Suricata rule load errors: abuse.ch/URLhaus

Started by dinguz, October 18, 2019, 07:42:53 PM

October 18, 2019, 07:42:53 PM Last Edit: October 22, 2019, 07:22:43 PM by dinguz
I'm seeing these errors lately:

Oct 18 00:01:57 haanjdj suricata[20436]: [100108] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"; http_uri; depth:36; isdataat:!1,relative; content:"artopinvest.ro"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_11; reference:url, urlhaus.abuse.ch/url/243894/; classtype:trojan-activity;sid:81106994; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 1783

They always involve the abuse.ch.urlhaus.rules file. I have compared the faulty entries, and I believe the problem to be the pipe symbol ('|') in for example the entry 'content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"'; it shouldn't be there.

Is this an upstream problem that should be reported there, or is this something that should be dealt with within Opnsense?
In theory there is no difference between theory and practice. In practice there is.
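Background on the error quoted above, and an added example that is not part of this thread, of Suricata, or of OPNsense: inside a Suricata `content:"..."` string the `|` character is not a literal, it opens or closes a hex block such as `|0d 0a|`, so a single pipe in a URL path leaves an unclosed hex block and the whole signature fails to parse with `SC_ERR_INVALID_SIGNATURE`. A literal pipe has to be written as its byte value, `|7C|`. The script below lints a rules file for exactly this defect and rewrites the offending content strings; the sample rule set it runs on is constructed here (the first rule is the one from the log line above, the other two are invented well-formed rules with sids in the 9000000 range), and the file path in the usage note is assumed.

```python
"""Lint Suricata rules for unbalanced '|' in content strings.

Added example for this thread; not code from Suricata, OPNsense or abuse.ch.
In Suricata rule syntax '|' delimits a hex block inside content:"...",
so a lone literal pipe (as in "/wp-content/gmi97ucro9sv7to01wm6gb|/")
is a parse error.  A literal pipe must be written as |7C|.
"""
import re
from typing import List, Optional, Tuple

# The quoted argument of a content keyword; Suricata allows \" \; \\ escapes inside it.
CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)')
HEX_BLOCK_RE = re.compile(r'^[0-9A-Fa-f\s]*$')

# Constructed sample: line 2 is the rule from the error message above,
# lines 3 and 4 are invented, well-formed rules (hex block, escaped pipe).
SAMPLE_RULES = """\
# constructed sample rules file
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"; http_uri; depth:36; isdataat:!1,relative; content:"artopinvest.ro"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_11; reference:url, urlhaus.abuse.ch/url/243894/; classtype:trojan-activity;sid:81106994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed: hex block"; content:"User-Agent|3a 20|curl"; http_header; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed: literal pipe escaped"; content:"/path/a|7C|b"; http_uri; sid:9000002; rev:1;)
"""


def pipe_problem(content: str) -> Optional[str]:
    """Return a reason if the '|' usage in a content string is invalid, else None."""
    parts = content.split('|')
    if len(parts) % 2 == 0:  # odd number of pipes: a hex block was opened but never closed
        return 'odd number of "|" (unclosed hex block)'
    # Every odd-indexed part sits between two pipes and must be whole hex bytes.
    for hexpart in parts[1::2]:
        digits = re.sub(r'\s', '', hexpart)
        if not HEX_BLOCK_RE.match(hexpart) or len(digits) % 2:
            return f'non-hex data inside |...|: {hexpart!r}'
    return None


def literalize_pipes(content: str) -> str:
    """Rewrite every '|' as the hex escape |7C|.

    Only valid when the pipes are known to be literal characters, which is the
    case for a URL path copied from a feed such as URLhaus."""
    return content.replace('|', '|7C|')


def lint_rules(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, sid, reason) for every rule with a bad content string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        sid_m = SID_RE.search(line)
        sid = sid_m.group(1) if sid_m else '?'
        for content in CONTENT_RE.findall(line):
            reason = pipe_problem(content)
            if reason:
                findings.append((lineno, sid, reason))
    return findings


def fix_rule(line: str) -> str:
    """Return the rule with offending content strings rewritten via literalize_pipes."""
    def repl(m: re.Match) -> str:
        content = m.group(1)
        if pipe_problem(content):
            content = literalize_pipes(content)
        return f'content:"{content}"'
    return CONTENT_RE.sub(repl, line)


if __name__ == '__main__':
    for lineno, sid, reason in lint_rules(SAMPLE_RULES):
        print(f'line {lineno} sid {sid}: {reason}')
```

To run it against the real feed, read `/usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules` (the path from the log line) into `lint_rules`. The authoritative check is still Suricata's own parser: `suricata -T -c <suricata.yaml> -S <rules file>` loads the signature file in test mode and reports the same `SC_ERR_INVALID_SIGNATURE` lines without starting the engine; the location of `suricata.yaml` on an OPNsense box is not given in this thread, so substitute your own.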

Hi,

This should be reported upstream, I think.


5.0.1 should be due this November, we try to pick it up and release Suricata 5 to the production track at the same time. So whatever gets reported upstream will be in the update sooner. :)


Cheers,
Franco

I haven't found a possibility to file a bug. I contacted them by mail. Hopefully it gets fixed.

wow, those guys are quick. Got a short response, should be solved. Can anyone test?