[Oisf-users] Not sure why below errro while starting suricata
Blason R
blason16 at gmail.com
Sun Dec 31 14:37:56 UTC 2017
Surprising...
I am using EPEL but somehow default installation is fetching 3.2.4.
On Sun, Dec 31, 2017 at 7:59 PM, Jason Ish <lists at ish.cx> wrote:
> Hi Blason,
>
> See response below...
>
> On 2017-12-31 08:07 AM, Blason R wrote:
>
>> Hi Guys,
>>
>> I have suricata version 3.2.4 running on CentOS 7 and I am seeing below
>> errors while starting Suricata. I am just starting suricata and not sure
>> why this is appearing.
>>
>> ################################
>>
>> 31/12/2017 -- 19:36:36 - <Info> - Shortening device name to: eno1..7736
>> 31/12/2017 -- 19:36:36 - <Notice> -- This is Suricata version 3.2.4
>> RELEASE
>> 31/12/2017 -- 19:36:36 - <Info> -- CPUs/cores online: 4
>> 31/12/2017 -- 19:36:36 - <Info> -- HTTP memcap: 67108864
>> 31/12/2017 -- 19:36:36 - <Notice> -- using flow hash instead of active
>> packets
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>>
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>> PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE";
>> fast_pattern:only; sip_method:invite; metadata:ruleset community, service
>> sip; reference:url,www.ietf.org/rfc/rfc3261.txt <
>> http://www.ietf.org/rfc/rfc3261.txt>; classtype:protocol-command-decode;
>> sid:11968; rev:7;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/cleandnsmod.rules at line 2295
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET 1024:65535 (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Fakeavlock variant outbound connection";
>> flow:to_server,established; dsize:267<>276; content:"User-Agent|3A|
>> Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D
>> 0A|"; fast_pattern:only; http_header; urilen:159;
>> pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips
>> drop, policy security-ips drop, ruleset community, service http;
>> reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02c
>> bbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/ <
>> http://www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00
>> cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/>;
>> classtype:trojan-activity; sid:25675; rev:7;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2413
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>> set. Can't have relative keywords around a fast_pattern only content
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-OTHER
>> Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware
>> download"; flow:to_client,established; content:"-2013.zip|0D 0A|";
>> fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-";
>> within:1; distance:-14; http_header; file_data; content:"-2013.exe";
>> content:"-"; within:1; distance:-14; metadata:impact_flag red, policy
>> balanced-ips drop, policy security-ips drop, ruleset community, service
>> http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4
>> ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/ <
>> http://www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe5
>> 1974d0708cef666581ef1385c628233614b22c0/analysis/>;
>> classtype:trojan-activity; sid:26470; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2459
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>> set. Can't have relative keywords around a fast_pattern only content
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Bancos
>> fake JPG encrypted config file download"; flow:to_server,established;
>> content:".com.br <http://com.br>|0D 0A 0D 0A|"; fast_pattern:only;
>> content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0;
>> http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+
>> \r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/";
>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>> drop, ruleset community, service http; classtype:trojan-activity;
>> sid:26722; rev:1;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/cleandnsmod.rules at line 2499
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win32/Autorun.JN variant outbound connection"; flow:to_server,established;
>> dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri;
>> content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy
>> balanced-ips drop, policy security-ips drop, ruleset community, service
>> http; reference:url,www.microsoft.com/security/portal/threat/encyc
>> lopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN <
>> http://www.microsoft.com/security/portal/threat/encyclopedi
>> a/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN>; reference:url,
>> www.virustotal.com/en/file/36144738373c665d262
>> bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/ <
>> http://www.virustotal.com/en/file/36144738373c665d262bc007f
>> ceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/>;
>> classtype:trojan-activity; sid:26966; rev:3;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2558
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt";
>> flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only;
>> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
>> community, service sip; reference:url,blog.sipvicious.
>> org/2008/02/detecting-sip-attacks-with-snort.html <
>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>> classtype:attempted-recon; sid:27899; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2626
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or
>> password guessing attempt"; flow:to_client; sip_stat_code:4;
>> content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count
>> 100, seconds 25; metadata:ruleset community, service sip; reference:url,
>> blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html <
>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>> classtype:attempted-recon; sid:27900; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2627
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>> PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client;
>> sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only;
>> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
>> community, service sip; reference:url,blog.sipvicious.
>> org/2008/02/detecting-sip-attacks-with-snort.html <
>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>> classtype:attempted-recon; sid:27901; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2628
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt";
>> flow:to_server,established; sip_method:options; content:"SIP/2.0";
>> fast_pattern:only; detection_filter:track by_src, count 100, seconds 25;
>> metadata:ruleset community, service sip; reference:url,blog.sipvicious.
>> org/2008/02/detecting-sip-attacks-with-snort.html <
>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>> classtype:attempted-recon; sid:27902; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2629
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>> PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established;
>> sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only;
>> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
>> community, service sip; reference:url,blog.sipvicious.
>> org/2008/02/detecting-sip-attacks-with-snort.html <
>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>> classtype:attempted-recon; sid:27903; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2630
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or
>> password guessing attempt"; flow:to_client,established; sip_stat_code:4;
>> content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count
>> 100, seconds 25; metadata:ruleset community, service sip; reference:url,
>> blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html <
>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>> classtype:attempted-recon; sid:27904; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2631
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - PUA-ADWARE Linkury
>> outbound time check"; flow:to_server,established; dsize:72; urilen:8;
>> content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org <
>> http://www.timeapi.org>|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|";
>> fast_pattern:only; metadata:ruleset community, service http; reference:url,
>> www.virustotal.com/en/file/a2c4e162624ddb16954
>> 2e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/ <
>> http://www.virustotal.com/en/file/a2c4e162624ddb169542e12e1
>> 48a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/>;
>> classtype:trojan-activity; sid:28156; rev:2;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2678
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>> set. Can't have relative keywords around a fast_pattern only content
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Kazy variant outbound connection"; flow:to_server,established;
>> content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only;
>> content:"|3B| MSIE "; http_header; content:!"Accept"; http_header;
>> content:"|29 0D 0A|Host: "; distance:0; http_header;
>> pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\
>> x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a
>> \x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/";
>> metadata:impact_flag red, policy security-ips drop, ruleset community,
>> service http; reference:url,www.virustotal.c
>> om/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c
>> 391722c98660763/analysis/ <http://www.virustotal.com/en/
>> file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722
>> c98660763/analysis/>; classtype:trojan-activity; sid:28406; rev:1;)"
>> from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules
>> at line 2699
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Conficker variant outbound connection";
>> flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D
>> 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|
>> Trident/4.0)|0D 0A|Host: checkip.dyndns.org <http://checkip.dyndns.org>|0D
>> 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>> drop, ruleset community, service http; reference:url,www.sans.org/sec
>> urity-resources/malwarefaq/conficker-worm.php <
>> http://www.sans.org/security-resources/malwarefaq/conficker-worm.php>;
>> classtype:trojan-activity; sid:28542; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2711
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Conficker variant outbound connection";
>> flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D
>> 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|
>> Trident/4.0)|0D 0A|Host: www.ask.com <http://www.ask.com>|0D
>> 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>> drop, ruleset community, service http; reference:url,www.sans.org/sec
>> urity-resources/malwarefaq/conficker-worm.php <
>> http://www.sans.org/security-resources/malwarefaq/conficker-worm.php>;
>> classtype:trojan-activity; sid:28543; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2712
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>> set. Can't have relative keywords around a fast_pattern only content
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Injector variant outbound connection";
>> flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D
>> 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|";
>> http_header; content:")|0D 0A|Host: "; distance:0; http_header;
>> content:!"Accept"; http_header; metadata:impact_flag red, policy
>> balanced-ips drop, policy security-ips drop, ruleset community, service
>> http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%
>> 24&type=regexp&start=2013-08-24&end=2013-11-22&max=400 <
>> http://urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=
>> regexp&start=2013-08-24&end=2013-11-22&max=400>; reference:url,
>> www.virustotal.com/en/file/032572ea1f34a060eca
>> c98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/ <
>> http://www.virustotal.com/en/file/032572ea1f34a060ecac98a8e
>> 2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/>;
>> classtype:trojan-activity; sid:28807; rev:2;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2725
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.WEC variant outbound connection"; flow:to_server,established;
>> dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent:
>> Mozilla/4.0|0D 0A|Host: checkip.dyndns.org <http://checkip.dyndns.org>|0D
>> 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy
>> balanced-ips drop, policy security-ips drop, ruleset community, service
>> http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1d
>> ce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/ <
>> http://www.virustotal.com/en/file/164c792247b2822ab1dce8271
>> a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/>;
>> classtype:trojan-activity; sid:29882; rev:2;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2830
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>> set. Can't have relative keywords around a fast_pattern only content
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Bancos variant outbound connection ";
>> flow:to_server,established; content:"Content-Length: 166"; content:".php
>> HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type:
>> application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows
>> NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: ";
>> fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c=";
>> within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red,
>> policy balanced-ips drop, policy security-ips drop, ruleset community,
>> service http; reference:url,www.virustotal.c
>> om/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3
>> 575ba34fe5f008c/analysis <http://www.virustotal.com/en/
>> file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba3
>> 4fe5f008c/analysis>; classtype:trojan-activity; sid:29895; rev:1;)" from
>> file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules
>> at line 2834
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>> INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip
>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>> content:".doc.exe"; fast_pattern:only; content:"Content-Length:";
>> http_header; metadata:policy security-ips drop, ruleset community, service
>> http; classtype:trojan-activity; sid:30997; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2907
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>> INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip
>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>> content:".gif.exe"; fast_pattern:only; content:"Content-Length:";
>> http_header; metadata:policy security-ips drop, ruleset community, service
>> http; classtype:trojan-activity; sid:30998; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2908
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>> INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip
>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>> content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:";
>> http_header; metadata:policy security-ips drop, ruleset community, service
>> http; classtype:trojan-activity; sid:30999; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2909
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>> INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip
>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>> content:".jpg.exe"; fast_pattern:only; content:"Content-Length:";
>> http_header; metadata:policy security-ips drop, ruleset community, service
>> http; classtype:trojan-activity; sid:31000; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2910
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>> INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip
>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>> content:".pdf.exe"; fast_pattern:only; content:"Content-Length:";
>> http_header; metadata:policy security-ips drop, ruleset community, service
>> http; classtype:trojan-activity; sid:31001; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 2911
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>> OS-OTHER Bash environment variable injection attempt"; flow:stateless;
>> sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy
>> security-ips drop, ruleset community, service sip; reference:cve,2014-6271;
>> reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169;
>> classtype:attempted-admin; sid:32041; rev:4;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 3002
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>> - Variable "SIP_SERVERS" is not defined in configuration file
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>> OS-OTHER Bash environment variable injection attempt";
>> flow:to_server,established; sip_header; content:"() {"; metadata:policy
>> max-detect-ips drop, policy security-ips drop, ruleset community, service
>> sip; reference:cve,2014-6271; reference:cve,2014-6277;
>> reference:cve,2014-6278; reference:cve,2014-7169;
>> classtype:attempted-admin; sid:32042; rev:4;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 3003
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
>> file_data; dsize:<194; content:"INTERNACIONAL"; depth:13;
>> content:!"Content-Length"; http_header; content:"Transfer-Encoding:
>> chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop,
>> policy security-ips drop, ruleset community, service http; reference:url,
>> www.virustotal.com/en/file/e0290c3900445dc00ca
>> 24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/ <
>> http://www.virustotal.com/en/file/e0290c3900445dc00ca248889
>> 24e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/>;
>> classtype:trojan-activity; sid:32607; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 3037
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
>> file_data; dsize:<194; content:"BRASIL"; depth:6;
>> content:!"Content-Length"; http_header; content:"Transfer-Encoding:
>> chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop,
>> policy security-ips drop, ruleset community, service http; reference:url,
>> www.virustotal.com/en/file/e0290c3900445dc00ca
>> 24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/ <
>> http://www.virustotal.com/en/file/e0290c3900445dc00ca248889
>> 24e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/>;
>> classtype:trojan-activity; sid:32608; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 3038
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Agent.BHHK variant outbound connection"; flow:to_server,established;
>> dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0
>> (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host:
>> windowsupdate.microsoft.com <http://windowsupdate.microsoft.com>|0D
>> 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept";
>> http_header; metadata:impact_flag red, policy balanced-ips drop, policy
>> security-ips drop, ruleset community, service http; reference:url,
>> www.virustotal.com/en/file/cab1fffe7a34b5bb7da
>> b2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/ <
>> http://www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd
>> 406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/>;
>> classtype:trojan-activity; sid:33227; rev:2;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 3113
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>> (like dsize, flags, ttl) with stream / state matching by matching on app
>> layer proto (like using http_* keywords).
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.FileEncoder IP geolocation checkin attempt";
>> flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D
>> 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B|
>> SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR
>> 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es <
>> http://ip-addr.es>|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|";
>> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
>> policy security-ips drop, ruleset community, service http; reference:url,
>> www.virustotal.com/en/file/17edf82c40df6c72681
>> 91def7cbff6e60e78d7388018408800d42581567f78cf/analysis/ <
>> http://www.virustotal.com/en/file/17edf82c40df6c7268191def7
>> cbff6e60e78d7388018408800d42581567f78cf/analysis/>;
>> classtype:trojan-activity; sid:33449; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 3118
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>> set. Can't have relative keywords around a fast_pattern only content
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.GateKeylogger initial exfiltration attempt";
>> flow:to_server,established; content:"/gate.php"; fast_pattern:only;
>> content:"pc="; nocase; http_client_body; content:"&admin="; distance:0;
>> nocase; http_client_body; content:"&os="; distance:0; nocase;
>> http_client_body; content:"&hid="; distance:0; nocase; http_client_body;
>> content:"&arc="; distance:0; nocase; http_client_body;
>> content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H";
>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>> drop, ruleset community, service http; reference:url,www.virustotal.c
>> om/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497
>> a69ccb9c2d82c16/analysis/1459520578/ <http://www.virustotal.com/en/
>> file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb
>> 9c2d82c16/analysis/1459520578/>; classtype:trojan-activity; sid:38562;
>> rev:2;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/cleandnsmod.rules at line 3278
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky
>> buffer still set. Reset sticky buffer with pkt_data before using the
>> modifier.
>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC
>> Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established;
>> file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg;
>> content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was
>> not found "; metadata:impact_flag red, policy balanced-ips drop, policy
>> security-ips drop, ruleset community, service http; reference:url,
>> www.virustotal.com/en/file/77c802db1731fa8dae1
>> b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/ <
>> http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d97
>> 8f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/>;
>> classtype:trojan-activity; sid:38563; rev:1;)" from file
>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>> line 3279
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>> range is NIL. Probably have a !any or an address range that supplies a NULL
>> address range
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 ->
>> ![any,$SMTP_SERVERS] any (msg:"CleanDNS_Phase1 - ET POLICY Unusual number
>> of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1;
>> threshold: type both , track by_dst, count 50, seconds 300; reference:url,
>> doc.emergingthreats.net/2003195 <http://doc.emergingthreats.net/2003195>;
>> classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30,
>> updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/cleandnsmod.rules at line 4113
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>> range is NIL. Probably have a !any or an address range that supplies a NULL
>> address range
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>> ![any,$SMTP_SERVERS] any -> any 53 (msg:"CleanDNS_Phase1 - ET POLICY
>> Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset:
>> 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both,
>> count 30, seconds 10, track by_src; reference:url,doc.emergingthre
>> ats.net/2003330 <http://doc.emergingthreats.net/2003330>;
>> classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30,
>> updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/cleandnsmod.rules at line 4151
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>> range is NIL. Probably have a !any or an address range that supplies a NULL
>> address range
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>> !$SMTP_SERVERS any -> !any 25 (msg:"CleanDNS_Phase1 - ET POLICY Outbound
>> Multiple Non-SMTP Server Emails"; flow:established; content:"mail
>> from|3a|"; nocase; threshold: type threshold, track by_src, count 10,
>> seconds 120; reference:url,doc.emergingthreats.net/2000328 <
>> http://doc.emergingthreats.net/2000328>; classtype:misc-activity;
>> sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at
>> 2010_07_30;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/cleandnsmod.rules at line 4154
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>> range is NIL. Probably have a !any or an address range that supplies a NULL
>> address range
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !any any
>> -> any 25 (msg:"CleanDNS_Phase1 - ET POLICY Inbound Frequent Emails -
>> Possible Spambot Inbound"; flow:established; content:"mail from|3a|";
>> nocase; threshold: type threshold, track by_src, count 10, seconds 60;
>> reference:url,doc.emergingthreats.net/2002087 <
>> http://doc.emergingthreats.net/2002087>; classtype:misc-activity;
>> sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at
>> 2010_07_30;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/cleandnsmod.rules at line 4155
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)]
>> - Duplicate signature "drop udp any any -> any 53 (msg: "CleanDNS_Phase1:
>> Malicious domain xxlvbrloxvriy2c5.onion"; content:"|10|xxlvbrloxvriy2c5|05|onion|00|";
>> nocase; reference:url,app.threatconnect.com/auth/indicators/details/
>> host.xhtml?host=xxlvbrloxvriy2c5.onion <http://app.threatconnect.com/
>> auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion>;
>> sid:5700006; rev:1;)"
>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any
>> -> any 53 (msg: "CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion";
>> content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; nocase; reference:url,
>> app.threatconnect.com/auth/indicators/details/host.xhtml?host=
>> xxlvbrloxvriy2c5.onion <http://app.threatconnect.com/
>> auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion>;
>> sid:5700006; rev:1;)" from file /usr/local/etc/suricata/surica
>> ta_42988_em0/rules/dnstunnel.rules at line 9
>> 31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules
>> successfully loaded, 36 rules failed
>> 31/12/2017 -- 19:36:37 - <Info> -- 9343 signatures processed. 25 are
>> IP-only rules, 7491 are inspecting packet payload, 1974 inspect application
>> layer, 4 are decoder event only
>> 31/12/2017 -- 19:36:38 - <Info> -- Threshold config parsed: 0 rule(s)
>> found
>> 31/12/2017 -- 19:36:38 - <Info> -- fast output device (regular)
>> initialized: alerts.log
>> 31/12/2017 -- 19:36:38 - <Info> -- unable to find af-packet config for
>> interface "eno16777736" or "default", using default values
>> 31/12/2017 -- 19:36:38 - <Info> -- Going to use 4 ReceiveAFP receive
>> thread(s)
>> 31/12/2017 -- 19:36:38 - <Notice> -- all 8 packet processing threads, 2
>> management threads initialized, engine started.
>> 31/12/2017 -- 19:36:38 - <Info> -- All AFP capture threads are running.
>>
>> ############################################
>>
>
> It looks like you are using some Snort rules. The SIP ones use some
> variable not defined in the Suricata.yaml, so you will need to add those
> yourself.
>
> If you can, please start with a Suricata specific ruleset, then if you
> need some rules that are only available for Snort, add those as needed, and
> fix them up for Suricata as needed.
>
> Please note that Suricata 3.2.4 is now end of life. Please upgrade to
> 4.0.3. If using EPEL, Suricata 4.0.1 is available now. 4.0.3 will be
> available soon.
>
> Jason
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20171231/1c15ef9e/attachment-0002.html>
More information about the Oisf-users
mailing list