[Oisf-users] Can't figure out why throwing errors

Eric Urban eurban at umn.edu
Mon Feb 19 16:03:44 UTC 2018


It looks like there are at least a few rules that have duplicate SIDs in
the file /etc/nsm/rules/downloaded.rules.  Have you checked that file for
whether or not that is the case?  If you were running Suricata with
the --init-errors-fatal command line option, it would fail to start where
rules have the same SID, but I believe since you are not using that option
it should still run.  I haven't used the -r offline/pcap mode so I don't
know whether or not it would be affected differently.

I recommend enabling the HTTP log file (configured in suricata.yaml) as
that will pick up requests that cross Suricata's path whether or not they
trigger alerts.  That way you could see if the traffic from your capture is
getting picked up and not triggering the rule, or if instead it is not
registering at all.
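Eric's first suggestion, checking downloaded.rules for repeated SIDs, as an added example that is not part of the original thread: a small Python checker that reports every SID used by more than one enabled rule, skipping commented-out (disabled) rules and joining backslash-continued lines. The rule text below is a constructed sample, not the real file.

```python
import re
from collections import defaultdict

# Constructed sample of a rules file (not the real downloaded.rules).
# sid:30787 is present twice as an enabled rule; sid:40220 is repeated only
# by a commented-out copy, which Suricata never loads and so must not count.
SAMPLE_RULES = """\
# downloaded.rules (constructed sample)
alert tcp $HOME_NET [21,443] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response"; flow:to_client,established; content:"|18 03 02|"; sid:30787; rev:3;)
alert udp $HOME_NET [500,4500] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure"; flow:to_client; dsize:>2000; sid:40220; rev:5;)
#alert udp $HOME_NET [500,4500] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure"; flow:to_client; dsize:>2000; sid:40220; rev:5;)
alert tcp $HOME_NET [21,443] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response"; flow:to_client,established; content:"|18 03 02|"; sid:30787; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install"; content:"tftp://"; sid:41723; rev:3;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def iter_rules(text):
    """Yield (line_number, rule_text) for each enabled rule.

    Blank lines and lines starting with '#' are skipped; a trailing backslash
    continues the rule on the next line, and the reported line number is the
    line where the rule starts (the number Suricata prints in its errors).
    """
    buf, start = [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []


def find_duplicate_sids(text):
    """Return {sid: [(line_number, rev), ...]} for SIDs used by more than one enabled rule."""
    seen = defaultdict(list)
    for lineno, rule in iter_rules(text):
        sid = SID_RE.search(rule)
        if not sid:
            continue  # Suricata rejects a rule without a sid anyway
        rev = REV_RE.search(rule)
        seen[int(sid.group(1))].append((lineno, int(rev.group(1)) if rev else None))
    return {sid: hits for sid, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    # Replace SAMPLE_RULES with open("/etc/nsm/rules/downloaded.rules").read()
    # to check a real file.
    for sid, hits in sorted(find_duplicate_sids(SAMPLE_RULES).items()):
        where = ", ".join(f"line {ln} (rev:{rev})" for ln, rev in hits)
        print(f"sid:{sid} defined {len(hits)} times: {where}")
```

Two copies with the same rev are normally a ruleset merge problem (the same rule pulled in twice); differing revs mean an old and a new revision are both enabled and one should be dropped.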


On Sun, Feb 18, 2018 at 1:13 AM, kevy luv <kevyluv at hotmail.com> wrote:

>
> I installed the most recent SO and did "sudo soup".
>
>
> I ran "suricata -r /opt/samples/zeus-sample-1.pcap -c
> /etc/nsm/sans-virtual-machine-eth1/suricata.yaml "
>
> Getting the following errors. I have tried all day to try and figure out
> the issue but I am having no luck resolving it.
>
> Checked out the common errors page as well, no luck.
>
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484]
> -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat
> response - possible ssl heartbleed attempt"; flow:to_client,established;
> content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|";
> within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,
> policy security-ips drop, ruleset community, service ssl;
> reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:3;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $HOME_NET
> [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any
> (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl
> heartbleed attempt"; flow:to_client,established; content:"|18 03 02|";
> byte_jump:2,0,relative; content:"|18 03 02|"; within:3;
> byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy
> security-ips drop, ruleset community, service ssl; reference:cve,2014-0160;
> classtype:attempted-recon; sid:30787; rev:3;)" from file
> /etc/nsm/rules/downloaded.rules at line 31971
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484]
> -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat
> response - possible ssl heartbleed attempt"; flow:to_client,established;
> content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|";
> within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,
> policy security-ips drop, ruleset community, service ssl;
> reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:3;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $HOME_NET
> [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any
> (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl
> heartbleed attempt"; flow:to_client,established; content:"|18 03 03|";
> byte_jump:2,0,relative; content:"|18 03 03|"; within:3;
> byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy
> security-ips drop, ruleset community, service ssl; reference:cve,2014-0160;
> classtype:attempted-recon; sid:30788; rev:3;)" from file
> /etc/nsm/rules/downloaded.rules at line 31972
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert udp $HOME_NET [500,848,4500,4848] ->
> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory
> disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B
> 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative;
> metadata:policy balanced-ips drop, policy max-detect-ips drop, policy
> security-ips drop, ruleset community; reference:cve,2016-6415;
> reference:url,tools.cisco.com/security/center/content/CiscoS
> ecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon;
> sid:40220; rev:5;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert udp $HOME_NET [500,848,4500,4848] ->
> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory
> disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B
> 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative;
> metadata:policy balanced-ips drop, policy max-detect-ips drop, policy
> security-ips drop, ruleset community; reference:cve,2016-6415;
> reference:url,tools.cisco.com/security/center/content/CiscoS
> ecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon;
> sid:40220; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line
> 32415
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET
> [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory
> disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00
> 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|";
> depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4;
> content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern;
> byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy
> max-detect-ips drop, policy security-ips drop, ruleset community;
> reference:cve,2016-6415; reference:url,tools.cisco.com/
> security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1;
> classtype:attempted-recon; sid:40221; rev:5;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET
> [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory
> disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00
> 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|";
> depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4;
> content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern;
> byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy
> max-detect-ips drop, policy security-ips drop, ruleset community;
> reference:cve,2016-6415; reference:url,tools.cisco.com/
> security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1;
> classtype:attempted-recon; sid:40221; rev:5;)" from file
> /etc/nsm/rules/downloaded.rules at line 32416
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert udp $EXTERNAL_NET any -> $HOME_NET
> [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory
> disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00
> 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|";
> depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4;
> content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern;
> byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy
> max-detect-ips drop, policy security-ips drop, ruleset community;
> reference:cve,2016-6415; reference:url,tools.cisco.com/
> security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1;
> classtype:attempted-recon; sid:40222; rev:5;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET
> [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory
> disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00
> 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|";
> depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4;
> content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern;
> byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy
> max-detect-ips drop, policy security-ips drop, ruleset community;
> reference:cve,2016-6415; reference:url,tools.cisco.com/
> security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1;
> classtype:attempted-recon; sid:40222; rev:5;)" from file
> /etc/nsm/rules/downloaded.rules at line 32417
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - previous keyword has a fast_pattern:only; set. Can't have relative
> keywords around a fast_pattern only content
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET
> $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer
> overflow"; flow:to_server,established; content:"APSCOOKIE";
> fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|";
> nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header;
> metadata:policy max-detect-ips drop, policy security-ips drop, service
> http; reference:cve,2016-6909; reference:url,fortiguard.com/a
> dvisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from
> file /etc/nsm/rules/downloaded.rules at line 32418
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command
> attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00
> 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop,
> policy connectivity-ips drop, policy max-detect-ips drop, policy
> security-ips drop, ruleset community; reference:url,tools.cisco.com/
> security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
> classtype:attempted-admin; sid:41722; rev:4;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command
> attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00
> 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop,
> policy connectivity-ips drop, policy max-detect-ips drop, policy
> security-ips drop, ruleset community; reference:url,tools.cisco.com/
> security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi;
> classtype:attempted-admin; sid:41722; rev:4;)" from file
> /etc/nsm/rules/downloaded.rules at line 32512
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command
> attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00
> 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy
> balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips
> drop, policy security-ips drop, ruleset community; reference:url,
> tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-
> 20170214-smi; classtype:attempted-admin; sid:41723; rev:3;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command
> attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00
> 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy
> balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips
> drop, policy security-ips drop, ruleset community; reference:url,
> tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-
> 20170214-smi; classtype:attempted-admin; sid:41723; rev:3;)" from file
> /etc/nsm/rules/downloaded.rules at line 32513
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command
> attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00
> 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy
> balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips
> drop, policy security-ips drop, ruleset community; reference:url,
> tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-
> 20170214-smi; classtype:attempted-admin; sid:41724; rev:3;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command
> attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00
> 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy
> balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips
> drop, policy security-ips drop, ruleset community; reference:url,
> tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-
> 20170214-smi; classtype:attempted-admin; sid:41724; rev:3;)" from file
> /etc/nsm/rules/downloaded.rules at line 32514
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command
> attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00
> 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy
> balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips
> drop, policy security-ips drop, ruleset community; reference:url,
> tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-
> 20170214-smi; classtype:attempted-admin; sid:41725; rev:3;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786
> (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command
> attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00
> 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy
> balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips
> drop, policy security-ips drop, ruleset community; reference:url,
> tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-
> 20170214-smi; classtype:attempted-admin; sid:41725; rev:3;)" from file
> /etc/nsm/rules/downloaded.rules at line 32515
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)]
> - rule contains conflicting keywords.
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4592
> (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt";
> flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc;
> dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|";
> within:12; distance:8; metadata:policy max-detect-ips drop, policy
> security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,
> www.advantech.com/industrial-automation/webaccess/introduction;
> classtype:attempted-user; sid:44501; rev:2;)" from file
> /etc/nsm/rules/downloaded.rules at line 32637
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)]
> - rule contains conflicting keywords.
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4592
> (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt";
> flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc;
> dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|";
> within:12; distance:8; metadata:policy max-detect-ips drop, policy
> security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,
> www.advantech.com/industrial-automation/webaccess/introduction;
> classtype:attempted-user; sid:44502; rev:2;)" from file
> /etc/nsm/rules/downloaded.rules at line 32638
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any
> (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt";
> flow:to_client,established; content:"|FE|SMB|40 00|"; depth:6; offset:4;
> content:"|03 00|"; within:2; distance:6; content:"|01|"; within:1;
> distance:2; content:"|10 00|"; within:2; distance:47; byte_test:3, >, 1481,
> 1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy
> max-detect-ips drop, policy security-ips drop, ruleset community;
> reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:5;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET
> any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow
> attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; depth:6;
> offset:4; content:"|03 00|"; within:2; distance:6; content:"|01|";
> within:1; distance:2; content:"|10 00|"; within:2; distance:47;
> byte_test:3, >, 1481, 1; metadata:policy balanced-ips drop, policy
> connectivity-ips drop, policy max-detect-ips drop, policy security-ips
> drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos;
> sid:41499; rev:5;)" from file /etc/nsm/rules/downloaded.rules at line
> 32851
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] -
> Duplicate signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA
> Samba is_known_pipe arbitrary module load code execution attempt";
> flow:to_server,established; flowbits:isset,smb.tree.connect.ipc;
> content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4;
> byte_extract:2,72,len,relative,little; content:"/"; within:1;
> content:"/"; within:len; distance:1; metadata:policy balanced-ips drop,
> policy max-detect-ips drop, policy security-ips drop, ruleset community,
> service netbios-ssn; reference:cve,2017-7494; reference:url,
> www.samba.org/samba/security/CVE-2017-7494.html;
> classtype:attempted-user; sid:43004; rev:4;)"
> 18/2/2018 -- 07:10:31 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
> - error parsing signature "alert tcp any any -> $HOME_NET 445
> (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution
> attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc;
> content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4;
> byte_extract:2,72,len,relative,little; content:"/"; within:1;
> content:"/"; within:len; distance:1; metadata:policy balanced-ips drop,
> policy max-detect-ips drop, policy security-ips drop, ruleset community,
> service netbios-ssn; reference:cve,2017-7494; reference:url,
> www.samba.org/samba/security/CVE-2017-7494.html;
> classtype:attempted-user; sid:43004; rev:4;)" from file
> /etc/nsm/rules/downloaded.rules at line 32852
>
> Any help would be appreciated.
>
>