Bug #920
Suricata failed to parse address
Status: Closed
Added by Paolo Dangeli over 12 years ago. Updated over 12 years ago.
Description
I want to check a subnet but exclude one IP.
I've read the documentation at https://redmine.openinfosecfoundatio...Suricata_Rules and it reports this example:
[10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5)
Now, in my Suricata configuration I've set HOME_NET with:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
But when I start Suricata I receive this error:
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
I have Suricata version 1.4.5 RELEASE and the same problem with Suricata version 2.0dev (rev ff668c2).
How can I exclude one IP from the check? What is the correct syntax?
Thanks
Updated by Peter Manev over 12 years ago #1
Can you check:
"[10.10.10.0/24, !10.10.10.247/32]"
?
thanks
Updated by Paolo Dangeli over 12 years ago #2
Suricata v2.0dev
[9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:827) <Error> (DetectAddressSetup) -- [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/32"
[9312] 12/8/2013 -- 14:06:03 - (detect-engine-address.c:1265) <Error> (DetectAddressTestConfVars) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/32]". Please check it's syntax
[9312] 12/8/2013 -- 14:06:03 - (suricata.c:1907) <Error> (main) -- [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricatagit/suricata/suricata.yaml for errors
With Suricata v1.4.5 it works fine.
Is it a git version problem?
Updated by Paolo Dangeli over 12 years ago #3
Sorry,
with Suricata v1.4.5 it starts fine but continues to check the IP that I don't want to check :(
"[10.10.10.0/24, !10.10.10.247/32]"
Updated by Anoop Saldanha over 12 years ago #4
- Assignee set to Anoop Saldanha
Updated by Anoop Saldanha over 12 years ago #5
Updated by Victor Julien over 12 years ago #6
- Status changed from New to Closed
- Priority changed from High to Normal
- Target version set to 2.0beta2
- % Done changed from 0 to 100
Merged, thanks Anoop.
Updated by Paolo Dangeli over 12 years ago #7
Does not work :(
# /usr/suricatadev/bin/suricata -V
This is Suricata version 2.0dev (rev e2f4144)
I have tried
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
HOME_NET: "[10.10.10.0/24, !10.10.10.247/32]"
HOME_NET: "[10.10.10.0/24, !10.10.10.247/255.255.255.0]"
Same error:
failed to parse address
Updated by Victor Julien over 12 years ago #8
- Status changed from Closed to Assigned
Anoop, can you check this? Also, if it's still an issue, a new patch should have some tests.
Updated by Anoop Saldanha over 12 years ago #9
Seems fine to me.
Updated by Paolo Dangeli over 12 years ago #10
Sorry, what is the correct syntax to check a subnet but exclude one IP?
Thanks
Updated by Anoop Saldanha over 12 years ago #11
Paolo,
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
Updated by Paolo Dangeli over 12 years ago #12
But I have tried it, and it does not work.
Updated by Paolo Dangeli over 12 years ago #13
This is part of the log when I start Suricata with your suggested configuration:
...
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; content:"<applet"; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3124
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2"; flow:established,to_server; content:"POST"; http_method; content:" name=|22|c|22|"; http_client_body; content:"name=|22|p1|22|"; http_client_body; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3127
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:3;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3130
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3133
[22022] 2/9/2013 -- 09:09:44 - (detect.c:351) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:2;)" from file /etc/suricatadev/suricata/rules/emerging-current_events.rules at line 3139
....
Updated by Peter Manev over 12 years ago #14
Does it matter if you leave or not a space between the nets?
Updated by Paolo Dangeli over 12 years ago #15
Yes, same problem.
Updated by Jesson Kang over 12 years ago #16
I have the same problem as Paolo Dangeli.
[root@wcc-pt-seccheck01 suricata]# suricata -V
This is Suricata version 2.0beta1 RELEASE
Updated by Jesson Kang over 12 years ago #17
I have tested the patch in https://github.com/inliniac/suricata/pull/508
Suricata reports an error like this: "error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any"", all the same.
I think this is not only because of the space, but also because of the parsing of "!".
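As an added example (not code from this thread or from Suricata), a small Python checker for the flat HOME_NET address-group syntax discussed above: it strips the whitespace after the comma that produced `failed to parse address " 10.10.10.247"`, honours the `!` negation, and can also show the unstripped token that a naive parser rejects, so a defender can validate a HOME_NET value before restarting a sensor. Function names are mine; nested groups such as `[[...]]` are assumed out of scope.

```python
import ipaddress

def parse_address_group(spec):
    """Parse a flat Suricata-style address group, e.g.
    '"[10.10.10.0/24, !10.10.10.247]"', into (included, excluded) networks.
    Whitespace around each item is stripped, so ', !10.10.10.247' is fine."""
    spec = spec.strip()
    if spec.startswith('"') and spec.endswith('"'):
        spec = spec[1:-1].strip()          # drop the YAML quoting
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]                  # drop the group brackets
    included, excluded = [], []
    for item in spec.split(","):
        item = item.strip()                # tolerate a space after the comma
        if not item:
            continue
        negate = item.startswith("!")
        if negate:
            item = item[1:].strip()        # allow "! 10.10.10.247" as well
        # A bare host is a /32; "a.b.c.d/255.255.255.0" is a netmask form, and
        # strict=False masks host bits, so 10.10.10.247/255.255.255.0 becomes
        # 10.10.10.0/24 (which would exclude the whole subnet, as in comment #7).
        net = ipaddress.ip_network(item, strict=False)
        (excluded if negate else included).append(net)
    if not included:
        raise ValueError("address group has no positive entries")
    return included, excluded

def matches(spec, ip):
    """True if ip falls inside the group; negated entries always win."""
    included, excluded = parse_address_group(spec)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in included)

def first_unstripped_failure(spec):
    """Mimic the reported bug: remove '!' but not surrounding whitespace,
    and return the first token that fails to parse (None if all parse)."""
    body = spec.strip().strip('"').strip("[]")
    for item in body.split(","):
        tok = item.replace("!", "", 1)
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return tok                     # e.g. " 10.10.10.247", as in the log
    return None
```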
Updated by Victor Julien over 12 years ago #18
- Assignee changed from Anoop Saldanha to Victor Julien
Updated by Victor Julien over 12 years ago #19
- Status changed from Assigned to Closed
Tests added through https://github.com/inliniac/suricata/pull/660