[Oisf-users] Not sure why below error while starting suricata

Jason Ish lists at ish.cx
Sun Dec 31 14:29:52 UTC 2017


Hi Blason,

See response below...

On 2017-12-31 08:07 AM, Blason R wrote:
> Hi Guys,
> 
> I have suricata version 3.2.4 running on CentOS 7 and I am seeing the 
> errors below while starting Suricata. I am just starting suricata and am 
> not sure why this is appearing.
> 
> ################################
> 
> 31/12/2017 -- 19:36:36 - <Info> - Shortening device name to: eno1..7736
> 31/12/2017 -- 19:36:36 - <Notice> -- This is Suricata version 3.2.4 RELEASE
> 31/12/2017 -- 19:36:36 - <Info> -- CPUs/cores online: 4
> 31/12/2017 -- 19:36:36 - <Info> -- HTTP memcap: 67108864
> 31/12/2017 -- 19:36:36 - <Notice> -- using flow hash instead of active 
> packets
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp 
> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - 
> PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; 
> fast_pattern:only; sip_method:invite; metadata:ruleset community, 
> service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; 
> classtype:protocol-command-decode; sid:11968; rev:7;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2295
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET 1024:65535 (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Fakeavlock variant outbound connection"; 
> flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| 
> Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 
> 0A|"; fast_pattern:only; http_header; urilen:159; 
> pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy 
> balanced-ips drop, policy security-ips drop, ruleset community, service 
> http; 
> reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; 
> classtype:trojan-activity; sid:25675; rev:7;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2413
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a 
> fast_pattern:only; set. Can't have relative keywords around a 
> fast_pattern only content
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - 
> MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - 
> potential malware download"; flow:to_client,established; 
> content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 
> 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; 
> file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; 
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
> drop, ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; 
> classtype:trojan-activity; sid:26470; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2459
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a 
> fast_pattern:only; set. Can't have relative keywords around a 
> fast_pattern only content
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Bancos fake JPG encrypted config file download"; 
> flow:to_server,established; content:".com.br|0D 0A 0D 
> 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; 
> content:".jpg"; distance:0; http_uri; 
> pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; 
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
> drop, ruleset community, service http; classtype:trojan-activity; 
> sid:26722; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2499
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win32/Autorun.JN variant outbound connection"; 
> flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; 
> fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; 
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
> drop, ruleset community, service http; 
> reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; 
> reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; 
> classtype:trojan-activity; sid:26966; rev:3;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2558
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp 
> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - 
> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering 
> attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; 
> fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; 
> metadata:ruleset community, service sip; 
> reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; 
> classtype:attempted-recon; sid:27899; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2626
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp 
> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - 
> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or 
> password guessing attempt"; flow:to_client; sip_stat_code:4; 
> content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, 
> count 100, seconds 25; metadata:ruleset community, service sip; 
> reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; 
> classtype:attempted-recon; sid:27900; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2627
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp 
> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - 
> PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; 
> sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; 
> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset 
> community, service sip; 
> reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; 
> classtype:attempted-recon; sid:27901; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2628
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - 
> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering 
> attempt"; flow:to_server,established; sip_method:options; 
> content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, 
> count 100, seconds 25; metadata:ruleset community, service sip; 
> reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; 
> classtype:attempted-recon; sid:27902; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2629
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - 
> PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established; 
> sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; 
> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset 
> community, service sip; 
> reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; 
> classtype:attempted-recon; sid:27903; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2630
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 - 
> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or 
> password guessing attempt"; flow:to_client,established; sip_stat_code:4; 
> content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, 
> count 100, seconds 25; metadata:ruleset community, service sip; 
> reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; 
> classtype:attempted-recon; sid:27904; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2631
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - PUA-ADWARE 
> Linkury outbound time check"; flow:to_server,established; dsize:72; 
> urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; 
> fast_pattern:only; metadata:ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; 
> classtype:trojan-activity; sid:28156; rev:2;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2678
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a 
> fast_pattern:only; set. Can't have relative keywords around a 
> fast_pattern only content
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Kazy variant outbound connection"; 
> flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: 
> Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; 
> content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; 
> http_header; 
> pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; 
> metadata:impact_flag red, policy security-ips drop, ruleset community, 
> service http; 
> reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; 
> classtype:trojan-activity; sid:28406; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2699
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Conficker variant outbound connection"; 
> flow:to_server,established; dsize:146; urilen:1; content:"GET / 
> HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| 
> Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; 
> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, 
> policy security-ips drop, ruleset community, service http; 
> reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; 
> classtype:trojan-activity; sid:28542; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2711
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Conficker variant outbound connection"; 
> flow:to_server,established; dsize:139; urilen:1; content:"GET / 
> HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| 
> Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; 
> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, 
> policy security-ips drop, ruleset community, service http; 
> reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; 
> classtype:trojan-activity; sid:28543; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2712
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a 
> fast_pattern:only; set. Can't have relative keywords around a 
> fast_pattern only content
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Injector variant outbound connection"; 
> flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 
> 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; 
> http_header; content:")|0D 0A|Host: "; distance:0; http_header; 
> content:!"Accept"; http_header; metadata:impact_flag red, policy 
> balanced-ips drop, policy security-ips drop, ruleset community, service 
> http; 
> reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; 
> reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; 
> classtype:trojan-activity; sid:28807; rev:2;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2725
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.WEC variant outbound connection"; flow:to_server,established; 
> dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: 
> Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; 
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
> drop, ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; 
> classtype:trojan-activity; sid:29882; rev:2;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2830
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a 
> fast_pattern:only; set. Can't have relative keywords around a 
> fast_pattern only content
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Bancos variant outbound connection "; 
> flow:to_server,established; content:"Content-Length: 166"; content:".php 
> HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: 
> application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows 
> NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; 
> fast_pattern:only; content:"v="; depth:2; http_client_body; 
> content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; 
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
> drop, ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; 
> classtype:trojan-activity; sid:29895; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2834
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky 
> buffer still set.  Reset sticky buffer with pkt_data before using the 
> modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - 
> INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip 
> file"; flow:to_client,established; flowbits:isset,file.zip; file_data; 
> content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; 
> http_header; metadata:policy security-ips drop, ruleset community, 
> service http; classtype:trojan-activity; sid:30997; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2907
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky 
> buffer still set.  Reset sticky buffer with pkt_data before using the 
> modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - 
> INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip 
> file"; flow:to_client,established; flowbits:isset,file.zip; file_data; 
> content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; 
> http_header; metadata:policy security-ips drop, ruleset community, 
> service http; classtype:trojan-activity; sid:30998; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2908
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky 
> buffer still set.  Reset sticky buffer with pkt_data before using the 
> modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - 
> INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip 
> file"; flow:to_client,established; flowbits:isset,file.zip; file_data; 
> content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; 
> http_header; metadata:policy security-ips drop, ruleset community, 
> service http; classtype:trojan-activity; sid:30999; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2909
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky 
> buffer still set.  Reset sticky buffer with pkt_data before using the 
> modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - 
> INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip 
> file"; flow:to_client,established; flowbits:isset,file.zip; file_data; 
> content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; 
> http_header; metadata:policy security-ips drop, ruleset community, 
> service http; classtype:trojan-activity; sid:31000; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2910
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky 
> buffer still set.  Reset sticky buffer with pkt_data before using the 
> modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - 
> INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip 
> file"; flow:to_client,established; flowbits:isset,file.zip; file_data; 
> content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; 
> http_header; metadata:policy security-ips drop, ruleset community, 
> service http; classtype:trojan-activity; sid:31001; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 2911
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp 
> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - 
> OS-OTHER Bash environment variable injection attempt"; flow:stateless; 
> sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy 
> security-ips drop, ruleset community, service sip; 
> reference:cve,2014-6271; reference:cve,2014-6277; 
> reference:cve,2014-6278; reference:cve,2014-7169; 
> classtype:attempted-admin; sid:32041; rev:4;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3002
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] 
> - Variable "SIP_SERVERS" is not defined in configuration file
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 - 
> OS-OTHER Bash environment variable injection attempt"; 
> flow:to_server,established; sip_header; content:"() {"; metadata:policy 
> max-detect-ips drop, policy security-ips drop, ruleset community, 
> service sip; reference:cve,2014-6271; reference:cve,2014-6277; 
> reference:cve,2014-6278; reference:cve,2014-7169; 
> classtype:attempted-admin; sid:32042; rev:4;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3003
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky 
> buffer still set.  Reset sticky buffer with pkt_data before using the 
> modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; 
> file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; 
> content:!"Content-Length"; http_header; content:"Transfer-Encoding: 
> chunked"; http_header; metadata:impact_flag red, policy balanced-ips 
> drop, policy security-ips drop, ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; 
> classtype:trojan-activity; sid:32607; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3037
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky 
> buffer still set.  Reset sticky buffer with pkt_data before using the 
> modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; 
> file_data; dsize:<194; content:"BRASIL"; depth:6; 
> content:!"Content-Length"; http_header; content:"Transfer-Encoding: 
> chunked"; http_header; metadata:impact_flag red, policy balanced-ips 
> drop, policy security-ips drop, ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; 
> classtype:trojan-activity; sid:32608; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3038
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Agent.BHHK variant outbound connection"; flow:to_server,established; 
> dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: 
> Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: 
> windowsupdate.microsoft.com|0D 
> 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; 
> content:!"Accept"; http_header; metadata:impact_flag red, policy 
> balanced-ips drop, policy security-ips drop, ruleset community, service 
> http; 
> reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; 
> classtype:trojan-activity; sid:33227; rev:2;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3113
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific 
> matches (like dsize, flags, ttl) with stream / state matching by 
> matching on app layer proto (like using http_* keywords).
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.FileEncoder IP geolocation checkin attempt"; 
> flow:to_server,established; dsize:214; urilen:1; content:"GET / 
> HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| 
> Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 
> 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: 
> ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 
> 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips 
> drop, policy security-ips drop, ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; 
> classtype:trojan-activity; sid:33449; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3118
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a 
> fast_pattern:only; set. Can't have relative keywords around a 
> fast_pattern only content
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any 
> any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.GateKeylogger initial exfiltration attempt"; 
> flow:to_server,established; content:"/gate.php"; fast_pattern:only; 
> content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; 
> nocase; http_client_body; content:"&os="; distance:0; nocase; 
> http_client_body; content:"&hid="; distance:0; nocase; http_client_body; 
> content:"&arc="; distance:0; nocase; http_client_body; 
> content:"User-Agent|3A 20|"; http_header; 
> pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag 
> red, policy balanced-ips drop, policy security-ips drop, ruleset 
> community, service http; 
> reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/ 
> <http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/>; 
> classtype:trojan-activity; sid:38562; rev:2;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3278
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a 
> sticky buffer still set.  Reset sticky buffer with pkt_data before using 
> the modifier.
> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC 
> Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; 
> file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; 
> content:">404 Not Found<"; fast_pattern:only; content:" requested URL / 
> was not found "; metadata:impact_flag red, policy balanced-ips drop, 
> policy security-ips drop, ruleset community, service http; 
> reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/ 
> <http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/>; 
> classtype:trojan-activity; sid:38563; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 3279
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address 
> range is NIL. Probably have a !any or an address range that supplies a 
> NULL address range
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 
> -> ![any,$SMTP_SERVERS] any (msg:"CleanDNS_Phase1 - ET POLICY Unusual 
> number of DNS No Such Name Responses"; content:"|83|"; offset:3; 
> depth:1; threshold: type both , track by_dst, count 50, seconds 300; 
> reference:url,doc.emergingthreats.net/2003195 
> <http://doc.emergingthreats.net/2003195>; classtype:bad-unknown; 
> sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 
> 2010_07_30;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 4113
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address 
> range is NIL. Probably have a !any or an address range that supplies a 
> NULL address range
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp 
> ![any,$SMTP_SERVERS] any -> any 53 (msg:"CleanDNS_Phase1 - ET POLICY 
> Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; 
> offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; 
> threshold:type both, count 30, seconds 10, track by_src; 
> reference:url,doc.emergingthreats.net/2003330 
> <http://doc.emergingthreats.net/2003330>; classtype:bad-unknown; 
> sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 
> 2010_07_30;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 4151
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address 
> range is NIL. Probably have a !any or an address range that supplies a 
> NULL address range
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp 
> !$SMTP_SERVERS any -> !any 25 (msg:"CleanDNS_Phase1 - ET POLICY Outbound 
> Multiple Non-SMTP Server Emails"; flow:established; content:"mail 
> from|3a|"; nocase; threshold: type threshold, track by_src, count 10, 
> seconds 120; reference:url,doc.emergingthreats.net/2000328 
> <http://doc.emergingthreats.net/2000328>; classtype:misc-activity; 
> sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 
> 2010_07_30;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 4154
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address 
> range is NIL. Probably have a !any or an address range that supplies a 
> NULL address range
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !any 
> any -> any 25 (msg:"CleanDNS_Phase1 - ET POLICY Inbound Frequent Emails 
> - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; 
> nocase; threshold: type threshold, track by_src, count 10, seconds 60; 
> reference:url,doc.emergingthreats.net/2002087 
> <http://doc.emergingthreats.net/2002087>; classtype:misc-activity; 
> sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 
> 2010_07_30;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at 
> line 4155
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] 
> - Duplicate signature "drop udp any any -> any 53 (msg: 
> "CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion"; 
> content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; nocase; 
> reference:url,app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion 
> <http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion>; 
> sid:5700006; rev:1;)"
> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: 
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 
> any -> any 53 (msg: "CleanDNS_Phase1: Malicious domain 
> xxlvbrloxvriy2c5.onion"; content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; 
> nocase; 
> reference:url,app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion 
> <http://app.threatconnect.com/auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion>; 
> sid:5700006; rev:1;)" from file 
> /usr/local/etc/suricata/suricata_42988_em0/rules/dnstunnel.rules at line 9
> 31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules 
> successfully loaded, 36 rules failed
> 31/12/2017 -- 19:36:37 - <Info> -- 9343 signatures processed. 25 are 
> IP-only rules, 7491 are inspecting packet payload, 1974 inspect 
> application layer, 4 are decoder event only
> 31/12/2017 -- 19:36:38 - <Info> -- Threshold config parsed: 0 rule(s) found
> 31/12/2017 -- 19:36:38 - <Info> -- fast output device (regular) 
> initialized: alerts.log
> 31/12/2017 -- 19:36:38 - <Info> -- unable to find af-packet config for 
> interface "eno16777736" or "default", using default values
> 31/12/2017 -- 19:36:38 - <Info> -- Going to use 4 ReceiveAFP receive 
> thread(s)
> 31/12/2017 -- 19:36:38 - <Notice> -- all 8 packet processing threads, 2 
> management threads initialized, engine started.
> 31/12/2017 -- 19:36:38 - <Info> -- All AFP capture threads are running.
> 
> ############################################

It looks like you are using some Snort rules. The SIP ones use some 
variable not defined in the Suricata.yaml, so you will need to add those 
yourself.

If you can, please start with a Suricata specific ruleset, then if you 
need some rules that are only available for Snort, add those as needed, 
and fix them up for Suricata as needed.

Please note that Suricata 3.2.4 is now end of life. Please upgrade to 
4.0.3. If using EPEL, Suricata 4.0.1 is available now. 4.0.3 will be 
available soon.

Jason
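The quoted startup log shows Suricata's pattern for a failed rule: one line giving the reason (an undefined variable, a `!any` address, a relative keyword next to `fast_pattern:only`, a duplicate sid), followed by one `error parsing signature "..." from file ... at line N` record. The script below is an added example, not code from this thread or from the Suricata project: it pairs each reason with its parse record, pulls out the sid, file, line and every `$VARIABLE` the rule references, and prints a `vars:` fragment for suricata.yaml covering the variables Jason says have to be added. The sample log is a constructed, unwrapped excerpt of the quoted output with the rule bodies shortened; the placeholder values in the generated fragment and the helper names are assumptions.

```python
"""Triage Suricata rule-load errors and suggest the suricata.yaml vars to add.

Added example (not from the mailing-list post or the Suricata project).
Suricata writes one record per line; the constructed sample below
reproduces a few of the quoted records unwrapped, with rule text shortened.
"""
import re
from collections import Counter

# Constructed sample in the log format of the quoted output (one record per line).
SAMPLE_LOG = r'''31/12/2017 -- 19:36:36 - <Notice> -- This is Suricata version 3.2.4 RELEASE
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_SERVERS" is not defined in configuration file
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; content:"INVITE"; sid:11968; rev:7;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 2295
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Win.Trojan.GateKeylogger initial exfiltration attempt"; content:"/gate.php"; fast_pattern:only; content:"pc="; distance:0; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 3278
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !any any -> any 25 (msg:"ET POLICY Inbound Frequent Emails"; content:"mail from|3a|"; sid:2002087; rev:10;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at line 4155
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "drop udp any any -> any 53 (msg: "Malicious domain"; sid:5700006; rev:1;)"
31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> any 53 (msg: "Malicious domain"; sid:5700006; rev:1;)" from file /usr/local/etc/suricata/suricata_42988_em0/rules/dnstunnel.rules at line 9
31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules successfully loaded, 36 rules failed
'''

ERROR_RE = re.compile(r'<Error> -- \[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<msg>.*)$')
PARSE_RE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
UNDEF_RE = re.compile(r'Variable "(?P<var>\w+)" is not defined')
SID_RE = re.compile(r'\bsid:\s*(?P<sid>\d+);')
VAR_RE = re.compile(r'\$([A-Z][A-Z0-9_]*)')


def classify(reason):
    """Map a Suricata reason line to a short category (labels are my own)."""
    if 'is not defined' in reason:
        return 'undefined variable'
    if 'Complete IP space negated' in reason:
        return 'negated any address (!any)'
    if 'fast_pattern' in reason:
        return 'relative keyword around fast_pattern:only'
    if 'sticky buffer' in reason:
        return 'modifier keyword after a sticky buffer'
    if 'packet specific matches' in reason:
        return 'packet keywords mixed with app-layer matching'
    if reason.startswith('Duplicate signature'):
        return 'duplicate sid'
    return 'other'


def triage(log_text):
    """Pair every 'error parsing signature' record with the reason logged
    just before it. Returns one dict per failed rule."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        code, msg = m.group('code'), m.group('msg')
        p = PARSE_RE.match(msg)
        if p is None:
            pending = (code, msg)          # reason line; the parse record follows
            continue
        sid = SID_RE.search(p.group('rule'))
        reason_code, reason = pending if pending else (code, 'no reason logged')
        failures.append({
            'sid': int(sid.group('sid')) if sid else None,
            'file': p.group('file'),
            'line': int(p.group('line')),
            'reason_code': reason_code,
            'reason': reason,
            'variables': sorted(set(VAR_RE.findall(p.group('rule')))),
        })
        pending = None
    return failures


def summarize(failures):
    """Count failed rules per category, so the 36 failures become a short list."""
    return Counter(classify(f['reason']) for f in failures)


def undefined_variables(log_text):
    """Variable names Suricata explicitly reported as undefined."""
    return sorted({m.group('var') for m in UNDEF_RE.finditer(log_text)})


def variables_to_check(failures):
    """Every $VAR in a rule that failed on an undefined variable. Suricata stops
    parsing a rule at its first error, so $SIP_PORTS in the same rule as
    $SIP_SERVERS is never reported and must be checked by hand."""
    names = set()
    for f in failures:
        if classify(f['reason']) == 'undefined variable':
            names.update(f['variables'])
    return sorted(names)


def suggest_vars_yaml(var_names):
    """Render a suricata.yaml 'vars' fragment. Names ending in _PORTS go under
    port-groups, the rest under address-groups. Values are placeholders
    (assumption) that must be replaced with the real servers and ports."""
    addrs = [v for v in var_names if not v.endswith('_PORTS')]
    ports = [v for v in var_names if v.endswith('_PORTS')]
    lines = ['vars:']
    if addrs:
        lines.append('  address-groups:')
        lines += [f'    {v}: "$HOME_NET"  # placeholder: replace with the real hosts' for v in addrs]
    if ports:
        lines.append('  port-groups:')
        lines += [f'    {v}: "any"  # placeholder: replace with the real port list' for v in ports]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"sid {f['sid']} ({f['file']}:{f['line']}): {classify(f['reason'])}")
    print(dict(summarize(found)))
    print(suggest_vars_yaml(['SIP_PORTS', 'SIP_SERVERS']))
```

Run it against the real log (`suricata -T -c suricata.yaml` prints the same records without starting capture) and the summary tells you which failures are a missing variable, fixable in suricata.yaml, and which are Snort-only syntax (`!any`, relative matches around `fast_pattern:only`, sticky-buffer ordering) that has to be rewritten or dropped, which is the distinction Jason draws above.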
