Project

General

Profile

Actions

Bug #920

closed

Suricata failed to parse address

Added by Paolo Dangeli over 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I want to check subnet but exclude one ip .

I've read a documentation at https://redmine.openinfosecfoundatio...Suricata_Rules and report this example :

[10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5)

Now, in my suricata configuration I've set HOME_NET wit :

HOME_NET: "[10.10.10.0/24, !10.10.10.247]"

But, when I start suricata receive this error :

12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors

I've Suricata version 1.4.5 RELEASE and same problem with Suricata version 2.0dev (rev ff668c2).

How can I exclude one ip from check, what is correct syntax .

Thanks

Actions #1

Updated by Peter Manev over 11 years ago

Can you check:

"[10.10.10.0/24, !10.10.10.247/32]" 

?

thanks

Actions #2

Updated by Paolo Dangeli over 11 years ago

Suricata v2.0dev

[9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:827) <Error> (DetectAddressSetup) -- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/32" 
[9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:1265) <Error> (DetectAddressTestConfVars) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/32]". Please check it's syntax
[9312] 12/8/2013 -- 14:06:03 - (suricata.c:1907) <Error> (main) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricatagit/suricata/suricata.yaml for errors

With Suricata v1.4.5 it works fine .

It's a git version problem ?

Actions #3

Updated by Paolo Dangeli over 11 years ago

Sorry ,

with suricata v1.4.5 it start fine but continue to check for ip that I dont want to check :(

"[10.10.10.0/24, !10.10.10.247/32]" 
Actions #4

Updated by Anoop Saldanha over 11 years ago

  • Assignee set to Anoop Saldanha
Actions #6

Updated by Victor Julien over 11 years ago

  • Status changed from New to Closed
  • Priority changed from High to Normal
  • Target version set to 2.0beta2
  • % Done changed from 0 to 100

Merged, thanks Anoop.

Actions #7

Updated by Paolo Dangeli over 11 years ago

Do not works :(

# /usr/suricatadev/bin/suricata -V
This is Suricata version 2.0dev (rev e2f4144)

I have tried

HOME_NET: "[10.10.10.0/24, !10.10.10.247]" 
HOME_NET: "[10.10.10.0/24, !10.10.10.247/32]" 
HOME_NET: "[10.10.10.0/24, !10.10.10.247/255.255.255.0]" 

Same error

failed to parse address
Actions #8

Updated by Victor Julien over 11 years ago

  • Status changed from Closed to Assigned

Anoop, can you check this? Also, if it's a still an issue, a new patch should have some tests.

Actions #9

Updated by Anoop Saldanha over 11 years ago

Actions #10

Updated by Paolo Dangeli over 11 years ago

sorry, what is the correct syntax to check a subnet but exclude one ip ?

Thanks

Actions #11

Updated by Anoop Saldanha over 11 years ago

Paolo,

HOME_NET: "[10.10.10.0/24, !10.10.10.247]"

Actions #12

Updated by Paolo Dangeli over 11 years ago

But I have tried it, and does not work .

Actions #13

Updated by Paolo Dangeli over 11 years ago

This is a part of log when I start suricata whit your suggested configuration

...
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; content:"<applet"; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3124
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2"; flow:established,to_server; content:"POST"; http_method; content:" name=|22|c|22|"; http_client_body; content:"name=|22|p1|22|"; http_client_body; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3127
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3130
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3133
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3139
....
Actions #14

Updated by Peter Manev over 11 years ago

Does it matter if you leave or not a space between the nets?

Actions #15

Updated by Paolo Dangeli over 11 years ago

Yes, same problem .

Actions #16

Updated by Jesson Kang over 11 years ago

I have the same problem as Paolo Dangeli .

[root@wcc-pt-seccheck01 suricata]# suricata -V
This is Suricata version 2.0beta1 RELEASE

Actions #17

Updated by Jesson Kang over 11 years ago

I have tested the patch in [[https://github.com/inliniac/suricata/pull/508]]

Suricata report a error that like this " error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any" all the same.
I think this is not only because space ,also because in parsing "!".

Actions #18

Updated by Victor Julien about 11 years ago

  • Assignee changed from Anoop Saldanha to Victor Julien
Actions #19

Updated by Victor Julien about 11 years ago

  • Status changed from Assigned to Closed
Actions

Also available in: Atom PDF