<div dir="ltr">Hi Guys,<div><br></div><div>I have Suricata version 3.2.4 running on CentOS 7 and I am seeing the errors below while starting Suricata. I am just starting Suricata and am not sure why this is appearing.</div><div><br></div><div>################################</div><div><br></div><div><div>31/12/2017 -- 19:36:36 - <Info> - Shortening device name to: eno1..7736</div><div>31/12/2017 -- 19:36:36 - <Notice> -- This is Suricata version 3.2.4 RELEASE</div><div>31/12/2017 -- 19:36:36 - <Info> -- CPUs/cores online: 4</div><div>31/12/2017 -- 19:36:36 - <Info> -- HTTP memcap: 67108864</div><div>31/12/2017 -- 19:36:36 - <Notice> -- using flow hash instead of active packets</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div><br></div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:ruleset community, service sip; reference:url,<a href="http://www.ietf.org/rfc/rfc3261.txt">www.ietf.org/rfc/rfc3261.txt</a>; classtype:protocol-command-decode; sid:11968; rev:7;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2295</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET 1024:65535 (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 
(Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/">www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/</a>; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2413</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/">www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/</a>; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2459</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".<a href="http://com.br">com.br</a>|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2499</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN">www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN</a>; reference:url,<a 
href="http://www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/">www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/</a>; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2558</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27899; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2626</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a 
href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27900; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2627</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27901; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2628</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27902; rev:1;)" from file 
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2629</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27903; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2630</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27904; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2631</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like 
dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: <a href="http://www.timeapi.org">www.timeapi.org</a>|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/">www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/</a>; classtype:trojan-activity; sid:28156; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2678</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/">www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/</a>; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2699</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: <a href="http://checkip.dyndns.org">checkip.dyndns.org</a>|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy 
balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.sans.org/security-resources/malwarefaq/conficker-worm.php">www.sans.org/security-resources/malwarefaq/conficker-worm.php</a>; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2711</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: <a href="http://www.ask.com">www.ask.com</a>|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.sans.org/security-resources/malwarefaq/conficker-worm.php">www.sans.org/security-resources/malwarefaq/conficker-worm.php</a>; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2712</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400">urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400</a>; reference:url,<a href="http://www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/">www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/</a>; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2725</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: <a href="http://checkip.dyndns.org">checkip.dyndns.org</a>|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy 
balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/">www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/</a>; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2830</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis">www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis</a>; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2834</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  
Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2907</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2908</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  
Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2909</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2910</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  
Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2911</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3002</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; 
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3003</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/">www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/</a>; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3037</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  
Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/">www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/</a>; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3038</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: <a href="http://windowsupdate.microsoft.com">windowsupdate.microsoft.com</a>|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a 
href="http://www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/">www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/</a>; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3113</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: <a href="http://ip-addr.es">ip-addr.es</a>|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/">www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/</a>; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3118</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/">www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/</a>; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3278</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  
Reset sticky buffer with pkt_data before using the modifier.</div><div>31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/">www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/</a>; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3279</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> ![any,$SMTP_SERVERS] any (msg:"CleanDNS_Phase1 - ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,<a href="http://doc.emergingthreats.net/2003195">doc.emergingthreats.net/2003195</a>; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 4113</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. 
Probably have a !any or an address range that supplies a NULL address range</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp ![any,$SMTP_SERVERS] any -> any 53 (msg:"CleanDNS_Phase1 - ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,<a href="http://doc.emergingthreats.net/2003330">doc.emergingthreats.net/2003330</a>; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 4151</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !$SMTP_SERVERS any -> !any 25 (msg:"CleanDNS_Phase1 - ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,<a href="http://doc.emergingthreats.net/2000328">doc.emergingthreats.net/2000328</a>; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 4154</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. 
Probably have a !any or an address range that supplies a NULL address range</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !any any -> any 25 (msg:"CleanDNS_Phase1 - ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,<a href="http://doc.emergingthreats.net/2002087">doc.emergingthreats.net/2002087</a>; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 4155</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop udp any any -> any 53 (msg: "CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion"; content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; nocase; reference:url,<a href="http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion">app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion</a>; sid:5700006; rev:1;)"</div><div>31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> any 53 (msg: "CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion"; content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; nocase; reference:url,<a href="http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion">app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion</a>; sid:5700006; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/dnstunnel.rules at line 9</div><div>31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules successfully loaded, 36 rules failed</div><div>31/12/2017 -- 19:36:37 - <Info> -- 9343 signatures processed. 
25 are IP-only rules, 7491 are inspecting packet payload, 1974 inspect application layer, 4 are decoder event only</div><div>31/12/2017 -- 19:36:38 - <Info> -- Threshold config parsed: 0 rule(s) found</div><div>31/12/2017 -- 19:36:38 - <Info> -- fast output device (regular) initialized: alerts.log</div><div>31/12/2017 -- 19:36:38 - <Info> -- unable to find af-packet config for interface "eno16777736" or "default", using default values</div><div>31/12/2017 -- 19:36:38 - <Info> -- Going to use 4 ReceiveAFP receive thread(s)</div><div>31/12/2017 -- 19:36:38 - <Notice> -- all 8 packet processing threads, 2 management threads initialized, engine started.</div><div>31/12/2017 -- 19:36:38 - <Info> -- All AFP capture threads are running.</div></div><div><br></div><div>############################################</div><div><br></div><div><br></div></div>
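A small triage helper, added here as an example (it is not from the original post or from the Suricata project), that pairs each "error parsing signature" line with the reason line Suricata prints immediately before it and tallies the failures by cause, so a rule maintainer can see which fix clears the most rules. The sample log is constructed and trimmed from the kind of lines shown above; the rule file path is a placeholder.

```python
import re
from collections import Counter

# Constructed sample, trimmed from the startup messages Suricata 3.2.4 prints
# when a rule fails to parse; the cause line always precedes the rule line.
SAMPLE_LOG = """\
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"a"; sid:11968; rev:7;)" from file /placeholder/rules/a.rules at line 2295
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !any any -> any 25 (msg:"b"; sid:2002087; rev:10;)" from file /placeholder/rules/a.rules at line 4155
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> ![any,$SMTP_SERVERS] any (msg:"c"; sid:2003195; rev:5;)" from file /placeholder/rules/a.rules at line 4113
31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules successfully loaded, 36 rules failed
"""

# Generic Suricata log line: timestamp, level, optional ERRCODE, message.
LINE_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} -- \d{2}:\d{2}:\d{2} - <(?P<level>\w+)> -- "
    r"(?:\[ERRCODE: (?P<code>\w+)\(\d+\)\] - )?(?P<msg>.*)$"
)
# The line naming the failing rule, its file and its line number.
FAIL_RE = re.compile(
    r'^error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$'
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rule_failures(text):
    """Return one dict (sid, reason, file, line) per failed rule."""
    failures, pending_reason = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("level") != "Error":
            continue  # Info/Notice lines carry no failure detail
        fm = FAIL_RE.match(m.group("msg"))
        if fm is None:
            pending_reason = m.group("msg")  # cause printed before the rule
            continue
        sid = SID_RE.search(fm.group("rule"))
        failures.append({
            "sid": int(sid.group(1)) if sid else None,
            "reason": pending_reason or "unknown",
            "file": fm.group("file"),
            "line": int(fm.group("line")),
        })
        pending_reason = None  # each reason applies to exactly one rule
    return failures


def summarize(failures):
    """Count failures per root cause so the most common fix is done first."""
    return Counter(f["reason"] for f in failures)
```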