OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: kombiluva on June 15, 2018, 06:47:21 am

Title: Bug - Services- Intruder detection - download
Post by: kombiluva on June 15, 2018, 06:47:21 am
Hi,

As an FYI - I am running OPNsense 18.1.9-amd64, FreeBSD 11.1-RELEASE-p10, LibreSSL 2.6.4.

The following error is being encountered:
When entering my oink code and the URL for the snort_vrt.rules file, the data entered into the input field for the URL is not being retained / saved after pressing save / download & update.

The impact this then has is that the SNORT VRT rules are not being updated and the input field is not retaining the URL for the rules file.

The following errors are logged:

Jun 16 10:23:06
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/irs-letters-062018-956/""; http_uri; depth:25; isdataat:!1,relative; content:"www.estepona.dpsoft.es"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2018_06_14; reference:url, urlhaus.abuse.ch/url/19286/; classtype:trojan-activity;sid:80882386; rev:1;)^M" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 934

Jun 16 10:16:19
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !$DC_SERVERS any -> $DC_SERVERS 389 (msg: "[PT OPEN] DCShadow: Fake DC Creation"; flow: established, to_server; content: "|68 84 00|"; content: "CN="; distance: 5; within: 3; content: "CN=Servers,CN="; distance: 0; content: ",CN=Sites,CN=Configuration,DC="; distance: 0; content: "objectClass"; distance: 0; content: "server"; distance: 0; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; sid: 10002559; rev: 2; )^M" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 203

Jun 16 10:16:19
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file

Jun 16 10:16:19
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "[PT OPEN] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC"; flow: established, to_server, no_stream; content: "|05 00 00 03|"; depth: 4; content: "|05 00|"; distance: 18; within: 2; flowbits: isset, RPC.Bind.DRSUAPI; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; sid: 10002558; rev: 1; )^M" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 201

Jun 16 10:16:19
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file

Jun 16 10:16:19
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp !$DC_SERVERS any -> $DC_SERVERS [1024:] (msg: "[PT OPEN] DCShadow Replication Attempt"; flow: established, to_server; content: "|05 00 0B|"; depth: 3; content: "|35 42 51 E3 06 4B D1 11 AB 04 00 C0 4F C2 DC D2|"; distance: 0; flowbits: set, RPC.Bind.DRSUAPI; flowbits: noalert; reference: url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype: attempted-admin; sid: 10002557; rev: 2; )^M" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 199

Jun 16 10:16:19
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "DC_SERVERS" is not defined in configuration file

Jun 16 10:16:19
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $DC_SERVERS 88 (msg: "[PT OPEN] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5"; flow: no_stream, established, to_server; content: "|A1 03 02 01 05 A2 03 02 01 0A|"; offset: 12; depth: 10; content: "|A1 03 02 01 02|"; distance: 5; within: 6; content: "|A0 03 02 01 17|"; distance: 6; within: 6; content: "krbtgt"; distance: 0; xbits: set, Krb5.AsReq, track ip_src, expire: 10; classtype: attempted-user; sid: 10002228; rev: 1; )^M" from file /usr/local/etc/suricata/opnsense.rules/pt.research.rules at line 161

Title: Re: Bug - Services- Intruder detection - download
Post by: JasMan on August 24, 2018, 02:20:25 pm
Hey,

I had nearly the same error in my logs:

Jun 16 10:23:06
suricata[60613]: [100202] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/irs-letters-062018-956/""; http_uri; depth:25; isdataat:!1,relative; content:"www.estepona.dpsoft.es"; http_host; depth:22; isdataat:!1,relative; metadata:created_at 2018_06_14; reference:url, urlhaus.abuse.ch/url/19286/; classtype:trojan-activity;sid:80882386; rev:1;)^M" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 934

The main issue seems to be a failure with the signature of the named rule list.
I've disabled the list "abuse.ch/URLhaus" and IDS/IPS comes up again.

According to your logs you have to disable the list "PT/Research" too to get IDS/IPS running.

Jas
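Both posts above show the same failure mode: Suricata refuses a signature it cannot parse, and a single bad rule (or a `$VARIABLE` the configuration never defines) is enough to keep the whole IDS/IPS from coming up. The logs point at three concrete defects: every logged signature ends in `^M` (the rules file was written with CRLF line endings), the URLhaus rule carries a doubled quote in `content:"/irs-letters-062018-956/"";`, and the PT/Research rules reference `$DC_SERVERS`, which `SC_ERR_UNDEFINED_VAR` says is not in suricata.yaml. The following pre-flight lint, an added example that is not OPNsense or Suricata code, catches all three before the rules are loaded. `DEFAULT_VARS` is an assumed subset of the stock suricata.yaml variables (take the real list from your own `vars:` section), and `SAMPLE_RULES` is a constructed sample modelled on the rules quoted in the thread, not a real ruleset.

```python
"""Pre-flight lint for a Suricata rule file (added example, not OPNsense or
Suricata code).  It reports the three defects visible in the thread's logs:
CRLF line endings, an unbalanced double quote in the option block, and a
$VARIABLE in the rule header that suricata.yaml does not define.
"""
import re
from typing import Dict, List, Set

# Assumed subset of the address/port variables a stock suricata.yaml defines.
# Take the real list from the `vars:` section of your own configuration;
# DC_SERVERS is deliberately absent, as in the thread's logs.
DEFAULT_VARS: Set[str] = {
    "HOME_NET", "EXTERNAL_NET", "HTTP_SERVERS", "SMTP_SERVERS",
    "SQL_SERVERS", "DNS_SERVERS", "TELNET_SERVERS",
    "HTTP_PORTS", "SHELLCODE_PORTS", "ORACLE_PORTS", "SSH_PORTS",
}

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def _unescaped_quote_count(options: str) -> int:
    """Count delimiting double quotes, ignoring backslash-escaped characters."""
    return re.sub(r"\\.", "", options).count('"')


def _finding(line: int, sid, issue: str, detail: str) -> Dict[str, object]:
    return {"line": line, "sid": sid, "issue": issue, "detail": detail}


def lint_rule_file(text: str, defined_vars: Set[str] = DEFAULT_VARS) -> List[Dict[str, object]]:
    """Return one finding per defect; an empty list means the file should load."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SID_RE.search(stripped)
        sid = int(m.group(1)) if m else None

        # The ^M at the end of every logged signature means the file is CRLF.
        if "\r" in raw:
            findings.append(_finding(lineno, sid, "crlf", "line ends with \\r; convert the file to LF"))

        open_idx = stripped.find("(")
        close_idx = stripped.rfind(")")
        if open_idx < 0 or close_idx < open_idx:
            findings.append(_finding(lineno, sid, "no_option_block", "rule has no ( ... ) option block"))
            continue
        header, options = stripped[:open_idx], stripped[open_idx + 1:close_idx]

        # Header variables ($HOME_NET, !$DC_SERVERS, ...) must exist in suricata.yaml,
        # otherwise Suricata logs SC_ERR_UNDEFINED_VAR and rejects the signature.
        for var in dict.fromkeys(VAR_RE.findall(header)):
            if var not in defined_vars:
                findings.append(_finding(lineno, sid, "undefined_var", var))

        # An odd number of delimiting quotes (content:"/x/"";) cannot parse.
        if _unescaped_quote_count(options) % 2:
            findings.append(_finding(lineno, sid, "unbalanced_quotes", "odd number of double quotes in option block"))
    return findings


# Constructed sample modelled on the rules quoted in the thread (not a real
# ruleset): one clean rule, the URLhaus rule with its doubled quote, and a
# PT/Research rule that references $DC_SERVERS; the last two end in CRLF.
SAMPLE_RULES = (
    "# constructed sample\n"
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"clean rule"; '
    'content:"GET"; http_method; sid:1000001; rev:1;)\n'
    'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware '
    'download URL detected"; flow:established,from_client; content:"GET"; '
    'http_method; content:"/irs-letters-062018-956/""; http_uri; '
    'sid:80882386; rev:1;)\r\n'
    'drop tcp !$DC_SERVERS any -> $DC_SERVERS 389 (msg: "[PT OPEN] DCShadow: '
    'Fake DC Creation"; flow: established, to_server; content: "|68 84 00|"; '
    'sid: 10002559; rev: 2; )\r\n'
)

if __name__ == "__main__":
    for f in lint_rule_file(SAMPLE_RULES):
        print(f"line {f['line']} sid {f['sid']}: {f['issue']} ({f['detail']})")
```

Run it against the files under /usr/local/etc/suricata/opnsense.rules/ (read each with `open(path, newline="")` so the `\r` bytes survive) after a download and before restarting the service. An `undefined_var` finding is fixed either by defining the variable in the `vars:` section of suricata.yaml or, as JasMan did, by disabling the ruleset that needs it; `crlf` and `unbalanced_quotes` findings are defects in the downloaded file itself. The authoritative check remains Suricata's own test mode, `suricata -T -c /usr/local/etc/suricata/suricata.yaml`, which parses every rule without starting the engine.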