Bug #920
closedSuricata failed to parse address
Description
I want to check subnet but exclude one ip .
I've read a documentation at https://redmine.openinfosecfoundatio...Suricata_Rules and report this example :
[10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5)
Now, in my suricata configuration I've set HOME_NET wit :
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
But, when I start suricata receive this error :
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
I've Suricata version 1.4.5 RELEASE and same problem with Suricata version 2.0dev (rev ff668c2).
How can I exclude one ip from check, what is correct syntax .
Thanks
Updated by Peter Manev over 11 years ago
Can you check:
"[10.10.10.0/24, !10.10.10.247/32]"
?
thanks
Updated by Paolo Dangeli over 11 years ago
Suricata v2.0dev
[9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:827) <Error> (DetectAddressSetup) -- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/32" [9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:1265) <Error> (DetectAddressTestConfVars) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/32]". Please check it's syntax [9312] 12/8/2013 -- 14:06:03 - (suricata.c:1907) <Error> (main) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricatagit/suricata/suricata.yaml for errors
With Suricata v1.4.5 it works fine .
It's a git version problem ?
Updated by Paolo Dangeli over 11 years ago
Sorry ,
with suricata v1.4.5 it start fine but continue to check for ip that I dont want to check :(
"[10.10.10.0/24, !10.10.10.247/32]"
Updated by Anoop Saldanha about 11 years ago
Updated by Victor Julien about 11 years ago
- Status changed from New to Closed
- Priority changed from High to Normal
- Target version set to 2.0beta2
- % Done changed from 0 to 100
Merged, thanks Anoop.
Updated by Paolo Dangeli about 11 years ago
Do not works :(
# /usr/suricatadev/bin/suricata -V This is Suricata version 2.0dev (rev e2f4144)
I have tried
HOME_NET: "[10.10.10.0/24, !10.10.10.247]" HOME_NET: "[10.10.10.0/24, !10.10.10.247/32]" HOME_NET: "[10.10.10.0/24, !10.10.10.247/255.255.255.0]"
Same error
failed to parse address
Updated by Victor Julien about 11 years ago
- Status changed from Closed to Assigned
Anoop, can you check this? Also, if it's a still an issue, a new patch should have some tests.
Updated by Anoop Saldanha about 11 years ago
Seems fine to me.
Updated by Paolo Dangeli about 11 years ago
sorry, what is the correct syntax to check a subnet but exclude one ip ?
Thanks
Updated by Anoop Saldanha about 11 years ago
Paolo,
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
Updated by Paolo Dangeli about 11 years ago
But I have tried it, and does not work .
Updated by Paolo Dangeli about 11 years ago
This is a part of log when I start suricata whit your suggested configuration
... [22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; content:"<applet"; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3124 [22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2"; flow:established,to_server; content:"POST"; http_method; content:" name=|22|c|22|"; http_client_body; content:"name=|22|p1|22|"; http_client_body; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3127 [22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3130 [22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3133 [22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3139 ....
Updated by Peter Manev about 11 years ago
Does it matter if you leave or not a space between the nets?
Updated by Jesson Kang about 11 years ago
I have the same problem as Paolo Dangeli .
[root@wcc-pt-seccheck01 suricata]# suricata -V
This is Suricata version 2.0beta1 RELEASE
Updated by Jesson Kang about 11 years ago
I have tested the patch in [[https://github.com/inliniac/suricata/pull/508]]
Suricata report a error that like this " error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any" all the same.
I think this is not only because space ,also because in parsing "!".
Updated by Victor Julien almost 11 years ago
- Assignee changed from Anoop Saldanha to Victor Julien
Updated by Victor Julien almost 11 years ago
- Status changed from Assigned to Closed
Tests added through https://github.com/inliniac/suricata/pull/660