#1, 08-12-2013, 03:03 AM, LQ Newbie (Registered: Mar 2009, Posts: 26)
Suricata failed to parse address
I want to check a subnet but exclude one IP.
I've read the documentation at https://redmine.openinfosecfoundatio...Suricata_Rules and it gives this example:
Code:
[10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5)
Now, in my Suricata configuration I've set HOME_NET with:
Code:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
But when I start Suricata I receive this error:
Quote:
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
I have Suricata version 1.4.5 RELEASE.
How can I exclude one IP from the check? What is the correct syntax?
Thanks
#2, 08-13-2013, 03:28 PM, Senior Member Noway2 (Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125)
The only thing I can see that is potentially wrong with your rules is leaving off the $ in front of HOME_NET, hence the error "failed to parse address var "HOME_NET"". I think that this is a bit confusing in the documentation. If you haven't yet, please see this: https://redmine.openinfosecfoundatio...Suricata_Rules
From the examples (which are the same as yours):
Code:
$HOME_NET (Your setting of HOME_NET in yaml)
[$EXTERNAL_NET, !$HOME_NET] (EXTERNAL_NET and not HOME_NET)
[10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5)
As you can see, "10.0.0.0/24, !10.0.0.5" is a syntactically valid statement, but the HOME_NET has a $ in front, and yours does not.
#3, 08-14-2013, 03:39 AM, LQ Newbie, Original Poster (Registered: Mar 2009, Posts: 26)
Quote:
Originally Posted by Noway2
The only thing I can see that is potentially wrong with your rules is leaving off the $ in front of HOME_NET, hence the error "failed to parse address var "HOME_NET"". I think that this is a bit confusing in the documentation. If you haven't yet, please see this: https://redmine.openinfosecfoundatio...Suricata_Rules
From the examples (which are the same as yours):
Code:
$HOME_NET (Your setting of HOME_NET in yaml)
[$EXTERNAL_NET, !$HOME_NET] (EXTERNAL_NET and not HOME_NET)
[10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5)
As you can see, "10.0.0.0/24, !10.0.0.5" is a syntactically valid statement, but the HOME_NET has a $ in front, and yours does not.
Code:
$HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
Same error.
#4, 08-14-2013, 11:09 AM, Senior Member Noway2 (Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125)
In follow-up, I think I agree with the advice given at linux.org: there is probably something wrong with your yaml file. Here is a link to the code that does the parsing. The code first checks for IPv4 or IPv6, then looks to see if you're using CIDR (/xx) or xxx.xxx.xxx.xxx notation for the mask. It also looks for a leading !. Once the string has been parsed, standard functions like inet_pton are called to convert the string data into network integers. Overall, it is pretty straightforward. The error would seem to indicate that the string being parsed is not matching the correct format. The natural extension of this would be that what is being read isn't in the right format. I would suggest having a look at the following: http://en.wikipedia.org/wiki/YAML, in particular the section on Syntax. When you look at your file, it is common for the actual error to be either a few lines above or below the one that appears to be causing the problem. Be careful about tabs versus spaces, and that you have a : in the sections where required. By default strings are in quotes (" "), meaning that your IP address should be in the proper data type.
#5, 08-16-2013, 03:18 AM, LQ Newbie, Original Poster (Registered: Mar 2009, Posts: 26)
I have read the documentation and the example, but I don't understand what the correct syntax is.
Can you post an example?
Thanks
#6, 08-22-2013, 04:31 AM, LQ Newbie, Original Poster (Registered: Mar 2009, Posts: 26)
Any help?
#7, 08-22-2013, 08:39 AM, Senior Member Noway2 (Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125)
Rather than asking for the community to post an example, why don't you post your configuration file and perhaps someone will be able to identify the error?
#8, 08-22-2013, 08:44 AM, LQ Newbie, Original Poster (Registered: Mar 2009, Posts: 26)
Code:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
Code:
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
#9, 08-22-2013, 08:54 AM, Senior Member Noway2 (Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125)
As we previously discussed, there appears to be some sort of error in your yaml file, as indicated by "Please check /etc/suricata/suricata.yaml for errors". If you are having trouble identifying the error, consider posting your yaml file.
#10, 08-22-2013, 08:58 AM, LQ Newbie, Original Poster (Registered: Mar 2009, Posts: 26)
Quote:
Originally Posted by Noway2
As we previously discussed, there appears to be some sort of error in your yaml file, as indicated by "Please check /etc/suricata/suricata.yaml for errors". If you are having trouble identifying the error, consider posting your yaml file.
My suricata.yaml file is the default file ... I only changed this var:
Code:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
If I change it to
Code:
HOME_NET: "[10.10.10.0/24]"
Suricata works fine.
#11, 08-22-2013, 10:37 AM, Senior Member Noway2 (Registered: Jul 2007, Distribution: Gentoo, Posts: 2,125)
Here is the relevant section from the default yaml file:
Code:
# Holds variables that would be used by the engine.
vars:
# Holds the address group vars that would be passed in a Signature.
# These would be retrieved during the Signature address parsing stage.
address-groups:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
EXTERNAL_NET: "!$HOME_NET"
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
# Holds the port group vars that would be passed in a Signature.
# These would be retrieved during the Signature port parsing stage.
port-groups:
HTTP_PORTS: "80"
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: 22
There is something about the way you are entering information that the system does not like. Did you alter the white space, use tabs, or do something like that which violates the syntax? According to the comments on the thread running on linux.org, others are saying that this configuration works.
I'm sorry, but I don't know what to suggest.
#12, 08-23-2013, 09:11 AM, LQ Newbie, Original Poster (Registered: Mar 2009, Posts: 26)
Code:
$HOME_NET (Your setting of HOME_NET in yaml)
[$EXTERNAL_NET, !$HOME_NET] (EXTERNAL_NET and not HOME_NET)
[10.0.0.0/24, !10.0.0.5] (10.0.0.0/24 except for 10.0.0.5) <---- this is what I want
Code:
vars:
# Holds the address group vars that would be passed in a Signature.
# These would be retrieved during the Signature address parsing stage.
address-groups:
HOME_NET: "[10.10.10.0/24, !10.10.10.247/255.255.255.0]"
EXTERNAL_NET: "!$HOME_NET"
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
MODBUS_SERVER: "$HOME_NET"
ENIP_CLIENT: "$HOME_NET"
ENIP_SERVER: "$HOME_NET"
Code:
23/8/2013 -- 15:05:47 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/255.255.255.0"
23/8/2013 -- 15:05:47 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/255.255.255.0]". Please check it's syntax
23/8/2013 -- 15:05:47 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
Code:
vars:
# Holds the address group vars that would be passed in a Signature.
# These would be retrieved during the Signature address parsing stage.
address-groups:
HOME_NET: "[10.10.10.0/24, !10.10.10.247/32]"
EXTERNAL_NET: "!$HOME_NET"
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
MODBUS_SERVER: "$HOME_NET"
ENIP_CLIENT: "$HOME_NET"
ENIP_SERVER: "$HOME_NET"
Code:
23/8/2013 -- 15:04:44 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/32"
23/8/2013 -- 15:04:44 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/32]". Please check it's syntax
23/8/2013 -- 15:04:44 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
Code:
vars:
# Holds the address group vars that would be passed in a Signature.
# These would be retrieved during the Signature address parsing stage.
address-groups:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
EXTERNAL_NET: "!$HOME_NET"
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: "$EXTERNAL_NET"
DNP3_SERVER: "$HOME_NET"
DNP3_CLIENT: "$HOME_NET"
MODBUS_CLIENT: "$HOME_NET"
MODBUS_SERVER: "$HOME_NET"
ENIP_CLIENT: "$HOME_NET"
ENIP_SERVER: "$HOME_NET"
Code:
23/8/2013 -- 15:07:19 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
23/8/2013 -- 15:07:19 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
23/8/2013 -- 15:07:19 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
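One detail worth noticing across the three logs in this post, read together with the parsing steps Noway2 described in post #4: every rejected token is quoted with a leading space (" 10.10.10.247", " 10.10.10.247/255.255.255.0", " 10.10.10.247/32"), which is the space after the comma in "[10.10.10.0/24, !10.10.10.247]" reaching the address parser intact. What follows is an added example, not Suricata's own code and not posted by anyone in the thread: a small Python model of the bracketed address-group syntax that reproduces that failure when tokens are not stripped, accepts the same value once they are, and also shows that the dotted-mask variant tried above ("!10.10.10.247/255.255.255.0") would, if it parsed, exclude the whole /24 rather than the single host. That the whitespace is the cause is my reading of the quoted log lines, not something checked against Suricata's source here; the sample values are the ones from this thread, and the function names are mine.

```python
"""Toy model of Suricata-style address groups like "[10.10.10.0/24, !10.10.10.247]".
Added example for this thread, not Suricata's own parser."""
import ipaddress

# Constructed samples: the three HOME_NET values tried in the thread above.
SAMPLE_VALUES = [
    "[10.10.10.0/24, !10.10.10.247]",
    "[10.10.10.0/24, !10.10.10.247/255.255.255.0]",
    "[10.10.10.0/24, !10.10.10.247/32]",
]


def parse_address(token):
    """Parse one leaf token following the steps described in post #4:
    recognise a leading '!', then a bare address, CIDR (/nn) or dotted
    mask (/a.b.c.d); ipaddress stands in for inet_pton.
    Whitespace is deliberately NOT stripped: the '!' is consumed but the
    space before it is kept, so " !10.10.10.247" fails with the same quoted
    token (" 10.10.10.247") as the logs on this page (my reading of the log)."""
    bang = token.find("!")
    negate = bang != -1 and token[:bang].strip() == ""
    addr = token[:bang] + token[bang + 1:] if negate else token
    try:
        # strict=False accepts host bits under the mask (10.10.10.247/255.255.255.0)
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        raise ValueError(f'failed to parse address "{addr}"') from None
    return negate, net


def parse_address_group(value, tolerate_whitespace=False):
    """Split "[a, !b, c/24]" into (included, excluded) lists of networks.
    tolerate_whitespace=True strips each token first (the forgiving form);
    False mimics the strict behaviour the errors in this thread suggest."""
    text = value.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    included, excluded = [], []
    for token in text.split(","):
        if tolerate_whitespace:
            token = token.strip()
        negate, net = parse_address(token)
        (excluded if negate else included).append(net)
    return included, excluded


def matches(ip, included, excluded):
    """An address is in the group if some included network holds it and
    no excluded network does."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in included) and not any(addr in n for n in excluded)


def check_address_var(name, value, tolerate_whitespace=False):
    """Config lint for one address-groups entry: None if it parses, otherwise
    a message shaped like the SC_ERR_ADDRESS_ENGINE_GENERIC line quoted above."""
    try:
        parse_address_group(value, tolerate_whitespace)
    except ValueError as exc:
        return f'{exc}; failed to parse address var "{name}" with value "{value}"'
    return None


if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        print(f"{value!r}: {check_address_var('HOME_NET', value) or 'ok'}")
    no_space = "[10.10.10.0/24,!10.10.10.247]"
    print(f"{no_space!r}: {check_address_var('HOME_NET', no_space) or 'ok'}")
    inc, exc = parse_address_group(SAMPLE_VALUES[0], tolerate_whitespace=True)
    print("10.10.10.5 in HOME_NET:", matches("10.10.10.5", inc, exc))
    print("10.10.10.247 in HOME_NET:", matches("10.10.10.247", inc, exc))
    # The dotted-mask variant does not exclude one host: it excludes the /24.
    inc, exc = parse_address_group(SAMPLE_VALUES[1], tolerate_whitespace=True)
    print("dotted-mask exclude covers", exc[0], "so 10.10.10.5 ->", matches("10.10.10.5", inc, exc))
```

Run as a script it prints the lint result for each of the three values from the thread, then the same first value written without the space after the comma. The design point is the two-step split: the group is broken on commas first and each piece is handed to the per-address parser, so any whitespace left around a piece is the address parser's problem, not the YAML loader's, which is why the rest of suricata.yaml can be entirely valid while this one value is rejected.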
#14, 08-23-2013, 10:35 AM, LQ Newbie, Original Poster (Registered: Mar 2009, Posts: 26)
Yes, it is my post.