[Oisf-users] Not sure why below error while starting suricata

Blason R blason16 at gmail.com
Sun Dec 31 14:44:20 UTC 2017


OK - I got it installed using


On Sun, Dec 31, 2017 at 8:07 PM, Blason R <blason16 at gmail.com> wrote:

> Surprising...
>
> I am using EPEL but somehow the default installation is fetching 3.2.4.
>
> On Sun, Dec 31, 2017 at 7:59 PM, Jason Ish <lists at ish.cx> wrote:
>
>> Hi Blason,
>>
>> See response below...
>>
>> On 2017-12-31 08:07 AM, Blason R wrote:
>>
>>> Hi Guys,
>>>
>>> I have suricata version 3.2.4 running on CentOS 7 and I am seeing below
>>> errors while starting Suricata. I am just starting suricata and not sure
>>> why this is appearing.
>>>
>>> ################################
>>>
>>> 31/12/2017 -- 19:36:36 - <Info> - Shortening device name to: eno1..7736
>>> 31/12/2017 -- 19:36:36 - <Notice> -- This is Suricata version 3.2.4
>>> RELEASE
>>> 31/12/2017 -- 19:36:36 - <Info> -- CPUs/cores online: 4
>>> 31/12/2017 -- 19:36:36 - <Info> -- HTTP memcap: 67108864
>>> 31/12/2017 -- 19:36:36 - <Notice> -- using flow hash instead of active
>>> packets
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>>
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>>> PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE";
>>> fast_pattern:only; sip_method:invite; metadata:ruleset community, service
>>> sip; reference:url,www.ietf.org/rfc/rfc3261.txt <
>>> http://www.ietf.org/rfc/rfc3261.txt>; classtype:protocol-command-decode;
>>> sid:11968; rev:7;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/cleandnsmod.rules at line 2295
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET 1024:65535 (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Fakeavlock variant outbound connection";
>>> flow:to_server,established; dsize:267<>276; content:"User-Agent|3A|
>>> Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D
>>> 0A|"; fast_pattern:only; http_header; urilen:159;
>>> pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips
>>> drop, policy security-ips drop, ruleset community, service http;
>>> reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02c
>>> bbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/ <
>>> http://www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00
>>> cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/>;
>>> classtype:trojan-activity; sid:25675; rev:7;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2413
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>>> set. Can't have relative keywords around a fast_pattern only content
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-OTHER
>>> Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware
>>> download"; flow:to_client,established; content:"-2013.zip|0D 0A|";
>>> fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-";
>>> within:1; distance:-14; http_header; file_data; content:"-2013.exe";
>>> content:"-"; within:1; distance:-14; metadata:impact_flag red, policy
>>> balanced-ips drop, policy security-ips drop, ruleset community, service
>>> http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4
>>> ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/ <
>>> http://www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe5
>>> 1974d0708cef666581ef1385c628233614b22c0/analysis/>;
>>> classtype:trojan-activity; sid:26470; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2459
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>>> set. Can't have relative keywords around a fast_pattern only content
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC Bancos
>>> fake JPG encrypted config file download"; flow:to_server,established;
>>> content:".com.br <http://com.br>|0D 0A 0D 0A|"; fast_pattern:only;
>>> content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0;
>>> http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+
>>> \r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/";
>>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>>> drop, ruleset community, service http; classtype:trojan-activity;
>>> sid:26722; rev:1;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/cleandnsmod.rules at line 2499
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win32/Autorun.JN variant outbound connection"; flow:to_server,established;
>>> dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri;
>>> content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy
>>> balanced-ips drop, policy security-ips drop, ruleset community, service
>>> http; reference:url,www.microsoft.com/security/portal/threat/encyc
>>> lopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN <
>>> http://www.microsoft.com/security/portal/threat/encyclopedi
>>> a/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN>; reference:url,
>>> www.virustotal.com/en/file/36144738373c665d262
>>> bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/ <
>>> http://www.virustotal.com/en/file/36144738373c665d262bc007f
>>> ceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/>;
>>> classtype:trojan-activity; sid:26966; rev:3;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2558
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>>> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt";
>>> flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only;
>>> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
>>> community, service sip; reference:url,blog.sipvicious.
>>> org/2008/02/detecting-sip-attacks-with-snort.html <
>>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>>> classtype:attempted-recon; sid:27899; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2626
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>>> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or
>>> password guessing attempt"; flow:to_client; sip_stat_code:4;
>>> content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count
>>> 100, seconds 25; metadata:ruleset community, service sip; reference:url,
>>> blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html <
>>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>>> classtype:attempted-recon; sid:27900; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2627
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>>> PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client;
>>> sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only;
>>> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
>>> community, service sip; reference:url,blog.sipvicious.
>>> org/2008/02/detecting-sip-attacks-with-snort.html <
>>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>>> classtype:attempted-recon; sid:27901; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2628
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>>> PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt";
>>> flow:to_server,established; sip_method:options; content:"SIP/2.0";
>>> fast_pattern:only; detection_filter:track by_src, count 100, seconds 25;
>>> metadata:ruleset community, service sip; reference:url,blog.sipvicious.
>>> org/2008/02/detecting-sip-attacks-with-snort.html <
>>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>>> classtype:attempted-recon; sid:27902; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2629
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>>> PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established;
>>> sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only;
>>> detection_filter:track by_src, count 100, seconds 25; metadata:ruleset
>>> community, service sip; reference:url,blog.sipvicious.
>>> org/2008/02/detecting-sip-attacks-with-snort.html <
>>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>>> classtype:attempted-recon; sid:27903; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2630
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"CleanDNS_Phase1 -
>>> PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or
>>> password guessing attempt"; flow:to_client,established; sip_stat_code:4;
>>> content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count
>>> 100, seconds 25; metadata:ruleset community, service sip; reference:url,
>>> blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html <
>>> http://blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html>;
>>> classtype:attempted-recon; sid:27904; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2631
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - PUA-ADWARE Linkury
>>> outbound time check"; flow:to_server,established; dsize:72; urilen:8;
>>> content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org <
>>> http://www.timeapi.org>|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|";
>>> fast_pattern:only; metadata:ruleset community, service http; reference:url,
>>> www.virustotal.com/en/file/a2c4e162624ddb16954
>>> 2e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/ <
>>> http://www.virustotal.com/en/file/a2c4e162624ddb169542e12e1
>>> 48a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/>;
>>> classtype:trojan-activity; sid:28156; rev:2;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2678
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>>> set. Can't have relative keywords around a fast_pattern only content
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Kazy variant outbound connection"; flow:to_server,established;
>>> content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only;
>>> content:"|3B| MSIE "; http_header; content:!"Accept"; http_header;
>>> content:"|29 0D 0A|Host: "; distance:0; http_header;
>>> pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\
>>> x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a
>>> \x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/";
>>> metadata:impact_flag red, policy security-ips drop, ruleset community,
>>> service http; reference:url,www.virustotal.c
>>> om/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c
>>> 391722c98660763/analysis/ <http://www.virustotal.com/en/
>>> file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722
>>> c98660763/analysis/>; classtype:trojan-activity; sid:28406; rev:1;)"
>>> from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules
>>> at line 2699
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Conficker variant outbound connection";
>>> flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D
>>> 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|
>>> Trident/4.0)|0D 0A|Host: checkip.dyndns.org <http://checkip.dyndns.org>|0D
>>> 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
>>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>>> drop, ruleset community, service http; reference:url,www.sans.org/sec
>>> urity-resources/malwarefaq/conficker-worm.php <
>>> http://www.sans.org/security-resources/malwarefaq/conficker-worm.php>;
>>> classtype:trojan-activity; sid:28542; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2711
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET 80 (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Conficker variant outbound connection";
>>> flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D
>>> 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|
>>> Trident/4.0)|0D 0A|Host: www.ask.com <http://www.ask.com>|0D
>>> 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only;
>>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>>> drop, ruleset community, service http; reference:url,www.sans.org/sec
>>> urity-resources/malwarefaq/conficker-worm.php <
>>> http://www.sans.org/security-resources/malwarefaq/conficker-worm.php>;
>>> classtype:trojan-activity; sid:28543; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2712
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>>> set. Can't have relative keywords around a fast_pattern only content
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Injector variant outbound connection";
>>> flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D
>>> 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|";
>>> http_header; content:")|0D 0A|Host: "; distance:0; http_header;
>>> content:!"Accept"; http_header; metadata:impact_flag red, policy
>>> balanced-ips drop, policy security-ips drop, ruleset community, service
>>> http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24
>>> &type=regexp&start=2013-08-24&end=2013-11-22&max=400 <
>>> http://urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=
>>> regexp&start=2013-08-24&end=2013-11-22&max=400>; reference:url,
>>> www.virustotal.com/en/file/032572ea1f34a060eca
>>> c98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/ <
>>> http://www.virustotal.com/en/file/032572ea1f34a060ecac98a8e
>>> 2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/>;
>>> classtype:trojan-activity; sid:28807; rev:2;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2725
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.WEC variant outbound connection"; flow:to_server,established;
>>> dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent:
>>> Mozilla/4.0|0D 0A|Host: checkip.dyndns.org <http://checkip.dyndns.org>|0D
>>> 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy
>>> balanced-ips drop, policy security-ips drop, ruleset community, service
>>> http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1d
>>> ce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/ <
>>> http://www.virustotal.com/en/file/164c792247b2822ab1dce8271
>>> a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/>;
>>> classtype:trojan-activity; sid:29882; rev:2;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2830
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>>> set. Can't have relative keywords around a fast_pattern only content
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Bancos variant outbound connection ";
>>> flow:to_server,established; content:"Content-Length: 166"; content:".php
>>> HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type:
>>> application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0
>>> (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: ";
>>> fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c=";
>>> within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red,
>>> policy balanced-ips drop, policy security-ips drop, ruleset community,
>>> service http; reference:url,www.virustotal.c
>>> om/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3
>>> 575ba34fe5f008c/analysis <http://www.virustotal.com/en/
>>> file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba3
>>> 4fe5f008c/analysis>; classtype:trojan-activity; sid:29895; rev:1;)"
>>> from file /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules
>>> at line 2834
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>>> INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip
>>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>>> content:".doc.exe"; fast_pattern:only; content:"Content-Length:";
>>> http_header; metadata:policy security-ips drop, ruleset community, service
>>> http; classtype:trojan-activity; sid:30997; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2907
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>>> INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip
>>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>>> content:".gif.exe"; fast_pattern:only; content:"Content-Length:";
>>> http_header; metadata:policy security-ips drop, ruleset community, service
>>> http; classtype:trojan-activity; sid:30998; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2908
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>>> INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip
>>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>>> content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:";
>>> http_header; metadata:policy security-ips drop, ruleset community, service
>>> http; classtype:trojan-activity; sid:30999; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2909
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>>> INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip
>>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>>> content:".jpg.exe"; fast_pattern:only; content:"Content-Length:";
>>> http_header; metadata:policy security-ips drop, ruleset community, service
>>> http; classtype:trojan-activity; sid:31000; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2910
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 -
>>> INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip
>>> file"; flow:to_client,established; flowbits:isset,file.zip; file_data;
>>> content:".pdf.exe"; fast_pattern:only; content:"Content-Length:";
>>> http_header; metadata:policy security-ips drop, ruleset community, service
>>> http; classtype:trojan-activity; sid:31001; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 2911
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>>> OS-OTHER Bash environment variable injection attempt"; flow:stateless;
>>> sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy
>>> security-ips drop, ruleset community, service sip; reference:cve,2014-6271;
>>> reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169;
>>> classtype:attempted-admin; sid:32041; rev:4;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 3002
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)]
>>> - Variable "SIP_SERVERS" is not defined in configuration file
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"CleanDNS_Phase1 -
>>> OS-OTHER Bash environment variable injection attempt";
>>> flow:to_server,established; sip_header; content:"() {"; metadata:policy
>>> max-detect-ips drop, policy security-ips drop, ruleset community, service
>>> sip; reference:cve,2014-6271; reference:cve,2014-6277;
>>> reference:cve,2014-6278; reference:cve,2014-7169;
>>> classtype:attempted-admin; sid:32042; rev:4;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 3003
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
>>> file_data; dsize:<194; content:"INTERNACIONAL"; depth:13;
>>> content:!"Content-Length"; http_header; content:"Transfer-Encoding:
>>> chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop,
>>> policy security-ips drop, ruleset community, service http; reference:url,
>>> www.virustotal.com/en/file/e0290c3900445dc00ca
>>> 24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/ <
>>> http://www.virustotal.com/en/file/e0290c3900445dc00ca248889
>>> 24e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/>;
>>> classtype:trojan-activity; sid:32607; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 3037
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
>>> file_data; dsize:<194; content:"BRASIL"; depth:6;
>>> content:!"Content-Length"; http_header; content:"Transfer-Encoding:
>>> chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop,
>>> policy security-ips drop, ruleset community, service http; reference:url,
>>> www.virustotal.com/en/file/e0290c3900445dc00ca
>>> 24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/ <
>>> http://www.virustotal.com/en/file/e0290c3900445dc00ca248889
>>> 24e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/>;
>>> classtype:trojan-activity; sid:32608; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 3038
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Agent.BHHK variant outbound connection"; flow:to_server,established;
>>> dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0
>>> (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host:
>>> windowsupdate.microsoft.com <http://windowsupdate.microsoft.com>|0D
>>> 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept";
>>> http_header; metadata:impact_flag red, policy balanced-ips drop, policy
>>> security-ips drop, ruleset community, service http; reference:url,
>>> www.virustotal.com/en/file/cab1fffe7a34b5bb7da
>>> b2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/ <
>>> http://www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd
>>> 406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/>;
>>> classtype:trojan-activity; sid:33227; rev:2;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 3113
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches
>>> (like dsize, flags, ttl) with stream / state matching by matching on app
>>> layer proto (like using http_* keywords).
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.FileEncoder IP geolocation checkin attempt";
>>> flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D
>>> 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B|
>>> SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR
>>> 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es <
>>> http://ip-addr.es>|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|";
>>> fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
>>> policy security-ips drop, ruleset community, service http; reference:url,
>>> www.virustotal.com/en/file/17edf82c40df6c72681
>>> 91def7cbff6e60e78d7388018408800d42581567f78cf/analysis/ <
>>> http://www.virustotal.com/en/file/17edf82c40df6c7268191def7
>>> cbff6e60e78d7388018408800d42581567f78cf/analysis/>;
>>> classtype:trojan-activity; sid:33449; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 3118
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only;
>>> set. Can't have relative keywords around a fast_pattern only content
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any
>>> -> $EXTERNAL_NET $HTTP_PORTS (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.GateKeylogger initial exfiltration attempt";
>>> flow:to_server,established; content:"/gate.php"; fast_pattern:only;
>>> content:"pc="; nocase; http_client_body; content:"&admin="; distance:0;
>>> nocase; http_client_body; content:"&os="; distance:0; nocase;
>>> http_client_body; content:"&hid="; distance:0; nocase; http_client_body;
>>> content:"&arc="; distance:0; nocase; http_client_body;
>>> content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H";
>>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips
>>> drop, ruleset community, service http; reference:url,www.virustotal.c
>>> om/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497
>>> a69ccb9c2d82c16/analysis/1459520578/ <http://www.virustotal.com/en/
>>> file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb
>>> 9c2d82c16/analysis/1459520578/>; classtype:trojan-activity; sid:38562;
>>> rev:2;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/cleandnsmod.rules at line 3278
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky
>>> buffer still set.  Reset sticky buffer with pkt_data before using the
>>> modifier.
>>> 31/12/2017 -- 19:36:36 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> $EXTERNAL_NET $HTTP_PORTS -> any any (msg:"CleanDNS_Phase1 - MALWARE-CNC
>>> Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established;
>>> file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg;
>>> content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was
>>> not found "; metadata:impact_flag red, policy balanced-ips drop, policy
>>> security-ips drop, ruleset community, service http; reference:url,
>>> www.virustotal.com/en/file/77c802db1731fa8dae1
>>> b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/ <
>>> http://www.virustotal.com/en/file/77c802db1731fa8dae1b03d97
>>> 8f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/>;
>>> classtype:trojan-activity; sid:38563; rev:1;)" from file
>>> /usr/local/etc/suricata/suricata_42988_em0/rules/cleandnsmod.rules at
>>> line 3279
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>>> range is NIL. Probably have a !any or an address range that supplies a NULL
>>> address range
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 ->
>>> ![any,$SMTP_SERVERS] any (msg:"CleanDNS_Phase1 - ET POLICY Unusual number
>>> of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1;
>>> threshold: type both , track by_dst, count 50, seconds 300; reference:url,
>>> doc.emergingthreats.net/2003195 <http://doc.emergingthreats.net/2003195>;
>>> classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30,
>>> updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/cleandnsmod.rules at line 4113
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>>> range is NIL. Probably have a !any or an address range that supplies a NULL
>>> address range
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp
>>> ![any,$SMTP_SERVERS] any -> any 53 (msg:"CleanDNS_Phase1 - ET POLICY
>>> Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset:
>>> 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both,
>>> count 30, seconds 10, track by_src; reference:url,doc.emergingthre
>>> ats.net/2003330 <http://doc.emergingthreats.net/2003330>;
>>> classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30,
>>> updated_at 2010_07_30;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/cleandnsmod.rules at line 4151
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>>> range is NIL. Probably have a !any or an address range that supplies a NULL
>>> address range
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp
>>> !$SMTP_SERVERS any -> !any 25 (msg:"CleanDNS_Phase1 - ET POLICY Outbound
>>> Multiple Non-SMTP Server Emails"; flow:established; content:"mail
>>> from|3a|"; nocase; threshold: type threshold, track by_src, count 10,
>>> seconds 120; reference:url,doc.emergingthreats.net/2000328 <
>>> http://doc.emergingthreats.net/2000328>; classtype:misc-activity;
>>> sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at
>>> 2010_07_30;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/cleandnsmod.rules at line 4154
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address
>>> range is NIL. Probably have a !any or an address range that supplies a NULL
>>> address range
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !any any
>>> -> any 25 (msg:"CleanDNS_Phase1 - ET POLICY Inbound Frequent Emails -
>>> Possible Spambot Inbound"; flow:established; content:"mail from|3a|";
>>> nocase; threshold: type threshold, track by_src, count 10, seconds 60;
>>> reference:url,doc.emergingthreats.net/2002087 <
>>> http://doc.emergingthreats.net/2002087>; classtype:misc-activity;
>>> sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at
>>> 2010_07_30;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/cleandnsmod.rules at line 4155
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)]
>>> - Duplicate signature "drop udp any any -> any 53 (msg: "CleanDNS_Phase1:
>>> Malicious domain xxlvbrloxvriy2c5.onion"; content:"|10|xxlvbrloxvriy2c5|05|onion|00|";
>>> nocase; reference:url,app.threatconnect.com/auth/indicators/details/
>>> host.xhtml?host=xxlvbrloxvriy2c5.onion <http://app.threatconnect.com/
>>> auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion>;
>>> sid:5700006; rev:1;)"
>>> 31/12/2017 -- 19:36:37 - <Error> -- [ERRCODE:
>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any
>>> -> any 53 (msg: "CleanDNS_Phase1: Malicious domain xxlvbrloxvriy2c5.onion";
>>> content:"|10|xxlvbrloxvriy2c5|05|onion|00|"; nocase; reference:url,
>>> app.threatconnect.com/auth/indicators/details/
>>> host.xhtml?host=xxlvbrloxvriy2c5.onion <http://app.threatconnect.com/
>>> auth/indicators/details/host.xhtml?host=xxlvbrloxvriy2c5.onion>;
>>> sid:5700006; rev:1;)" from file /usr/local/etc/suricata/surica
>>> ta_42988_em0/rules/dnstunnel.rules at line 9
>>> 31/12/2017 -- 19:36:37 - <Info> -- 7 rule files processed. 9327 rules
>>> successfully loaded, 36 rules failed
>>> 31/12/2017 -- 19:36:37 - <Info> -- 9343 signatures processed. 25 are
>>> IP-only rules, 7491 are inspecting packet payload, 1974 inspect application
>>> layer, 4 are decoder event only
>>> 31/12/2017 -- 19:36:38 - <Info> -- Threshold config parsed: 0 rule(s)
>>> found
>>> 31/12/2017 -- 19:36:38 - <Info> -- fast output device (regular)
>>> initialized: alerts.log
>>> 31/12/2017 -- 19:36:38 - <Info> -- unable to find af-packet config for
>>> interface "eno16777736" or "default", using default values
>>> 31/12/2017 -- 19:36:38 - <Info> -- Going to use 4 ReceiveAFP receive
>>> thread(s)
>>> 31/12/2017 -- 19:36:38 - <Notice> -- all 8 packet processing threads, 2
>>> management threads initialized, engine started.
>>> 31/12/2017 -- 19:36:38 - <Info> -- All AFP capture threads are running.
>>>
>>> ############################################
>>>
>>
>> It looks like you are using some Snort rules. The SIP ones use some
>> variable not defined in the Suricata.yaml, so you will need to add those
>> yourself.
>>
>> If you can, please start with a Suricata specific ruleset, then if you
>> need some rules that are only available for Snort, add those as needed, and
>> fix them up for Suricata as needed.
>>
>> Please note that Suricata 3.2.4 is now end of life. Please upgrade to
>> 4.0.3. If using EPEL, Suricata 4.0.1 is available now. 4.0.3 will be
>> available soon.
>>
>> Jason
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>
>
>