Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
error in Suricata
« previous
next »
Print
Pages: [
1
]
Author
Topic: error in Suricata (Read 3562 times)
kapara
Jr. Member
Posts: 97
Karma: 3
error in Suricata
«
on:
November 24, 2018, 04:56:59 am »
Saw this error message in Suricata. Is this something I can just ignore or is this pointing to a problem? Currently have 8.8.8.8 and 8.8.4.4 as my primary dns entries in the firewall.
OPNsense suricata: [100208] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/url=http://sietepuntocero.com.ar/en_us/messages/112018|26|data=02|01|kbesic@pella.com|17810e138c1d413ab8a108d64a6df3be|a66b0f6bd9534f0995b75213bd230c18|0|0|636778233436312957|26|sdata=bdjpihczaitno2gt/kt/9owjxappq2frvcm5id4tppe=|26|reserved=0"; http_uri; depth:243; isdataat:!1,relative; content:"na01.safelinks.protection.outlook.com"; http_host; depth:37; isdataat:!1,relative; metadata:created_at 2018_11_14; reference:url, urlhaus.abuse.ch/url/80452/; classtype:trojan-activity;sid:80943552; rev:1;)^M" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 4007
Logged
dalybrian
Newbie
Posts: 1
Karma: 0
Re: error in Suricata
«
Reply #1 on:
May 18, 2019, 06:27:15 pm »
I'm seeing a similar issue. Is there is a fix/patch for this error?
I have IPS Mode and Promiscuous Mode enabled with Pattern Matcher = Hyperscan only on WAN Interface.
OPNsense Versions :
OPNsense 19.1.7-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019
Suricata Log :
May 18 12:16:00
OPNsense suricata: [100725] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO WEB_SPECIFIC_APPS Apache Tomcat CVE-2016-6816 Security Bypass Attempt"; flow:established,to_server; content:"GET"; http_method; content:"|7b 7b 25 7d 7d|"; http_uri; fast_pattern; content:"|5c|="; http_uri; distance:0; pcre:"/^\/[^\x7b]+\x7b{2}[^\x7d]+\x7d{2}[^\x5c]+\x5c=/U"; metadata: former_category WEB_SPECIFIC_APPS; reference:url,vuldb.com/?id.93797; classtype:web-application-attack; sid:2828954; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, deployment Perimeter, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2017_12_15;)" from file /usr/local/etc/suricata/opnsense.rules/emerging-web_specific_apps.rules at line 45
Logged
hbc
Hero Member
Posts: 501
Karma: 47
Re: error in Suricata
«
Reply #2 on:
May 19, 2019, 12:22:19 am »
It is an error in the rules file. Has to be fixed by the provider of the rule set. Maybe the rules are not compatible with your suricata version.
Logged
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
error in Suricata