OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: ruggerio on November 03, 2019, 08:51:13 am

Title: Suricata 5: Errors in Rules
Post by: ruggerio on November 03, 2019, 08:51:13 am
After having Suricata 5 now on dev, I switched over for more testing (and not kidnapping the old thread). After the first night, I saw the following error in the logs:

    suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; depth:54; isdataat:!1,relative; content:"tapclicktalk.com"; http_host; depth:16; isdataat:!1,relative; metadata:created_at 2019_10_10; reference:url, urlhaus.abuse.ch/url/243231/; classtype:trojan-activity;sid:81106331; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 7246

and following:
    suricata[18490]: [100221] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Invalid hex code in content - /clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/, hex /. Invalidating signature.

Wow, so Suricata 5 recognized it, but will not do anything with it. Is this an error in the ruleset of urlhaus.ch?

BTW, I disabled the proxy, also for comparison of downloads on my apuc4. With the usual performance fiddling, I got a download rate of 270mb/s, using aho-corasick. Never got that before, neither only on proxy, nor only with IPS (yes, IPS enabled) - also a big wow!
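The error above comes from Suricata's content parser: inside a content string, everything between two `|` characters is read as hex bytes, so the lone `|` in that URI turns the trailing `/` into an (invalid) hex block. The following is an added example, not code from the thread or from OPNsense/Suricata, that scans rule lines for exactly this defect and shows how a literal pipe would have to be written (`|7C|`); the sample rules and helper names are constructed for illustration, and backslash-escaped pipes are assumed not to occur.

```python
import re

# Constructed samples: a well-formed rule and the URLhaus rule quoted in this
# thread, whose http_uri content contains a literal "|" that Suricata reads as
# the start of a hex block (so the remainder "/" is rejected as bad hex).
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ok rule"; '
    'content:"GET"; http_method; content:"/path|2F|x"; http_uri; sid:1; rev:1;)',
    'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; '
    'flow:established,from_client; content:"GET"; http_method; '
    'content:"/clients/doc/yxnwvvy5wrni8vr0ofa4_9xshl2gx-804312145|/"; http_uri; depth:54; '
    'content:"tapclicktalk.com"; http_host; depth:16; sid:81106331; rev:1;)',
]

CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')
HEX_BYTE_RE = re.compile(r'^[0-9A-Fa-f]{2}$')
RESERVED = '|;"\\'   # characters that must be written as |XX| in a content value


def check_content(value):
    """Return None if a content value parses, else a description of the defect.

    Every second segment produced by splitting on "|" lies inside a hex block and
    must contain only two-digit hex bytes; an even segment count means a pipe
    was opened but never closed. (Assumption: no backslash-escaped pipes.)
    """
    segments = value.split("|")
    for hexblock in segments[1::2]:
        for tok in hexblock.split():
            if not HEX_BYTE_RE.match(tok):
                return "invalid hex code '%s' in hex block '%s'" % (tok, hexblock)
    if len(segments) % 2 == 0:
        return "unterminated hex block (odd number of '|')"
    return None


def check_rules(lines):
    """Scan rule lines; return (line_number, content_value, problem) for each bad content."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for value in CONTENT_RE.findall(line):
            problem = check_content(value)
            if problem:
                findings.append((lineno, value, problem))
    return findings


def escape_literal(text):
    """Encode a raw string (no hex blocks intended) as a content value, writing
    reserved characters as |XX| hex blocks, which the parser always accepts."""
    return "".join("|%02X|" % ord(ch) if ch in RESERVED else ch for ch in text)


if __name__ == "__main__":
    for lineno, value, problem in check_rules(SAMPLE_RULES):
        print('line %d: content:"%s": %s' % (lineno, value, problem))
        print('  if the pipe was meant literally: content:"%s"' % escape_literal(value))
```

Running it against the quoted rule reports the `/` after the pipe as an invalid hex code, the same defect Suricata logged, and prints the escaped form that would load cleanly.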
Title: Re: Suricata 5: Errors in Rules
Post by: mimugmail on November 03, 2019, 12:50:43 pm
Did these rules work with Suricata 4 on this system?
Title: Re: Suricata 5: Errors in Rules
Post by: ruggerio on November 04, 2019, 06:49:38 am
Yes, they did. But I haven't used Suricata 4 for quite a while; it might be that the error came in with an update of the rules.

I just got the errors from abuse.ch/urlhaus. I think it's related to https://forum.opnsense.org/index.php?topic=14715.0, so if it's just this one, I would leave it, as I haven't seen further errors till now.