<div dir="ltr">Surprising...<div><br></div><div>I am using EPEL but somehow the default installation is fetching 3.2.4.</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Dec 31, 2017 at 7:59 PM, Jason Ish <span dir="ltr"><<a href="mailto:lists@ish.cx" target="_blank">lists@ish.cx</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Blason,<br>
<br>
See response below...<span class="gmail-"><br>
<br>
On 2017-12-31 08:07 AM, Blason R wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
Hi Guys,<br>
<br>
I have Suricata version 3.2.4 running on CentOS 7 and I am seeing the errors below while starting Suricata. I am just starting Suricata and am not sure why this is appearing.<br>
<br>
################################<br>
<br>
31/12/2017 -- 19:36:36 - <Info> - Shortening device name to: eno1..7736<br>
31/12/2017 -- 19:36:36 - <Notice> -- This is Suricata version 3.2.4 RELEASE<br>
31/12/2017 -- 19:36:36 - <Info> -- CPUs/cores online: 4<br>
31/12/2017 -- 19:36:36 - <Info> -- HTTP memcap: 67108864<br>
31/12/2017 -- 19:36:36 - <Notice> -- using flow hash instead of active packets<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br>
<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:ruleset community, service sip; reference:url,<a href="http://www.ietf.org/rfc/rfc3261.txt" rel="noreferrer" target="_blank">www.ietf.org/rfc/rfc3261.txt</a>; classtype:protocol-command-decode; sid:11968; rev:7;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2295<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET 1024:65535 (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/" rel="noreferrer" target="_blank">www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/</a>; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2413<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/" rel="noreferrer" target="_blank">www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/</a>; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2459<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2499<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN" rel="noreferrer" target="_blank">www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN</a>; reference:url,<a href="http://www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/" rel="noreferrer" target="_blank">www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/</a>; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2558<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" rel="noreferrer" target="_blank">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27899; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2626<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" rel="noreferrer" target="_blank">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27900; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2627<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" rel="noreferrer" target="_blank">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27901; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2628<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" rel="noreferrer" target="_blank">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27902; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2629<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" rel="noreferrer" target="_blank">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27903; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2630<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,<a href="http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html" rel="noreferrer" target="_blank">blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html</a>; classtype:attempted-recon; sid:27904; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2631<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/" rel="noreferrer" target="_blank">www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/</a>; classtype:trojan-activity; sid:28156; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2678<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/" rel="noreferrer" target="_blank">www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/</a>; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2699<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.sans.org/security-resources/malwarefaq/conficker-worm.php" rel="noreferrer" target="_blank">www.sans.org/security-resources/malwarefaq/conficker-worm.php</a>; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2711<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.sans.org/security-resources/malwarefaq/conficker-worm.php" rel="noreferrer" target="_blank">www.sans.org/security-resources/malwarefaq/conficker-worm.php</a>; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2712<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400" rel="noreferrer" target="_blank">urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400</a>; reference:url,<a href="http://www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/" rel="noreferrer" target="_blank">www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/</a>; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2725<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/" rel="noreferrer" target="_blank">www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/</a>; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2830<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis" rel="noreferrer" target="_blank">www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis</a>; classtype:trojan-activity; sid:29895; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2834<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2907<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2908<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2909<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2910<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2911<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3002<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 3003<br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/" rel="noreferrer" target="_blank">www.virustotal.c<wbr>om/en/file/e0290c3900445dc00ca<wbr>24888924e37fa6ac17ecaddc60591e<wbr>32b81536b9f5ef7/analysis/</a> <<a href="http://www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/" rel="noreferrer" target="_blank">http://www.virustotal.com/en/<wbr>file/e0290c3900445dc00ca248889<wbr>24e37fa6ac17ecaddc60591e32b815<wbr>36b9f5ef7/analysis/</a>>; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 3037<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/" rel="noreferrer" target="_blank">www.virustotal.c<wbr>om/en/file/e0290c3900445dc00ca<wbr>24888924e37fa6ac17ecaddc60591e<wbr>32b81536b9f5ef7/analysis/</a> <<a href="http://www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/" rel="noreferrer" target="_blank">http://www.virustotal.com/en/<wbr>file/e0290c3900445dc00ca248889<wbr>24e37fa6ac17ecaddc60591e32b815<wbr>36b9f5ef7/analysis/</a>>; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 3038<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: <a href="http://windowsupdate.microsoft.com" rel="noreferrer" target="_blank">windowsupdate.microsoft.com</a> <<a href="http://windowsupdate.microsoft.com" rel="noreferrer" target="_blank">http://windowsupdate.microsof<wbr>t.com</a>>|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/" rel="noreferrer" target="_blank">www.virustotal.c<wbr>om/en/file/cab1fffe7a34b5bb7da<wbr>b2cacd406cf15628d835ab63502d28<wbr>df78c2faeaad366/analysis/<wbr>1421677054/</a> <<a href="http://www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/" rel="noreferrer" target="_blank">http://www.virustotal.com/en/<wbr>file/cab1fffe7a34b5bb7dab2cacd<wbr>406cf15628d835ab63502d28df78c2<wbr>faeaad366/analysis/1421677054/</a><wbr>>; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 3113<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: <a href="http://ip-addr.es" rel="noreferrer" target="_blank">ip-addr.es</a> <<a href="http://ip-addr.es" rel="noreferrer" target="_blank">http://ip-addr.es</a>>|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/" rel="noreferrer" target="_blank">www.virustotal.c<wbr>om/en/file/17edf82c40df6c72681<wbr>91def7cbff6e60e78d738801840880<wbr>0d42581567f78cf/analysis/</a> <<a href="http://www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/" rel="noreferrer" target="_blank">http://www.virustotal.com/en/<wbr>file/17edf82c40df6c7268191def7<wbr>cbff6e60e78d7388018408800d4258<wbr>1567f78cf/analysis/</a>>; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 3118<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0<wbr>-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/" rel="noreferrer" target="_blank">www.virustotal.c<wbr>om/en/file/77c802db1731fa8dae1<wbr>b03d978f89b046309adfa1237b1497<wbr>a69ccb9c2d82c16/analysis/<wbr>1459520578/</a> <<a href="http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/" rel="noreferrer" target="_blank">http://www.virustotal.com/en/<wbr>file/77c802db1731fa8dae1b03d97<wbr>8f89b046309adfa1237b1497a69ccb<wbr>9c2d82c16/analysis/1459520578/</a><wbr>>; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 3278<span class="gmail-"><br>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.<br></span>
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,<a href="http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/" rel="noreferrer" target="_blank">www.virustotal.c<wbr>om/en/file/77c802db1731fa8dae1<wbr>b03d978f89b046309adfa1237b1497<wbr>a69ccb9c2d82c16/analysis/<wbr>1459520578/</a> <<a href="http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/" rel="noreferrer" target="_blank">http://www.virustotal.com/en/<wbr>file/77c802db1731fa8dae1b03d97<wbr>8f89b046309adfa1237b1497a69ccb<wbr>9c2d82c16/analysis/1459520578/</a><wbr>>; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 3279<span class="gmail-"><br>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range<br></span>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> ![any,$SMTP_SERVERS] any (msg:"CleanDNS_Phase1 - ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,<a href="http://doc.emergingthreats.net/2003195" rel="noreferrer" target="_blank">doc.emergingthre<wbr>ats.net/2003195</a> <<a href="http://doc.emergingthreats.net/2003195" rel="noreferrer" target="_blank">http://doc.emergingthreats.ne<wbr>t/2003195</a>>; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 4113<span class="gmail-"><br>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range<br></span>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp ![any,$SMTP_SERVERS] any -> any 53 (msg:"CleanDNS_Phase1 - ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,<a href="http://doc.emergingthreats.net/2003330" rel="noreferrer" target="_blank">doc.emergingthre<wbr>ats.net/2003330</a> <<a href="http://doc.emergingthreats.net/2003330" rel="noreferrer" target="_blank">http://doc.emergingthreats.ne<wbr>t/2003330</a>>; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 4151<span class="gmail-"><br>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range<br></span>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !$SMTP_SERVERS any -> !any 25 (msg:"CleanDNS_Phase1 - ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,<a href="http://doc.emergingthreats.net/2000328" rel="noreferrer" target="_blank">doc.emergingthre<wbr>ats.net/2000328</a> <<a href="http://doc.emergingthreats.net/2000328" rel="noreferrer" target="_blank">http://doc.emergingthreats.ne<wbr>t/2000328</a>>; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 4154<span class="gmail-"><br>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range<br></span>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !any any -> any 25 (msg:"CleanDNS_Phase1 - ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,<a href="http://doc.emergingthreats.net/2002087" rel="noreferrer" target="_blank">doc.emergingthre<wbr>ats.net/2002087</a> <<a href="http://doc.emergingthreats.net/2002087" rel="noreferrer" target="_blank">http://doc.emergingthreats.ne<wbr>t/2002087</a>>; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/cleandnsmod<wbr>.rules at line 4155<br>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop udp any any -> any 53 (msg: "CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion"; content:"|10|xxlvbrloxvriy2c5|<wbr>05|onion|00|"; nocase; reference:url,<a href="http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion" rel="noreferrer" target="_blank">app.threatconnec<wbr>t.com/auth/indicators/details/<wbr>host.xhtml?host=<wbr>xxlvbrloxvriy2c5.onion</a> <<a href="http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion" rel="noreferrer" target="_blank">http://app.threatconnect.com/<wbr>auth/indicators/details/host.x<wbr>html?host=xxlvbrloxvriy2c5.oni<wbr>on</a>>; sid:5700006; rev:1;)"<br>
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> any 53 (msg: "CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion"; content:"|10|xxlvbrloxvriy2c5|<wbr>05|onion|00|"; nocase; reference:url,<a href="http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion" rel="noreferrer" target="_blank">app.threatconnec<wbr>t.com/auth/indicators/details/<wbr>host.xhtml?host=<wbr>xxlvbrloxvriy2c5.onion</a> <<a href="http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion" rel="noreferrer" target="_blank">http://app.threatconnect.com/<wbr>auth/indicators/details/host.x<wbr>html?host=xxlvbrloxvriy2c5.oni<wbr>on</a>>; sid:5700006; rev:1;)" from file /usr/local/etc/suricata/surica<wbr>ta_42988_em0/rules/dnstunnel.<wbr>rules at line 9<span class="gmail-"><br>
31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules successfully loaded, 36 rules failed<br>
31/12/2017 -- 19:36:37 - <Info> -- 9343 signatures processed. 25 are IP-only rules, 7491 are inspecting packet payload, 1974 inspect application layer, 4 are decoder event only<br>
31/12/2017 -- 19:36:38 - <Info> -- Threshold config parsed: 0 rule(s) found<br>
31/12/2017 -- 19:36:38 - <Info> -- fast output device (regular) initialized: alerts.log<br>
31/12/2017 -- 19:36:38 - <Info> -- unable to find af-packet config for interface "eno16777736" or "default", using default values<br>
31/12/2017 -- 19:36:38 - <Info> -- Going to use 4 ReceiveAFP receive thread(s)<br>
31/12/2017 -- 19:36:38 - <Notice> -- all 8 packet processing threads, 2 management threads initialized, engine started.<br>
31/12/2017 -- 19:36:38 - <Info> -- All AFP capture threads are running.<br>
<br>
##############################<wbr>##############<br>
</span></blockquote>
<br>
It looks like you are using some Snort rules. The SIP ones use some variable not defined in the Suricata.yaml, so you will need to add those yourself.<br>
<br>
If you can, please start with a Suricata specific ruleset, then if you need some rules that are only available for Snort, add those as needed, and fix them up for Suricata as needed.<br>
<br>
Please note that Suricata 3.2.4 is now end of life. Please upgrade to 4.0.3. If using EPEL, Suricata 4.0.1 is available now. 4.0.3 will be available soon.<br>
<br>
Jason<br>
<br>
______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/suppor<wbr>t/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/train<wbr>ing/</a></blockquote></div><br></div></div>
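The SC_ERR_UNDEFINED_VAR and "Complete IP space negated" errors in the log above are both rule-header problems that can be caught before the file is handed to Suricata. The following is an added example (not Suricata's code, nor the list authors') that scans a rules file for them; DEFINED_VARS is an assumption standing in for the real vars section of your suricata.yaml, and headers are assumed to contain no whitespace inside brackets.

```python
# Added example, not Suricata's own code: pre-flight a rules file for the two
# header problems in the log (undefined $VARs, fully negated address space).
import re

# Groups the stock suricata.yaml of that era defines (an assumption; parse the
# real 'vars' section of your own file instead of trusting this list).
DEFINED_VARS = {
    "HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "SMTP_SERVERS", "SQL_SERVERS",
    "DNS_SERVERS", "HTTP_PORTS", "SHELLCODE_PORTS", "SSH_PORTS", "FTP_PORTS",
}
# Header is "action proto src sport dir dst dport ("; options follow the "(".
HEADER_RE = re.compile(r"^\s*\w+\s+\w+\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                       r"(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
FIELDS = ("src", "sport", "dst", "dport")

def undefined_vars(rule, defined=DEFINED_VARS):
    """$NAMEs in the header that 'vars' lacks (SC_ERR_UNDEFINED_VAR)."""
    m = HEADER_RE.match(rule)
    if not m:
        return []
    used = VAR_RE.findall(" ".join(m.group(f) for f in FIELDS))
    return sorted({v for v in used if v not in defined})

def negates_all(field):
    """'!any' or '![any,$X]' negate a set that contains 'any', leaving an
    empty range; Suricata rejects it as "Complete IP space negated"."""
    f = field.strip()
    if not f.startswith("!"):
        return False
    return "any" in [i.strip() for i in f[1:].strip("[]").split(",")]

def check_rule(rule):
    """Findings for one rule line as short strings (empty list when clean)."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["unparseable rule header"]
    found = ["undefined variable $" + v for v in undefined_vars(rule)]
    found += [f"{f} negates the whole space: {m.group(f)}"
              for f in FIELDS if negates_all(m.group(f))]
    return found

def check_rules(text):
    """Map line number -> findings for each non-comment rule in a file body."""
    results = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            found = check_rule(line)
            if found:
                results[n] = found
    return results

# Constructed sample: headers copied from failing rules in the log, bodies
# cut down to msg and sid.
SAMPLE_RULES = """# cleandnsmod.rules (excerpt)
drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"inbound INVITE"; sid:11968;)
drop udp any 53 -> ![any,$SMTP_SERVERS] any (msg:"DNS No Such Name"; sid:2003195;)
drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any (msg:".jpg.exe in zip"; sid:31000;)
"""

if __name__ == "__main__":
    for lineno, findings in sorted(check_rules(SAMPLE_RULES).items()):
        print(f"line {lineno}: " + "; ".join(findings))
```

In practice `suricata -T -c /etc/suricata/suricata.yaml` loads the rules without starting capture and reports the same errors; this script only narrows down which header fields need fixing.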