Suricata Error Parsing Signature in OPNsense

Started by MrHappyHippo, October 25, 2025, 01:54:37 PM

October 25, 2025, 01:54:37 PM Last Edit: October 25, 2025, 02:02:15 PM by MrHappyHippo
Type: opnsense-business    
Version: 25.10_2    
Architecture: amd64    
Commit: 89445f333    
Repositories: OPNsense (Priority: 11)    
Updated on: Thu Oct 23 18:59:03 CEST 2025


Hi,

I'm encountering an error in OPNsense related to Suricata, and I'm unsure where to report it or how to resolve it.
The error message I'm seeing is as follows:

[109203] <Error> -- error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO MALWARE TA399/Sidewinder StealerBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/MoFA/"; startswith; fast_pattern; pcre:"/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d.*\xw\x3d)?/R"; http.header_names; content:!"|0d 0a|user-agent|0d 0a|"; nocase; reference:md5,b55f692ccc11496e2772705060f3d9d2; classtype:trojan-activity; sid:2864929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2025_10_17, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag TA399, updated_at 2025_10_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name exfiltration_over_C2_channel;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-malware.rules at line 6545


This error was also logged:

suricata
[109203] <Error> -- pcre2 compile of "/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d.*\xw\x3d)?/R" failed at offset 35: digits missing after \x or in \x{} or \o{} or \N{U+}

This seems to be related to an issue with the parsing of a signature in the "emerging-malware.rules" file, specifically around the "Sidewinder StealerBot" CnC checkin detection.

Could anyone suggest where I should report this issue or if there's a specific fix I should apply? Is this a known problem with Suricata's signature parsing or OPNsense's Suricata implementation?

Thanks in advance for any help!
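A small pre-load check for this class of problem, added here as an example (it is not OPNsense or Suricata code): it pulls every pcre: option out of a rules file, splits off the trailing /flags, and tries to compile the pattern with Python's re module, reporting the sid of each rule whose pattern fails. The sample ruleset is constructed and only reuses the broken \xw escape from the post; Python's re is an approximation of PCRE2, and the assumption here is that a pattern Python rejects for a malformed \x escape is also rejected by Suricata, which is what the second log line shows (offset 35 in that message is the w following \x, where PCRE2 expects a hex digit).

```python
"""Lint the pcre: options of Suricata rules before Suricata loads them.

Added example, not OPNsense or Suricata code. Python's re module stands in
for PCRE2: it rejects the same malformed \\x escape as the error in the post,
but it is not a full PCRE2 implementation (assumption: a pattern that Python
accepts is only probably valid for Suricata; one it rejects deserves a look).
"""
import re

# Constructed sample rules (not the real emerging-malware.rules file);
# sid 9000002 carries the "\xw" escape from the error in the post.
SAMPLE_RULES = r'''
# comment lines and blank lines are skipped
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GOOD sample"; flow:established,to_server; http.uri; content:"/abc/"; pcre:"/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d)?/R"; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BAD sample"; flow:established,to_server; http.uri; content:"/MoFA/"; pcre:"/^[a-f0-9]{8}(?:\x3fe\x3d.*p\x3d.*\xw\x3d)?/R"; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"no pcre, nothing to check"; sid:9000003; rev:1;)
'''

# pcre:"/pattern/flags"; may be negated as pcre:!"...";  quotes inside the
# pattern are expected to be backslash-escaped.
PCRE_OPT = re.compile(r'pcre:!?"((?:[^"\\]|\\.)*)";')
SID_OPT = re.compile(r'\bsid:(\d+);')

# PCRE flags that Python's re understands. Suricata's buffer/relative flags
# (R, U, P, B, ...) do not change the pattern syntax and are ignored here.
FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def split_pcre(value):
    """Split Suricata's /pattern/flags form into (pattern, flags)."""
    if not value.startswith("/") or value.count("/") < 2:
        raise ValueError("pcre value is not in /pattern/flags form: %r" % value)
    last = value.rfind("/")
    return value[1:last], value[last + 1:]


def check_pattern(pattern, flags):
    """Return None if the pattern compiles, else the compiler's error message."""
    py_flags = 0
    for f in flags:
        py_flags |= FLAG_MAP.get(f, 0)
    try:
        re.compile(pattern, py_flags)
    except re.error as exc:
        return str(exc)
    return None


def lint_rules(text):
    """Return (line_no, sid, pattern, error) for every pcre option in a ruleset."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_OPT.search(line)
        sid = int(sid_match.group(1)) if sid_match else None
        for value in PCRE_OPT.findall(line):
            pattern, flags = split_pcre(value)
            findings.append((line_no, sid, pattern, check_pattern(pattern, flags)))
    return findings


def broken_sids(text):
    """Sids whose pcre option fails to compile, for a quick disable/report list."""
    return sorted({sid for _, sid, _, err in lint_rules(text) if err})


if __name__ == "__main__":
    for line_no, sid, pattern, err in lint_rules(SAMPLE_RULES):
        status = "OK " if err is None else "BAD"
        detail = f"  -> {err}" if err else ""
        print(f"{status} line {line_no} sid {sid}: /{pattern}/{detail}")
```

Run it against a downloaded ruleset (read the file into lint_rules instead of SAMPLE_RULES) before pushing it to the sensor; a sid that shows up as BAD is a candidate for a local disable entry until the upstream rule is corrected, since Suricata skips a rule it cannot parse rather than loading it partially.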