<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0">I installed the most recent SO and did "sudo soup".</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I ran "<span style="font-size: 12pt;">suricata -r /opt/samples/zeus-sample-1.pcap -c /etc/nsm/sans-virtual-machine-eth1/suricata.yaml"</span></p>
<div><br>
</div>
<div>I am getting the following errors. I have tried all day to figure out the issue, but I am having no luck resolving it. </div>
<div><br>
</div>
<div>I checked out the common errors page as well, with no luck. </div>
<div><br>
</div>
<div><span>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed
 attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160;
 classtype:attempted-recon; sid:30787; rev:3;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl
 heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160;
 classtype:attempted-recon; sid:30787; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 31971</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed
 attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160;
 classtype:attempted-recon; sid:30788; rev:3;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl
 heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160;
 classtype:attempted-recon; sid:30788; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 31972</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client;
 dsize:>2000; content:"|0B 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1;
 classtype:attempted-recon; sid:40220; rev:5;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client;
 dsize:>2000; content:"|0B 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1;
 classtype:attempted-recon; sid:40220; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32415</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000;
 content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative;
 metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon;
 sid:40221; rev:5;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000;
 content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative;
 metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon;
 sid:40221; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32416</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000;
 content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative;
 metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon;
 sid:40222; rev:5;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000;
 content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative;
 metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon;
 sid:40222; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32417</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE";
 fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023;
 classtype:attempted-admin; sid:40241; rev:2;)" from file /etc/nsm/rules/downloaded.rules at line 32418</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established;
 content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41722; rev:4;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established;
 content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41722; rev:4;)" from file /etc/nsm/rules/downloaded.rules at line 32512</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established;
 content:"|00 00 00 01 00 00 00 01 00 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41723; rev:3;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established;
 content:"|00 00 00 01 00 00 00 01 00 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41723; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 32513</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established;
 content:"|00 00 00 01 00 00 00 01 00 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41724; rev:3;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established;
 content:"|00 00 00 01 00 00 00 01 00 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41724; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 32514</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established; content:"|00
 00 00 02 00 00 00 01 00 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41725; rev:3;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established;
 content:"|00 00 00 02 00 00 00 01 00 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
 classtype:attempted-admin; sid:41725; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 32515</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc;
 dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction;
 classtype:attempted-user; sid:44501; rev:2;)" from file /etc/nsm/rules/downloaded.rules at line 32637</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc;
 dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction;
 classtype:attempted-user; sid:44502; rev:2;)" from file /etc/nsm/rules/downloaded.rules at line 32638</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established; content:"|FE|SMB|40
 00|"; depth:6; offset:4; content:"|03 00|"; within:2; distance:6; content:"|01|"; within:1; distance:2; content:"|10 00|"; within:2; distance:47; byte_test:3, >, 1481, 1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips
 drop, policy security-ips drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:5;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established;
 content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|03 00|"; within:2; distance:6; content:"|01|"; within:1; distance:2; content:"|10 00|"; within:2; distance:47; byte_test:3, >, 1481, 1; metadata:policy balanced-ips drop, policy connectivity-ips drop,
 policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32851</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc;
 content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community,
 service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:4;)"</div>
<div>18/2/2018 -- 07:10:31 - &lt;Error&gt; - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc;
 content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community,
 service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:4;)" from file /etc/nsm/rules/downloaded.rules at line 32852</div>
<div><br>
</div>
<div>Any help would be appreciated. </div>
</span><br>
</div>
</div>
</body>
</html>