Error parsing signature

Hi,
I have a recursive error in Suricata:

error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/community-community.rules at line 2581

ty

That error message is related to a rule from the Snort/VRT ruleset. That ruleset is specifically created to work with Snort. A large number of its rules also work with Suricata or other IPS systems. However, some Snort signatures are not compatible with Suricata.

It looks like that signature is not compatible. You should unselect that specific rule. It is the highlighted one in this screenshot.

[Screenshot: Screenshot_2024-11-14_17-41-17]

EDIT:
I added the Snort/VRT ruleset to my Suricata set and got the same error message.

I applied the ruleset a few times and the error message was repeated. I then unchecked that rule that I highlighted and applied the ruleset and the error message no longer occurred.

Suricata does not allow relative keywords around a fast_pattern:only content.
Snort has not followed that approach for their signature.

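As an added example (not code from this thread, from IPFire or from Suricata), here is a small Python lint that flags Snort-format rules which combine fast_pattern:only with the relative keywords within/distance, so the offending sids can be reviewed or unchecked before the ruleset is applied. It deliberately flags any rule holding both, which over-approximates Suricata's actual check; the first sample rule is the one from the error message (metadata and reference options dropped), the second is a constructed harmless rule.

```python
"""Conservative lint for Snort-format rules that Suricata is likely to reject
because relative keywords (within/distance) appear alongside a fast_pattern:only
content. Added example, not code from the thread or from Suricata."""
import re

RELATIVE = {"within", "distance"}

# Constructed sample rules file: the failing rule from the thread plus a harmless one.
ZEUS_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER '
    'Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware '
    'download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; '
    'fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; '
    'within:1; distance:-14; http_header; file_data; content:"-2013.exe"; '
    'content:"-"; within:1; distance:-14; classtype:trojan-activity; sid:26470; rev:2;)')
OK_RULE = ('alert http any any -> any any (msg:"example only"; content:"/get.php"; '
           'fast_pattern:only; classtype:misc-activity; sid:9000001; rev:1;)')
SAMPLE_RULES = "# comment line\n" + ZEUS_RULE + "\n\n" + OK_RULE + "\n"

def split_options(options: str) -> list:
    """Split 'k:v; k; ...' into (keyword, value) pairs; a ';' inside quotes does not end an option."""
    tokens = re.findall(r'(?:[^;"]|"[^"]*")+', options)
    return [tuple(p.strip() for p in t.partition(":")[::2]) for t in tokens if t.strip()]

def check_rule(rule: str):
    """Return {'sid', 'reason'} when a rule mixes fast_pattern:only with a relative
    keyword, else None. Over-approximates on purpose: any rule holding both is flagged."""
    m = re.search(r"\((.*)\)\s*$", rule.strip())
    if not m:
        return None
    opts = split_options(m.group(1))
    sid = next((v for k, v in opts if k == "sid"), "?")
    fp_only = any(k == "fast_pattern" and v == "only" for k, v in opts)
    relative = sorted({k for k, _ in opts if k in RELATIVE})
    if fp_only and relative:
        return {"sid": sid, "reason": "fast_pattern:only with " + ", ".join(relative)}
    return None

def lint_rules(text: str) -> list:
    """Lint every non-empty, non-comment line of a rules file body."""
    hits = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            hit = check_rule(line)
            if hit:
                hits.append(hit)
    return hits
```

Feed it the body of a rules file such as /var/lib/suricata/community-community.rules and the returned sids are the candidates to uncheck in the ruleset editor.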

Hi,
I have unchecked the rule that you highlighted and applied the ruleset, and the error message no longer occurs.
ty
