[Oisf-users] Not sure why below errro while starting suricata
Blason R
blason16 at gmail.com
Sun Dec 31 14:07:58 UTC 2017
Hi Guys,
I have suricata version 3.2.4 running on CentOS 7 and I am seeing below
errors while starting Suricata. I am just starting suricata and not sure
why this is appearing.
################################
31/12/2017 -- 19:36:36 - <Info> - Shortening device name to: eno1..7736
31/12/2017 -- 19:36:36 - <Notice> -- This is Suricata version 3.2.4 RELEASE
31/12/2017 -- 19:36:36 - <Info> -- CPUs/cores online: 4
31/12/2017 -- 19:36:36 - <Info> -- HTTP memcap: 67108864
31/12/2017 -- 19:36:36 - <Notice> -- using flow hash instead of active
packets
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS
$SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP inbound INVITE message";
flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite;
metadata:ruleset community, service sip; reference:url,
www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968;
rev:7;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2295
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET 1024:65535
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Fakeavlock variant outbound
connection"; flow:to_server,established; dsize:267<>276;
content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows
NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159;
pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,
www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/;
classtype:trojan-activity; sid:25675; rev:7;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2413
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- previous keyword has a fast_pattern:only; set. Can't have relative
keywords around a fast_pattern only content
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated
zip/exe HTTP Response - potential malware download";
flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only;
content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1;
distance:-14; http_header; file_data; content:"-2013.exe"; content:"-";
within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http; reference:url,
www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/;
classtype:trojan-activity; sid:26470; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2459
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- previous keyword has a fast_pattern:only; set. Can't have relative
keywords around a fast_pattern only content
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Bancos fake JPG encrypted config file
download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|";
fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg";
distance:0; http_uri;
pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:26722; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2499
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win32/Autorun.JN variant outbound
connection"; flow:to_server,established; dsize:142; urilen:8;
content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm";
http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; reference:url,
www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN;
reference:url,
www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/;
classtype:trojan-activity; sid:26966; rev:3;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2558
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS
$SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Possible SIP OPTIONS
service information gathering attempt"; flow:to_server; sip_method:options;
content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count
100, seconds 25; metadata:ruleset community, service sip; reference:url,
blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html;
classtype:attempted-recon; sid:27899; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2626
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp $SIP_SERVERS $SIP_PORTS ->
$EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Excessive number of
SIP 4xx responses potential user or password guessing attempt";
flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only;
detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
community, service sip; reference:url,
blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html;
classtype:attempted-recon; sid:27900; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2627
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp $SIP_SERVERS $SIP_PORTS ->
$EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Ghost call attack
attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0";
fast_pattern:only; detection_filter:track by_src, count 100, seconds 25;
metadata:ruleset community, service sip; reference:url,
blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html;
classtype:attempted-recon; sid:27901; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2628
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS
$SIP_PORTS (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Possible SIP OPTIONS
service information gathering attempt"; flow:to_server,established;
sip_method:options; content:"SIP/2.0"; fast_pattern:only;
detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
community, service sip; reference:url,
blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html;
classtype:attempted-recon; sid:27902; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2629
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $SIP_SERVERS $SIP_PORTS ->
$EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Ghost call attack
attempt"; flow:to_client,established; sip_stat_code:180; content:"SIP/2.0";
fast_pattern:only; detection_filter:track by_src, count 100, seconds 25;
metadata:ruleset community, service sip; reference:url,
blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html;
classtype:attempted-recon; sid:27903; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2630
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $SIP_SERVERS $SIP_PORTS ->
$EXTERNAL_NET any (msg:"CleanDNS_Phase1 - PROTOCOL-VOIP Excessive number of
SIP 4xx responses potential user or password guessing attempt";
flow:to_client,established; sip_stat_code:4; content:"SIP/2.0";
fast_pattern:only; detection_filter:track by_src, count 100, seconds 25;
metadata:ruleset community, service sip; reference:url,
blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html;
classtype:attempted-recon; sid:27904; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2631
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - PUA-ADWARE Linkury outbound time check";
flow:to_server,established; dsize:72; urilen:8; content:"/utc/now
HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D
0A|"; fast_pattern:only; metadata:ruleset community, service http;
reference:url,
www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/;
classtype:trojan-activity; sid:28156; rev:2;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2678
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- previous keyword has a fast_pattern:only; set. Can't have relative
keywords around a fast_pattern only content
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Kazy variant outbound
connection"; flow:to_server,established; content:".exe HTTP/1.1|0D
0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE ";
http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: ";
distance:0; http_header;
pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http; reference:url,
www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/;
classtype:trojan-activity; sid:28406; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2699
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET 80
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Conficker variant outbound
connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET
/ HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B|
Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D
0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,
www.sans.org/security-resources/malwarefaq/conficker-worm.php;
classtype:trojan-activity; sid:28542; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2711
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET 80
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Conficker variant outbound
connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET
/ HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B|
Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D
0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,
www.sans.org/security-resources/malwarefaq/conficker-worm.php;
classtype:trojan-activity; sid:28543; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2712
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- previous keyword has a fast_pattern:only; set. Can't have relative
keywords around a fast_pattern only content
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Injector variant outbound
connection"; flow:to_server,established; urilen:9; content:"/load.exe
HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B
20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0;
http_header; content:!"Accept"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,
urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400;
reference:url,
www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/;
classtype:trojan-activity; sid:28807; rev:2;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2725
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.WEC variant outbound
connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET /
HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A
0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,
www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/;
classtype:trojan-activity; sid:29882; rev:2;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2830
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- previous keyword has a fast_pattern:only; set. Can't have relative
keywords around a fast_pattern only content
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Bancos variant outbound
connection "; flow:to_server,established; content:"Content-Length: 166";
content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type:
application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT
6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: ";
fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c=";
within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,
www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis;
classtype:trojan-activity; sid:29895; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2834
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_header" keyword seen with a sticky buffer still set. Reset sticky
buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download -
.doc.exe within .zip file"; flow:to_client,established;
flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only;
content:"Content-Length:"; http_header; metadata:policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:30997;
rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2907
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_header" keyword seen with a sticky buffer still set. Reset sticky
buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download -
.gif.exe within .zip file"; flow:to_client,established;
flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only;
content:"Content-Length:"; http_header; metadata:policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:30998;
rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2908
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_header" keyword seen with a sticky buffer still set. Reset sticky
buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download -
.jpeg.exe within .zip file"; flow:to_client,established;
flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only;
content:"Content-Length:"; http_header; metadata:policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:30999;
rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2909
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_header" keyword seen with a sticky buffer still set. Reset sticky
buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download -
.jpg.exe within .zip file"; flow:to_client,established;
flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only;
content:"Content-Length:"; http_header; metadata:policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:31000;
rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2910
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_header" keyword seen with a sticky buffer still set. Reset sticky
buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - INDICATOR-COMPROMISE Potential malware download -
.pdf.exe within .zip file"; flow:to_client,established;
flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only;
content:"Content-Length:"; http_header; metadata:policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:31001;
rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
2911
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS
$SIP_PORTS (msg:"CleanDNS_Phase1 - OS-OTHER Bash environment variable
injection attempt"; flow:stateless; sip_header; content:"() {";
metadata:policy max-detect-ips drop, policy security-ips drop, ruleset
community, service sip; reference:cve,2014-6271; reference:cve,2014-6277;
reference:cve,2014-6278; reference:cve,2014-7169;
classtype:attempted-admin; sid:32041; rev:4;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3002
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] -
Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS
$SIP_PORTS (msg:"CleanDNS_Phase1 - OS-OTHER Bash environment variable
injection attempt"; flow:to_server,established; sip_header; content:"() {";
metadata:policy max-detect-ips drop, policy security-ips drop, ruleset
community, service sip; reference:cve,2014-6271; reference:cve,2014-6277;
reference:cve,2014-6278; reference:cve,2014-7169;
classtype:attempted-admin; sid:32042; rev:4;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3003
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_header" keyword seen with a sticky buffer still set. Reset sticky
buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Sodebral HTTP Response
attempt"; flow:to_client,established; file_data; dsize:<194;
content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header;
content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,
www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/;
classtype:trojan-activity; sid:32607; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3037
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_header" keyword seen with a sticky buffer still set. Reset sticky
buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.Sodebral HTTP Response
attempt"; flow:to_client,established; file_data; dsize:<194;
content:"BRASIL"; depth:6; content:!"Content-Length"; http_header;
content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,
www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/;
classtype:trojan-activity; sid:32608; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3038
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Agent.BHHK variant outbound
connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET
/ HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B|
Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection:
Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,
www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/;
classtype:trojan-activity; sid:33227; rev:2;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3113
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords).
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.FileEncoder IP geolocation
checkin attempt"; flow:to_server,established; dsize:214; urilen:1;
content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE
6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR
2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host:
ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,
www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/;
classtype:trojan-activity; sid:33449; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3118
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- previous keyword has a fast_pattern:only; set. Can't have relative
keywords around a fast_pattern only content
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.GateKeylogger initial
exfiltration attempt"; flow:to_server,established; content:"/gate.php";
fast_pattern:only; content:"pc="; nocase; http_client_body;
content:"&admin="; distance:0; nocase; http_client_body; content:"&os=";
distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase;
http_client_body; content:"&arc="; distance:0; nocase; http_client_body;
content:"User-Agent|3A 20|"; http_header;
pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,
www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/;
classtype:trojan-activity; sid:38562; rev:2;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3278
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- "http_stat_code" keyword seen with a sticky buffer still set. Reset
sticky buffer with pkt_data before using the modifier.
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> any any
(msg:"CleanDNS_Phase1 - MALWARE-CNC Win.Trojan.GateKeylogger fake 404
response"; flow:to_client,established; file_data; content:"200";
http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<";
fast_pattern:only; content:" requested URL / was not found ";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,
www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/;
classtype:trojan-activity; sid:38563; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
3279
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Complete IP space negated. Rule address range is NIL. Probably have a
!any or an address range that supplies a NULL address range
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp any 53 -> ![any,$SMTP_SERVERS] any
(msg:"CleanDNS_Phase1 - ET POLICY Unusual number of DNS No Such Name
Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track
by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195;
classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30,
updated_at 2010_07_30;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
4113
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Complete IP space negated. Rule address range is NIL. Probably have a
!any or an address range that supplies a NULL address range
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp ![any,$SMTP_SERVERS] any -> any 53
(msg:"CleanDNS_Phase1 - ET POLICY Possible Spambot Host DNS MX Query High
Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|";
distance: 8; threshold:type both, count 30, seconds 10, track by_src;
reference:url,doc.emergingthreats.net/2003330; classtype:bad-unknown;
sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at
2010_07_30;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
4151
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Complete IP space negated. Rule address range is NIL. Probably have a
!any or an address range that supplies a NULL address range
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp !$SMTP_SERVERS any -> !any 25
(msg:"CleanDNS_Phase1 - ET POLICY Outbound Multiple Non-SMTP Server
Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type
threshold, track by_src, count 10, seconds 120; reference:url,
doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328;
rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
4154
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- Complete IP space negated. Rule address range is NIL. Probably have a
!any or an address range that supplies a NULL address range
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop tcp !any any -> any 25
(msg:"CleanDNS_Phase1 - ET POLICY Inbound Frequent Emails - Possible
Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase;
threshold: type threshold, track by_src, count 10, seconds 60;
reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity;
sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at
2010_07_30;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line
4155
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
Duplicate signature "drop udp any any -> any 53 (msg: "CleanDNS_Phase1:
Malicious domain xxlvbrloxvriy2c5.onion";
content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; nocase; reference:url,
app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion;
sid:5700006; rev:1;)"
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "drop udp any any -> any 53 (msg:
"CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion";
content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; nocase; reference:url,
app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion;
sid:5700006; rev:1;)" from file
/usr/local/etc/suricata/suricata_42988_em0/rules/dnstunnel.rules at line 9
31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules
successfully loaded, 36 rules failed
31/12/2017 -- 19:36:37 - <Info> -- 9343 signatures processed. 25 are
IP-only rules, 7491 are inspecting packet payload, 1974 inspect application
layer, 4 are decoder event only
31/12/2017 -- 19:36:38 - <Info> -- Threshold config parsed: 0 rule(s) found
31/12/2017 -- 19:36:38 - <Info> -- fast output device (regular)
initialized: alerts.log
31/12/2017 -- 19:36:38 - <Info> -- unable to find af-packet config for
interface "eno16777736" or "default", using default values
31/12/2017 -- 19:36:38 - <Info> -- Going to use 4 ReceiveAFP receive
thread(s)
31/12/2017 -- 19:36:38 - <Notice> -- all 8 packet processing threads, 2
management threads initialized, engine started.
31/12/2017 -- 19:36:38 - <Info> -- All AFP capture threads are running.
############################################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171231/14b5f50c/attachment-0001.html>
More information about the Oisf-users
mailing list