Bug #303
closedunknown rule keyword 'replace'
Description
[11180] 27/7/2011 -- 10:33:15 - (detect-parse.c:675) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'replace'.
[11180] 27/7/2011 -- 10:33:15 - (detect.c:503) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger deny outbound login attempt"; flow:established,to_server; content:"YMSG"; depth:4; content:"|00|W"; depth:2; offset:10; replace:"|FF FF|"; classtype:policy-violation; sid:15429; rev:2;)" from file /etc/suricata/rules/content-replace.rules at line 39
[11180] 27/7/2011 -- 10:33:15 - (detect-parse.c:675) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'replace'.
[11180] 27/7/2011 -- 10:33:15 - (detect.c:503) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 12|Q|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; metadata:policy security-ips alert; classtype:policy-violation; sid:15441; rev:1;)" from file /etc/suricata/rules/content-replace.rules at line 42
Files
Updated by Eric Leblond about 13 years ago
- Assignee set to Eric Leblond
- Estimated time set to 4.00 h
Updated by Eric Leblond about 13 years ago
- File ticket303.tgz ticket303.tgz added
The attached patchset adds the feature to the latest master at the time of the writing (commit:b3f7e6a2fcdaae0ceb1c988fc9c6c16233364cc5). You can use 'replace' has described in the ticket.
Updated by Victor Julien almost 13 years ago
- Status changed from New to Closed
- Target version set to 1.1beta3
- % Done changed from 80 to 100
Reworked patchset was applied a while ago. Thanks again Eric!