24.1 Legacy Series / Suricata Not starting?? Should I be concerned.
« on: June 28, 2024, 03:57:40 pm »
Hello All:
I am concerned about recently upgrading to version 24.1.9.
Exact version:
OPNsense 24.1.9_4-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.14
My Suricata is not starting; I get this in my log. Should I be concerned?
2024-06-28T09:37:07-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_method in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-10-11"; flow:established,to_server; http.method; content:"POST"; http.method; content:"POST"; http.uri; content:"//pages/"; fast_pattern; http.request_body; content:" capture_time="; distance:0; content:" &useragent="; distance:0; content:" &new_data="; distance:0; content:" &status="; distance:0; content:" &uniqueid="; distance:0; content:" &username="; distance:0; content:" &password="; distance:0; reference:md5,129f88633583fdcf290c88e658a438ec; classtype:credential-theft; sid:2039165; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_10_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_10_11;)'
2024-06-28T09:37:07-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_uri in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-06-21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fmicode/"; startswith; fast_pattern; http.uri; content:".php"; reference:md5,6e58fc761e676b4bbf1d23eb73a43d2a; classtype:credential-theft; sid:2037048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_21;)'
2024-06-28T09:37:07-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-PSW.Win32.Stealer.sb CnC"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"GET /AH/ HTTP/1.0"; fast_pattern; http.header; pcre:"/^Referer\x3a\x20[a-zA-Z0-9_\-.]+\x28[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]\x29\w+\x0d\x0a/"; http.header; content:"Referer"; http.connection; content:"Keep-Alive"; reference:md5,b6796c1e9e454517c14da454c23c0ef5; classtype:command-and-control; sid:2036962; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_10;)'
2024-06-28T09:37:06-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_uri in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaBackdoor Variant CnC Activity M4"; flow:established,to_server; urilen:36; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; content:!"&"; http.cookie; content:"group="; depth:6; isdataat:!2,relative; fast_pattern; pcre:"/^\d$/R"; http.uri; pcre:"/^\/[a-z0-9]{32}\/\d\/$/i"; reference:url,twitter.com/lazyactivist192/status/1364668631460827142; reference:md5,8488d9be18308a7f4e83b7c39fc79d17; classtype:command-and-control; sid:2031673; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_25;)'
2024-06-28T09:37:06-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_start in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Cache-Control"; content:!"Pragma"; content:!"Referer"; content:!"User-Agent"; http.start; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:command-and-control; sid:2023083; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)'
2024-06-28T09:37:05-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_header in 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Fake 404 Credential Phish Landing Page"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-Powered-By: PHP"; http.header; content:"PHPSESSID="; startswith; file.data; content:"<title>404 Not Found</title><p>The requested URL was not found on this server.</p>"; fast_pattern; reference:url,github.com/phish-report/IOK; classtype:credential-theft; sid:2038494; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_11, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_08_11;)'
2024-06-28T09:37:04-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_uri in 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; http.uri; content:"/changeDefaultAmazonPassword?"; fast_pattern; content:"loginName="; distance:0; content:"newUserPassword="; http.cookie; content:"STATE_COOKIE="; reference:url,srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html; reference:cve,2021-44515; classtype:attempted-admin; sid:2034958; rev:1; metadata:attack_target Server, created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_24;)'
Thanks in advance!
Mike K
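Each of the warning lines above names a sticky buffer (http_method, http_uri, http_header, http_start) together with the full text of one rule that sets that buffer more than once; for example the first rule contains `http.method; content:"POST"; http.method; content:"POST";` and the second contains `http.uri; content:"/fmicode/"; ... http.uri; content:".php";`. When a ruleset update produces dozens of these, it helps to reduce them to a short list of affected sids and buffers before deciding what to do with them. The script below is an added example written for this thread; it is not part of the post and not OPNsense or Suricata code. It parses warning lines in the format shown above, extracts the buffer name, sid and msg, and independently re-checks the quoted rule body to confirm that the named buffer really is set twice. The sample log is constructed: two of the post's rules trimmed for length plus one non-matching line.

```python
"""Triage Suricata 'duplicate instance for <buffer>' warnings.

Added example (not from the post, OPNsense or Suricata). Parses the warning
lines, pulls out the sticky buffer name and the rule's sid/msg, and re-checks
each rule body for a sticky buffer that is set more than once.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample log: two of the post's warnings with the rule bodies
# trimmed for length, plus a non-matching line the parser should skip.
SAMPLE_LOG = """\
2024-06-28T09:37:07-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_method in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-10-11"; flow:established,to_server; http.method; content:"POST"; http.method; content:"POST"; http.uri; content:"//pages/"; fast_pattern; sid:2039165; rev:1;)'
2024-06-28T09:37:07-04:00 Warning suricata [100190] <Warning> -- duplicate instance for http_uri in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-06-21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fmicode/"; startswith; fast_pattern; http.uri; content:".php"; sid:2037048; rev:1;)'
2024-06-28T09:37:08-04:00 Notice suricata [100190] <Notice> -- (constructed non-matching line)
"""

WARNING_RE = re.compile(r"duplicate instance for (?P<buffer>\S+) in '(?P<rule>.*)'\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')
# Sticky buffers in current rule syntax are bare dotted keywords: http.method, file.data, ...
STICKY_RE = re.compile(r"^[a-z_]+\.[a-z_]+$")


def split_rule_options(rule: str) -> list[str]:
    """Return the option tokens of a rule, splitting on ';' only outside double quotes."""
    start, end = rule.find("("), rule.rfind(")")
    body = rule[start + 1:end] if start != -1 and end > start else rule
    options, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                options.append(tok)
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    if tail:
        options.append(tail)
    return options


def repeated_sticky_buffers(rule: str) -> dict[str, int]:
    """Map each sticky buffer that `rule` sets more than once to its count."""
    counts = Counter(opt for opt in split_rule_options(rule) if STICKY_RE.match(opt))
    return {buf: n for buf, n in counts.items() if n > 1}


def parse_duplicate_warnings(log_text: str) -> list[dict]:
    """Extract buffer, sid and msg from each 'duplicate instance' warning line."""
    found = []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        rule = m.group("rule")
        sid = SID_RE.search(rule)
        msg = MSG_RE.search(rule)
        # The warning spells the buffer with '_' while the rule uses '.'.
        repeated = {b.replace(".", "_") for b in repeated_sticky_buffers(rule)}
        found.append({
            "buffer": m.group("buffer"),
            "sid": sid.group(1) if sid else None,
            "msg": msg.group(1) if msg else None,
            "confirmed": m.group("buffer") in repeated,
        })
    return found


def summarize(log_text: str) -> dict:
    """Count warnings per buffer and list affected sids for a quick triage view."""
    hits = parse_duplicate_warnings(log_text)
    return {
        "per_buffer": dict(Counter(h["buffer"] for h in hits)),
        "sids": sorted(h["sid"] for h in hits if h["sid"]),
        "all_confirmed": all(h["confirmed"] for h in hits),
    }


if __name__ == "__main__":
    for hit in parse_duplicate_warnings(SAMPLE_LOG):
        print(f"sid {hit['sid']} repeats {hit['buffer']} "
              f"(confirmed={hit['confirmed']}): {hit['msg']}")
    print(summarize(SAMPLE_LOG))
```

Run it against the real log (for example by reading the file instead of `SAMPLE_LOG`) to get the list of sids that the ruleset update flagged; the `confirmed` field separates rules whose quoted text really repeats a buffer from any line the regexes matched loosely. The tokenizer deliberately honours double quotes so that `content:` and `pcre:` payloads containing `;` do not break the option split.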