue support:                         yes
[root@arch ~]#

Last edited by //////; 02-02-2021 at 12:13 PM. Reason: more info.
 
Old 02-02-2021, 01:18 PM   #2
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os
Posts: 824

Original Poster
Solved it.

I had to use these:
Code:
"
instead of these:
Code:
”
I don't know how it happened, but I must have downloaded example rules with the wrong character '”' instead of '"'.

case closed.
 
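The failure in this thread is a classic "looks right, parses wrong" problem: U+201D (RIGHT DOUBLE QUOTATION MARK) is visually almost identical to the ASCII `"` that the Suricata rule parser expects, so the signature is rejected with SC_ERR_INVALID_SIGNATURE and a `drop` rule silently never takes effect. The following is an added example (not code from the thread or from the Suricata project) of a small pre-flight linter that scans a rules file for typographic quotes, reports their position and Unicode name, and can rewrite them to ASCII. It also performs one extra check that bites people writing `replace:` rules: Suricata requires the replacement string to be exactly as long as the `content:` it replaces (the rule in the thread happens to satisfy this, "iframe" and "XXXXXX" are both six characters). The sample rule is a constructed copy of the rule quoted in the error message above; the function and constant names are my own.

```python
# Added example: pre-flight linter for typographic quotes in Suricata rule files.
# Not from the LinuxQuestions thread or the Suricata project; names are my own.
import re
import sys
import unicodedata

# Look-alike quote characters mapped to the ASCII character the rule parser wants.
# U+201C/U+201D are the ones that broke the rule in the thread.
SMART_QUOTES = {
    "\u201c": '"',  # LEFT DOUBLE QUOTATION MARK
    "\u201d": '"',  # RIGHT DOUBLE QUOTATION MARK
    "\u201e": '"',  # DOUBLE LOW-9 QUOTATION MARK
    "\u2018": "'",  # LEFT SINGLE QUOTATION MARK
    "\u2019": "'",  # RIGHT SINGLE QUOTATION MARK
}

# Constructed sample: the rule exactly as Suricata echoed it back in the error log.
SAMPLE_RULE = (
    'drop tcp any any -> any any (msg:\u201dReplaced Iframe to XXXXXX\u201d; '
    'content:"iframe\u201d; replace:\u201dXXXXXX\u201d; nocase; sid: 90000001;)'
)

# Literal content:/replace: strings only; |41 42| hex notation is not handled here.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')
REPLACE_RE = re.compile(r'replace:\s*"((?:[^"\\]|\\.)*)"')


def find_smart_quotes(rules_text):
    """Return (line_no, column, char, unicode_name) for every look-alike quote."""
    hits = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SMART_QUOTES:
                hits.append((line_no, col, ch, unicodedata.name(ch)))
    return hits


def normalize_quotes(rules_text):
    """Rewrite every look-alike quote to its ASCII equivalent; everything else is untouched."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in rules_text)


def quotes_balanced(rule):
    """A rule must contain an even number of unescaped ASCII double quotes.

    With a stray typographic quote the count is odd, which is exactly why the
    parser gives up on the whole signature."""
    count = 0
    prev = ""
    for ch in rule:
        if ch == '"' and prev != "\\":
            count += 1
        prev = ch
    return count % 2 == 0


def replace_lengths_match(rule):
    """Check Suricata's constraint that replace: is the same length as content:.

    Returns True if the lengths match, False if they differ or content: is missing,
    and None when the rule has no replace: keyword at all."""
    rep = REPLACE_RE.search(rule)
    if rep is None:
        return None
    con = CONTENT_RE.search(rule)
    if con is None:
        return False
    return len(con.group(1)) == len(rep.group(1))


def lint(rules_text):
    """Return a list of human-readable findings for a whole rules file."""
    findings = [
        f"line {ln} col {col}: U+{ord(ch):04X} {name} should be {SMART_QUOTES[ch]!r}"
        for ln, col, ch, name in find_smart_quotes(rules_text)
    ]
    for ln, rule in enumerate(rules_text.splitlines(), start=1):
        if rule.strip() and replace_lengths_match(normalize_quotes(rule)) is False:
            findings.append(f"line {ln}: replace: string is not the same length as content:")
    return findings


if __name__ == "__main__":
    # Usage: python lint_rules.py /etc/suricata/rules/suricata_replace.rules
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULE
    for finding in lint(text):
        print(finding)
```

The linter is a quick triage aid, not a substitute for the real parser: after normalising a rules file, the authoritative check is still `suricata -T -c /etc/suricata/suricata.yaml`, which loads every rule file in test mode and fails with the same SC_ERR_INVALID_SIGNATURE message shown above if anything is still wrong.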