Messages - mcmlxv

Intrusion Detection and Prevention / Rules Format: Malformed dns_query Hostname
« on: October 05, 2023, 02:34:37 pm »
Within the Suricata abuse.ch.threatfox.rules, there is a malformed hostname entry at line 8624.

The error is as follows:
Error suricata [100376] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anakhaled20.noظ€ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1172062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_09_27; classtype:trojan-activity; sid:91172062; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 8624
This is the only query to the host (there are others) that appears to be impacted. Thus, I was easily able to manually adjust the hostname from anakhaled20.noظ€ip.biz to anakhaled20.no-ip.biz. Unfortunately, this change will be overwritten following the next rule update.

Is anyone able to confirm? And, what is the next step toward remediation?

Thanks
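A pre-load check of the kind a defender might run over a freshly downloaded rule set, as an added example that is not part of the original post or of the OPNsense/abuse.ch tooling: it walks the file, picks out every dns_query rule, and reports content strings that are not clean ASCII hostnames, listing the offending Unicode code points and the UTF-8 byte length next to the declared depth. Suricata expects content strings to be printable ASCII (raw bytes go in |xx| hex notation), so a stray multibyte character like the one in the post is exactly what this flags. The sample rule set is constructed for the example; only the malformed line and its sid are taken from the post, and the two surrounding rules use placeholder hostnames.

```python
import re
import sys

# Constructed sample rule set (not the real abuse.ch feed): two made-up,
# well-formed rules plus the malformed line quoted in the post.
SAMPLE_RULES = '''\
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2-placeholder.example"; depth:22; fast_pattern; isdataat:!1,relative; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anakhaled20.noظ€ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1172062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_09_27; classtype:trojan-activity; sid:91172062; rev:1;)
# comment lines and blank lines are skipped

alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"another-placeholder.example"; depth:27; fast_pattern; isdataat:!1,relative; nocase; classtype:trojan-activity; sid:9000002; rev:1;)
'''

CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:(\d+);')
DEPTH_RE = re.compile(r'\bdepth:(\d+);')
# Characters that can legitimately appear in a literal hostname match.
HOSTNAME_CHARS = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_')


def check_dns_query_rules(rules_text):
    """Return one finding per dns_query rule whose content is not a clean
    ASCII hostname: the line number, sid, offending content, the non-ASCII
    code points, any unexpected ASCII characters, and the UTF-8 byte length
    next to the declared depth so the two can be compared by eye."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith('#') or 'dns_query;' not in rule:
            continue
        # Only inspect the content that follows the dns_query sticky buffer,
        # so quotes inside msg:"..." are not mistaken for the match string.
        match = CONTENT_RE.search(rule.split('dns_query;', 1)[1])
        if not match:
            continue
        content = match.group(1)
        non_ascii = ['U+%04X' % ord(c) for c in content if ord(c) > 0x7F]
        bad_ascii = sorted({c for c in content if ord(c) <= 0x7F and c not in HOSTNAME_CHARS})
        if not non_ascii and not bad_ascii:
            continue
        sid = SID_RE.search(rule)
        depth = DEPTH_RE.search(rule)
        findings.append({
            'line': lineno,
            'sid': sid.group(1) if sid else None,
            'content': content,
            'non_ascii': non_ascii,
            'bad_ascii': bad_ascii,
            'content_bytes': len(content.encode('utf-8')),
            'depth': int(depth.group(1)) if depth else None,
        })
    return findings


def format_report(findings):
    """Render findings as plain text lines suitable for a log or a ticket."""
    lines = []
    for f in findings:
        lines.append('line %d sid %s: content %r' % (f['line'], f['sid'], f['content']))
        if f['non_ascii']:
            lines.append('  non-ASCII code points: %s' % ', '.join(f['non_ascii']))
        if f['bad_ascii']:
            lines.append('  unexpected ASCII characters: %s' % ', '.join(repr(c) for c in f['bad_ascii']))
        lines.append('  %d UTF-8 bytes, declared depth %s' % (f['content_bytes'], f['depth']))
    return lines


if __name__ == '__main__':
    # Pass a rules file path to scan it; with no argument the constructed sample is used.
    # Undecodable bytes become U+FFFD, which is still reported as non-ASCII.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    for out in format_report(check_dns_query_rules(text)):
        print(out)
```

Run it against the downloaded file before the rule update is applied (for example against abuse.ch.threatfox.rules) and feed the reported line numbers into the upstream bug report; the script does not rewrite the rules, since any local edit would be overwritten by the next update exactly as the post describes.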
