Show Posts
1
Intrusion Detection and Prevention / Suricata rule load errors: abuse.ch/URLhaus
« on: July 28, 2020, 05:26:54 am »
I'm seeing these errors lateley:
Oct 18 00:01:57 haanjdj suricata[20436]: [100108] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"; http_uri; depth:36; isdataat:!1,relative; content:"artopinvest.ro"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_11; reference:url, urlhaus.abuse.ch/url/243894/; classtype:trojan-activity;sid:81106994; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 1783
They always involve the abuse.ch.urlhaus.rules file. I have compared the faulty entries, and I believe the problem to be the pipe symbol ('|') in for example the entry 'content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"'; it shouldn't be there.
Is this an upstream problem that should be reported there, or is this something that should be dealt with within Opnsense?
Oct 18 00:01:57 haanjdj suricata[20436]: [100108] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"; http_uri; depth:36; isdataat:!1,relative; content:"artopinvest.ro"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_11; reference:url, urlhaus.abuse.ch/url/243894/; classtype:trojan-activity;sid:81106994; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 1783
They always involve the abuse.ch.urlhaus.rules file. I have compared the faulty entries, and I believe the problem to be the pipe symbol ('|') in for example the entry 'content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"'; it shouldn't be there.
Is this an upstream problem that should be reported there, or is this something that should be dealt with within Opnsense?