Article 5DNDH Suricata: test rule not working (content replace)

from LinuxQuestions.org (#5DNDH)

Hello to all.

I have been testing Suricata in IPS mode and have written a couple of test rules.

Code:
drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook"; classtype:policy-violation; sid:990000;)

The rule above works.

But this rule ...

Code:
drop tcp any any -> any any (msg:"Replaced Iframe to XXXXXX"; content:"iframe"; nocase; replace:"XXXXXX"; nocase; sid: 90000001;)

... doesn't.

Code:
2/2/2021 -- 19:30:02 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> any any (msg:"Replaced Iframe to XXXXXX"; content:"iframe"; replace:"XXXXXX"; nocase; sid: 90000001;)" from file /etc/suricata/rules/suricata_replace.rules at line 1

I am sure it is an easy one, but I am baffled.

Code:
[root@arch ~]# suricata --build-info | grep NFQ
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST
NFQueue support: yes
[root@arch ~]#
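
Suricata's documentation for `replace` requires the replacement to contain as many bytes as the `content` it follows. The check below is an added example, not part of the original post; its function names and the two rules marked as constructed are made up for illustration.

```python
import re

# keyword, then optionally ':' and a quoted string or bare text, then ';'
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*(!?"(?:\\.|[^"\\])*"|[^;]*))?\s*;')

def parse_options(rule):
    """Return [(keyword, value)] from the parenthesised option block."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options = []
    for match in OPTION_RE.finditer(body):
        value = (match.group(2) or "").strip()
        if value.lstrip("!").startswith('"'):
            value = value.lstrip("!")[1:-1]   # drop negation mark and quotes
        options.append((match.group(1), value))
    return options

def pattern_length(pattern):
    """Byte length of a pattern: |..| spans are hex bytes, an escape is one byte."""
    total = 0
    for index, part in enumerate(pattern.split("|")):
        if index % 2:                          # inside |..|
            total += len(bytes.fromhex(part))
        else:                                  # literal text with escapes
            total += len(re.sub(r"\\(.)", r"\1", part).encode())
    return total

def check_replace(rule):
    """List violations of the replace/content pairing and length rule."""
    findings, last_content = [], None
    for keyword, value in parse_options(rule):
        if keyword == "content":
            last_content = value
        elif keyword == "replace":
            if last_content is None:
                findings.append("replace has no preceding content")
            elif pattern_length(value) != pattern_length(last_content):
                findings.append("replace is %d bytes, content is %d bytes"
                                % (pattern_length(value), pattern_length(last_content)))
    return findings

POSTED = 'drop tcp any any -> any any (msg:"Replaced Iframe to XXXXXX"; content:"iframe"; nocase; replace:"XXXXXX"; nocase; sid: 90000001;)'
# Constructed rules, not from the post:
MISMATCH = 'drop tcp any any -> any any (msg:"constructed"; content:"iframe|0d 0a|"; replace:"XXXXXX"; sid:1;)'
ORPHAN = 'drop tcp any any -> any any (msg:"constructed"; replace:"XXXXXX"; sid:2;)'

if __name__ == "__main__":
    for rule in (POSTED, MISMATCH, ORPHAN):
        print(check_replace(rule) or "ok", "<-", rule)
```

The rule from the post passes this particular check, since "iframe" and "XXXXXX" are both six bytes.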