OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • error in Suricata
« previous next »
  • Print
Pages: [1]

Author Topic: error in Suricata  (Read 3556 times)

kapara

  • Jr. Member
  • **
  • Posts: 97
  • Karma: 3
    • View Profile
error in Suricata
« on: November 24, 2018, 04:56:59 am »
Saw this error message in Suricata.  Is this something I can just ignore or is this pointing to a problem?  Currently have 8.8.8.8 and 8.8.4.4 as my primary dns entries in the firewall.

OPNsense suricata: [100208] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/url=http://sietepuntocero.com.ar/en_us/messages/112018|26|data=02|01|kbesic@pella.com|17810e138c1d413ab8a108d64a6df3be|a66b0f6bd9534f0995b75213bd230c18|0|0|636778233436312957|26|sdata=bdjpihczaitno2gt/kt/9owjxappq2frvcm5id4tppe=|26|reserved=0"; http_uri; depth:243; isdataat:!1,relative; content:"na01.safelinks.protection.outlook.com"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2018_11_14; reference:url, urlhaus.abuse.ch/url/80452/; classtype:trojan-activity;sid:80943552; rev:1;)^M" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 4007

Logged

dalybrian

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Re: error in Suricata
« Reply #1 on: May 18, 2019, 06:27:15 pm »
I'm seeing a similar issue. Is there is a fix/patch for this error?

I have IPS Mode and Promiscuous Mode enabled with Pattern Matcher = Hyperscan only on WAN Interface.

OPNsense Versions :
OPNsense 19.1.7-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

Suricata Log :
May 18 12:16:00   
OPNsense suricata: [100725] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO WEB_SPECIFIC_APPS Apache Tomcat CVE-2016-6816 Security Bypass Attempt"; flow:established,to_server; content:"GET"; http_method; content:"|7b 7b 25 7d 7d|"; http_uri; fast_pattern; content:"|5c|="; http_uri; distance:0; pcre:"/^\/[^\x7b]+\x7b{2}[^\x7d]+\x7d{2}[^\x5c]+\x5c=/U"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,vuldb.com/?id.93797; classtype:web-application-attack; sid:2828954; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2017_12_15;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_specific_apps.rules at line 45
Logged

hbc

  • Hero Member
  • *****
  • Posts: 501
  • Karma: 47
    • View Profile
Re: error in Suricata
« Reply #2 on: May 19, 2019, 12:22:19 am »
It is an error in the rules file. Has to be fixed by the provider of the rule set. Maybe the rules are not compatible with your suricata version.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Intrusion Detection and Prevention »
  • error in Suricata
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2