OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: kapara on November 24, 2018, 04:56:59 am

Title: error in Suricata
Post by: kapara on November 24, 2018, 04:56:59 am
Saw this error message in Suricata.  Is this something I can just ignore or is this pointing to a problem?  Currently have and as my primary DNS entries in the firewall.

OPNsense suricata: [100208] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/url=http://sietepuntocero.com.ar/en_us/messages/112018|26|data=02|01|kbesic@pella.com|17810e138c1d413ab8a108d64a6df3be|a66b0f6bd9534f0995b75213bd230c18|0|0|636778233436312957|26|sdata=bdjpihczaitno2gt/kt/9owjxappq2frvcm5id4tppe=|26|reserved=0"; http_uri; depth:243; isdataat:!1,relative; content:"na01.safelinks.protection.outlook.com"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2018_11_14; reference:url, urlhaus.abuse.ch/url/80452/; classtype:trojan-activity;sid:80943552; rev:1;)^M" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 4007

Title: Re: error in Suricata
Post by: dalybrian on May 18, 2019, 06:27:15 pm
I'm seeing a similar issue. Is there a fix/patch for this error?

I have IPS Mode and Promiscuous Mode enabled with Pattern Matcher = Hyperscan only on WAN Interface.

OPNsense Versions :
OPNsense 19.1.7-amd64
OpenSSL 1.0.2r 26 Feb 2019

Suricata Log :
May 18 12:16:00   
OPNsense suricata: [100725] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO WEB_SPECIFIC_APPS Apache Tomcat CVE-2016-6816 Security Bypass Attempt"; flow:established,to_server; content:"GET"; http_method; content:"|7b 7b 25 7d 7d|"; http_uri; fast_pattern; content:"|5c|="; http_uri; distance:0; pcre:"/^\/[^\x7b]+\x7b{2}[^\x7d]+\x7d{2}[^\x5c]+\x5c=/U"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,vuldb.com/?id.93797; classtype:web-application-attack; sid:2828954; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2017_12_15;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_specific_apps.rules at line 45

Title: Re: error in Suricata
Post by: hbc on May 19, 2019, 12:22:19 am
It is an error in the rules file. Has to be fixed by the provider of the rule set. Maybe the rules are not compatible with your Suricata version.
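
For triaging messages like the ones quoted in this thread, the following added example (not part of any post above, and not OPNsense or Suricata code) extracts the rule file, line number, sid and msg from each SC_ERR_INVALID_SIGNATURE log line and groups the rejected rules by file. The log lines are constructed and shortened in the format shown above, the sids are placeholders, and the two notes it attaches are observations about the rule text, not a confirmed cause.

```python
import re
from collections import defaultdict

# Rule actions Suricata accepts in the first header field (action proto src ...).
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
LOG_RE = re.compile(
    r'SC_ERR_INVALID_SIGNATURE\(39\)\] - error parsing signature "(?P<rule>.*)" '
    r'from file (?P<file>\S+) at line (?P<line>\d+)')

# Constructed sample lines (shortened rules, placeholder sids), not real log data.
SAMPLE_LOG = [
    'OPNsense suricata: [100208] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Constructed sample A"; content:"GET"; http_method; sid:9000001; rev:1;)^M" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 10',
    'OPNsense suricata: [100725] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Constructed sample B"; sid:9000002; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_specific_apps.rules at line 45',
    'OPNsense suricata: [100725] <Notice> -- constructed unrelated line',
]

def parse_error(log_line):
    """Return a dict describing one rejected rule, or None for other log lines."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    rule = m.group("rule")
    sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', rule)
    msg = re.search(r'msg\s*:\s*"([^"]*)"', rule)
    header = rule.split("(", 1)[0].split()  # fields before the option list
    notes = []
    if len(header) > 1 and header[0] in ACTIONS and header[1] in ACTIONS:
        notes.append("two action keywords: %s %s" % (header[0], header[1]))
    if rule.endswith("^M") or rule.endswith("\r"):  # syslog renders CR as ^M
        notes.append("trailing carriage return")
    return {"file": m.group("file"), "line": int(m.group("line")),
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else None, "notes": notes}

def summarize(log_lines):
    """Group rejected rules by the rules file they were loaded from."""
    by_file = defaultdict(list)
    for line in log_lines:
        rec = parse_error(line)
        if rec:
            by_file[rec["file"]].append(rec)
    return dict(by_file)

if __name__ == "__main__":
    for path, recs in summarize(SAMPLE_LOG).items():
        for r in recs:
            print(path, r["line"], r["sid"], r["msg"], r["notes"])
```

The per-file grouping shows which rule set provider to report each rejected sid to.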