Project

General

Profile

Actions

Bug #303

closed

unknown rule keyword 'replace'

Added by Peter Manev about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

[11180] 27/7/2011 -- 10:33:15 - (detect-parse.c:675) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'replace'.

[11180] 27/7/2011 -- 10:33:15 - (detect.c:503) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger deny outbound login attempt"; flow:established,to_server; content:"YMSG"; depth:4; content:"|00|W"; depth:2; offset:10; replace:"|FF FF|"; classtype:policy-violation; sid:15429; rev:2;)" from file /etc/suricata/rules/content-replace.rules at line 39

[11180] 27/7/2011 -- 10:33:15 - (detect-parse.c:675) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(100)] - unknown rule keyword 'replace'.

[11180] 27/7/2011 -- 10:33:15 - (detect.c:503) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 12|Q|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; metadata:policy security-ips alert; classtype:policy-violation; sid:15441; rev:1;)" from file /etc/suricata/rules/content-replace.rules at line 42


Files

ticket303.tgz (7.88 KB) ticket303.tgz Patchset adding 'replace' keyword Eric Leblond, 08/17/2011 07:53 AM
Actions #1

Updated by Eric Leblond about 10 years ago

  • Assignee set to Eric Leblond
  • Estimated time set to 4.00 h
Actions #2

Updated by Eric Leblond about 10 years ago

  • % Done changed from 0 to 80
Actions #3

Updated by Eric Leblond about 10 years ago

The attached patchset adds the feature to the latest master at the time of the writing (commit:b3f7e6a2fcdaae0ceb1c988fc9c6c16233364cc5). You can use 'replace' has described in the ticket.

Actions #4

Updated by Victor Julien about 10 years ago

  • Status changed from New to Closed
  • Target version set to 1.1beta3
  • % Done changed from 80 to 100

Reworked patchset was applied a while ago. Thanks again Eric!

Actions

Also available in: Atom PDF