Development and Code Review / Re: Wazuh Agent integration - call for tests
« on: August 08, 2023, 08:55:23 am »
How to install?
level=fatal msg="Starting outputs error: authenticated watcher (4c4c4458) Post " http://127.0..0.1:7171/v1/watchers/login\ " Could not get jwt token. Post "http:127.0.0.1:7171/v1/watchers/login" read tcp 127.0.0.1:24555 -> "http://127.0.0.1:7171/ read: connection reset by peer.
2023-05-05T16:05:44 Error suricata [101034] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:igb1/R failed: Invalid argument
2023-05-05T16:04:23 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-other.rules at line 2943
2023-05-05T16:04:23 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 5713
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 5645
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_UNKNOWN_REGEX_MOD(131)] - unknown regex modifier 'K'
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 5567
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 3769
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
2023-05-05T16:03:52 Error suricata [100652] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/snort_vrt.malware-cnc.rules at line 674
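The three error classes in the log above (relative keywords after a `fast_pattern:only` content, a legacy `http_*` modifier used while a sticky buffer such as `file_data` is set, and a Snort-only `pcre` modifier) can be caught before a ruleset is loaded. The following is an added example, not code from the thread or from OPNsense/Suricata: a small Python linter that replays Suricata's per-buffer content lists over rules trimmed from the log; the keyword sets are assumed subsets of Suricata's, the error strings reuse the log's wording, and `icedid_fixed` is a constructed rewrite of the IcedId rule with a sticky buffer (local sid chosen arbitrarily).

```python
import re
# Keyword classes: assumed subsets of Suricata's, enough for the rules quoted in the log above.
STICKY = {"file_data", "pkt_data", "http.uri", "http.header", "http.cookie", "http.request_body"}
LEGACY = {"http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
          "http_client_body", "http_server_body", "http_method", "http_user_agent", "http_host"}
PCRE_MODS = set("ismxAEGRUIPHDMCSYBVWZQ")  # PCRE flags plus Suricata's buffer letters (assumed)

def options(rule):
    """Split the option section of a rule into (keyword, value) pairs; value is None for flags."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(kw, val.strip() or None)
            for kw, val in re.findall(r'([A-Za-z_.]+)(?::((?:"[^"]*"|[^;"])*))?;', body)]

def lint(rule):
    """Return the first load error Suricata would raise for the rule, or None if it is clean."""
    lists = {"payload": []}  # buffer name -> its contents in order (mirrors Suricata's lists)
    cur, sticky, last = "payload", False, None
    for kw, val in options(rule):
        if kw in STICKY:  # sticky buffer: every later content lands in this list
            cur, sticky = kw, True
            lists.setdefault(cur, [])
        elif kw == "content":
            last = {"value": val, "fp_only": False}
            lists[cur].append(last)
        elif kw == "fast_pattern" and val == "only" and last:
            last["fp_only"] = True
        elif kw in LEGACY:  # legacy modifier: moves the newest payload content into its buffer
            if sticky:
                return f'"{kw}" keyword seen with a sticky buffer still set'
            if lists[cur]:
                lists.setdefault(kw, []).append(lists[cur].pop())
        elif kw in ("within", "distance"):  # relative to the previous content in the SAME list
            lst = lists[cur]
            if len(lst) > 1 and lst[-2]["fp_only"]:
                return "previous keyword has a fast_pattern:only; set"
        elif kw == "pcre":
            parts = (val or "").strip('"').rsplit("/", 1)
            bad = [m for m in (parts[1] if len(parts) == 2 else "") if m not in PCRE_MODS]
            if bad:
                return f"unknown regex modifier '{bad[0]}'"
    return None

# Constructed inputs: three rules trimmed from the log above, plus a sticky-buffer rewrite of IcedId.
RULES = {
    "icedid": 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"IcedId"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; sid:58835; rev:1;)',
    "hannabi": 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Hannabi"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; sid:60728; rev:1;)',
    "treetrunk": 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TreeTrunk"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; sid:60270; rev:1;)',
    "icedid_fixed": 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"IcedId"; flow:to_server,established; http.cookie; content:"__gads="; fast_pattern; content:"|3B| _gat="; distance:0; sid:1000001; rev:1;)',
}
```

Running `lint` over each entry of `RULES` reproduces the three errors from the log and returns `None` for the sticky-buffer rewrite, which is the form to use when porting Snort VRT rules to Suricata.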