LinuxQuestions.org
Old 08-12-2013, 03:03 AM   #1
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Suricata failed to parse address


I want to check a subnet but exclude one IP.
I've read the documentation at https://redmine.openinfosecfoundatio...Suricata_Rules and it gives this example:

Code:
[10.0.0.0/24, !10.0.0.5]        (10.0.0.0/24 except for 10.0.0.5)
Now, in my suricata configuration I've set HOME_NET with:

Code:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
But, when I start Suricata I receive this error:

Quote:
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
I have Suricata version 1.4.5 RELEASE.

How can I exclude one IP from the check? What is the correct syntax?

Thanks
 
Old 08-13-2013, 03:28 PM   #2
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
The only thing I can see that is potentially wrong with your rules is leaving off the $ in front of HOME_NET, hence the error, failed to parse address var "HOME_NET". I think that this is a bit confusing in the documentation. If you haven't yet, please see this: https://redmine.openinfosecfoundatio...Suricata_Rules

From the examples (which are the same as yours):
Code:
$HOME_NET                       (Your setting of HOME_NET in yaml)
[$EXTERNAL_NET, !$HOME_NET]     (EXTERNAL_NET and not HOME_NET)
[10.0.0.0/24, !10.0.0.5]        (10.0.0.0/24 except for 10.0.0.5)
As you can see, 10.0.0.0/24, !10.0.0.5 is a syntactically valid statement, but HOME_NET has a $ in front and yours does not.
 
Old 08-14-2013, 03:39 AM   #3
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Original Poster
Quote:
Originally Posted by Noway2
The only thing I can see that is potentially wrong with your rules is leaving off the $ in front of HOME_NET, hence the error, failed to parse address var "HOME_NET". I think that this is a bit confusing in the documentation. If you haven't yet, please see this: https://redmine.openinfosecfoundatio...Suricata_Rules

From the examples (which are the same as yours):
Code:
$HOME_NET                       (Your setting of HOME_NET in yaml)
[$EXTERNAL_NET, !$HOME_NET]     (EXTERNAL_NET and not HOME_NET)
[10.0.0.0/24, !10.0.0.5]        (10.0.0.0/24 except for 10.0.0.5)
As you can see, 10.0.0.0/24, !10.0.0.5 is a syntactically valid statement, but HOME_NET has a $ in front and yours does not.
Code:
$HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
Same error.
 
Old 08-14-2013, 11:09 AM   #4
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
In follow up, I think I agree with the advice given at linux.org; that there is probably something wrong with your yaml file. Here is a link to the code that does the parsing. The code first checks for IPv4 or IPv6, then looks to see if you're using CIDR (/xx) or xxx.xxx.xxx.xxx notation for the mask. It also looks for starting with a !. Once the string has been parsed, standard functions like inet_pton are called to convert the string data into network integers. Overall, it is pretty straightforward. The error would seem to indicate that the string being parsed is not matching the correct format. The natural extension to this would be that what is being read isn't in the right format. I would suggest having a look at the following: http://en.wikipedia.org/wiki/YAML, in particular look at the section on Syntax. When you look at your file, it is common for the actual error to be either a few lines above or below the one that is actually causing the problem. Be careful about tabs versus spaces, and that you have a : in the section where required. By default strings are in quotes (" "), meaning that your IP address should be in the proper data type.
 
Old 08-16-2013, 03:18 AM   #5
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Original Poster
I have read the documentation and example but I don't understand what the correct syntax is.

Can you post an example?

Thanks
 
Old 08-22-2013, 04:31 AM   #6
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Original Poster
Any help?
 
Old 08-22-2013, 08:39 AM   #7
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
Rather than asking for the community to post an example, why don't you post your configuration file and perhaps someone will be able to identify the error?
 
Old 08-22-2013, 08:44 AM   #8
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Original Poster
Code:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
Code:
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
12/8/2013 -- 08:56:09 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
 
Old 08-22-2013, 08:54 AM   #9
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
As we previously discussed, there appears to be some sort of error in your yaml file as indicated by "Please check /etc/suricata/suricata.yaml for errors". If you are having trouble identifying the error, consider posting your yaml file.
 
Old 08-22-2013, 08:58 AM   #10
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Original Poster
Quote:
Originally Posted by Noway2
As we previously discussed, there appears to be some sort of error in your yaml file as indicated by "Please check /etc/suricata/suricata.yaml for errors". If you are having trouble identifying the error, consider posting your yaml file.
My suricata.yaml file is the default file ... I only changed the var:

Code:
HOME_NET: "[10.10.10.0/24, !10.10.10.247]"
If I change it to


Code:
HOME_NET: "[10.10.10.0/24]"
Suricata works fine.
 
Old 08-22-2013, 10:37 AM   #11
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
Here is the relevant section from the default yaml file:
Code:
# Holds variables that would be used by the engine.

vars:

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: "$EXTERNAL_NET"

  # Holds the port group vars that would be passed in a Signature.

  # These would be retrieved during the Signature port parsing stage.

  port-groups:

    HTTP_PORTS: "80"

    SHELLCODE_PORTS: "!80"

    ORACLE_PORTS: 1521

    SSH_PORTS: 22
There is something about the way you are entering information that the system does not like. Did you alter the whitespace, use tabs, or do something like that which violates the syntax? According to the comments on the thread running on linux.org, others are saying that this configuration works.

I'm sorry, but I don't know what to suggest.
 
Old 08-23-2013, 09:11 AM   #12
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Original Poster
Code:
$HOME_NET                       (Your setting of HOME_NET in yaml)
[$EXTERNAL_NET, !$HOME_NET]     (EXTERNAL_NET and not HOME_NET)
[10.0.0.0/24, !10.0.0.5]        (10.0.0.0/24 except for 10.0.0.5) <---- this is what I want
Code:
vars:

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    HOME_NET: "[10.10.10.0/24, !10.10.10.247/255.255.255.0]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: "$EXTERNAL_NET"

    DNP3_SERVER: "$HOME_NET"

    DNP3_CLIENT: "$HOME_NET"

    MODBUS_CLIENT: "$HOME_NET"

    MODBUS_SERVER: "$HOME_NET"

    ENIP_CLIENT: "$HOME_NET"

    ENIP_SERVER: "$HOME_NET"
Code:
23/8/2013 -- 15:05:47 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/255.255.255.0"
23/8/2013 -- 15:05:47 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/255.255.255.0]". Please check it's syntax
23/8/2013 -- 15:05:47 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
Code:
vars:

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    HOME_NET: "[10.10.10.0/24, !10.10.10.247/32]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: "$EXTERNAL_NET"

    DNP3_SERVER: "$HOME_NET"

    DNP3_CLIENT: "$HOME_NET"

    MODBUS_CLIENT: "$HOME_NET"

    MODBUS_SERVER: "$HOME_NET"

    ENIP_CLIENT: "$HOME_NET"

    ENIP_SERVER: "$HOME_NET"
Code:
23/8/2013 -- 15:04:44 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247/32"
23/8/2013 -- 15:04:44 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247/32]". Please check it's syntax
23/8/2013 -- 15:04:44 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
Code:
vars:

  # Holds the address group vars that would be passed in a Signature.
  # These would be retrieved during the Signature address parsing stage.
  address-groups:

    HOME_NET: "[10.10.10.0/24, !10.10.10.247]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"

    SMTP_SERVERS: "$HOME_NET"

    SQL_SERVERS: "$HOME_NET"

    DNS_SERVERS: "$HOME_NET"

    TELNET_SERVERS: "$HOME_NET"

    AIM_SERVERS: "$EXTERNAL_NET"

    DNP3_SERVER: "$HOME_NET"

    DNP3_CLIENT: "$HOME_NET"

    MODBUS_CLIENT: "$HOME_NET"

    MODBUS_SERVER: "$HOME_NET"

    ENIP_CLIENT: "$HOME_NET"

    ENIP_SERVER: "$HOME_NET"
Code:
23/8/2013 -- 15:07:19 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address " 10.10.10.247"
23/8/2013 -- 15:07:19 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - failed to parse address var "HOME_NET" with value "[10.10.10.0/24, !10.10.10.247]". Please check it's syntax
23/8/2013 -- 15:07:19 - <Error> - [ERRCODE: SC_ERR_INVALID_YAML_CONF_ENTRY(139)] - basic address vars test failed. Please check /etc/suricata/suricata.yaml for errors
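The parser Noway2 describes in post #4 (IPv4 or IPv6, CIDR or dotted-mask notation, a leading !, then inet_pton) and the three HOME_NET variants tried above can be worked through with the following added Python example. It is not Suricata's own code and not from either poster: it re-implements the address-group grammar from the linked documentation as a small tree, resolves $VAR references, evaluates which addresses a variable covers, and lists entries that arrive with surrounding whitespace, since every error line above quotes the rejected token as " 10.10.10.247" with a leading space. The ADDRESS_GROUPS dictionary, the function names and the "padded" reporting are constructed for this illustration; whether trimming the space after the comma changes the behaviour of Suricata 1.4.5 is not something this thread establishes.

```python
import ipaddress

# Constructed sample values mirroring the thread's address-groups section.
ADDRESS_GROUPS = {
    "HOME_NET": "[10.10.10.0/24, !10.10.10.247]",
    "EXTERNAL_NET": "!$HOME_NET",
    "HTTP_SERVERS": "$HOME_NET",
}


def split_top_level(body):
    """Split on commas that are not nested inside [...]."""
    items, depth, cur = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return items


def parse_group(text, padded=None):
    """Parse one address-group string into a tree of ("net", network),
    ("var", name), ("not", node) or ("list", [nodes]) tuples.
    Entries carrying surrounding whitespace are recorded in `padded`."""
    if padded is not None and text != text.strip():
        padded.append(text)
    text = text.strip()
    if not text:
        raise ValueError("empty address entry")
    if text[0] == "!":
        return ("not", parse_group(text[1:], padded))
    if text[0] == "[":
        if text[-1] != "]":
            raise ValueError("unbalanced '[' in %r" % text)
        return ("list", [parse_group(i, padded) for i in split_top_level(text[1:-1])])
    if text[0] == "$":
        return ("var", text[1:])
    # CIDR (/24) or dotted mask (/255.255.255.0); strict=False masks off host
    # bits, so a dotted /24 mask on a host address names the whole /24.
    return ("net", ipaddress.ip_network(text, strict=False))


def resolve(node, groups, _stack=()):
    """Expand every $VAR into its parsed tree; raise on undefined or circular refs."""
    kind = node[0]
    if kind == "var":
        name = node[1]
        if name in _stack:
            raise ValueError("circular reference via $%s" % name)
        if name not in groups:
            raise ValueError("undefined variable $%s" % name)
        return resolve(parse_group(groups[name]), groups, _stack + (name,))
    if kind == "not":
        return ("not", resolve(node[1], groups, _stack))
    if kind == "list":
        return ("list", [resolve(c, groups, _stack) for c in node[1]])
    return node


def matches(node, ip):
    """True if `ip` (an ipaddress object) is covered by a resolved tree."""
    kind = node[0]
    if kind == "net":
        return ip.version == node[1].version and ip in node[1]
    if kind == "not":
        return not matches(node[1], ip)
    # "[A, !B]" means A except B; a list of only negated entries means
    # everything except those.
    negatives = [c[1] for c in node[1] if c[0] == "not"]
    positives = [c for c in node[1] if c[0] != "not"]
    if any(matches(n, ip) for n in negatives):
        return False
    return not positives or any(matches(p, ip) for p in positives)


def check_address_groups(groups):
    """Return {var: [problems]} for every value that does not parse cleanly."""
    report = {}
    for name, value in groups.items():
        problems, padded = [], []
        try:
            resolve(parse_group(value, padded), groups, (name,))
        except ValueError as exc:
            problems.append(str(exc))
        problems.extend("whitespace around entry %r" % e for e in padded)
        if problems:
            report[name] = problems
    return report


def in_group(name, ip, groups=ADDRESS_GROUPS):
    """Evaluate whether the literal address `ip` falls inside groups[name]."""
    tree = resolve(parse_group(groups[name]), groups, (name,))
    return matches(tree, ipaddress.ip_address(ip))


if __name__ == "__main__":
    print(check_address_groups(ADDRESS_GROUPS))
    for host in ("10.10.10.5", "10.10.10.247", "8.8.8.8"):
        print(host, in_group("HOME_NET", host), in_group("EXTERNAL_NET", host))
```

Run stand-alone, it reports the whitespace-padded entry in HOME_NET, then shows that 10.10.10.5 is in HOME_NET, that 10.10.10.247 is not, and that 10.10.10.247 therefore evaluates as EXTERNAL_NET under "!$HOME_NET", which matters for any rule written with $EXTERNAL_NET -> $HOME_NET directionality. The dotted-mask attempt in post #12, "!10.10.10.247/255.255.255.0", resolves to the whole 10.10.10.0/24 once host bits are masked off, so even where it parsed it would exclude every host the first entry adds; "/32" is the form that names a single host.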
 
Old 08-23-2013, 10:32 AM   #13
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
Did you see this: https://redmine.openinfosecfoundation.org/issues/920

It looks like this problem is a known bug and it has been assigned high priority with the developer.
 
Old 08-23-2013, 10:35 AM   #14
robbtek
LQ Newbie
Registered: Mar 2009
Posts: 26
Original Poster
Yes, it is my post.
 
  

