[Oisf-users] Can't figure out why throwing errors

kevy luv kevyluv at hotmail.com
Sun Feb 18 07:13:29 UTC 2018


I installed the most recent SO and did "sudo soup".


I ran "suricata -r /opt/samples/zeus-sample-1.pcap -c /etc/nsm/sans-virtual-machine-eth1/suricata.yaml "

Getting the following errors. I have tried all day to try and figure out the issue but I am having no luck resolving it.

Checked out the common errors page as well, no luck.

18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:3;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 31971
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:3;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 31972
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40220; rev:5;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40220; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32415
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40221; rev:5;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40221; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32416
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40222; rev:5;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40222; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32417
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /etc/nsm/rules/downloaded.rules at line 32418
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41722; rev:4;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41722; rev:4;)" from file /etc/nsm/rules/downloaded.rules at line 32512
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41723; rev:3;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41723; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 32513
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41724; rev:3;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41724; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 32514
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41725; rev:3;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41725; rev:3;)" from file /etc/nsm/rules/downloaded.rules at line 32515
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /etc/nsm/rules/downloaded.rules at line 32637
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /etc/nsm/rules/downloaded.rules at line 32638
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|03 00|"; within:2; distance:6; content:"|01|"; within:1; distance:2; content:"|10 00|"; within:2; distance:47; byte_test:3, >, 1481, 1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:5;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|03 00|"; within:2; distance:6; content:"|01|"; within:1; distance:2; content:"|10 00|"; within:2; distance:47; byte_test:3, >, 1481, 1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line 32851
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:4;)"
18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:4;)" from file /etc/nsm/rules/downloaded.rules at line 32852

Any help would be appreciated.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180218/f3503936/attachment-0001.html>


More information about the Oisf-users mailing list