Suricata rule load errors: abuse.ch/URLhaus

Started by opleiki, July 28, 2020, 05:26:54 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 28, 2020, 05:26:54 AM
I'm seeing these errors lateley:

Oct 18 00:01:57 haanjdj suricata[20436]: [100108] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected"; flow:established,from_client; content:"GET"; http_method; content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"; http_uri; depth:36; isdataat:!1,relative; content:"artopinvest.ro"; http_host; depth:14; isdataat:!1,relative; metadata:created_at 2019_10_11; reference:url, urlhaus.abuse.ch/url/243894/; classtype:trojan-activity;sid:81106994; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 1783

They always involve the abuse.ch.urlhaus.rules file. I have compared the faulty entries, and I believe the problem to be the pipe symbol ('|') in for example the entry 'content:"/wp-content/gmi97ucro9sv7to01wm6gb|/"'; it shouldn't be there.

Is this an upstream problem that should be reported there, or is this something that should be dealt with within Opnsense?
July 28, 2020, 06:58:57 AM #1
You can tweet this link to urlhaus abuse.ch Twitter account so they can have a look
Print
Go Up Pages1
User actions