Problem starting IPS because of bad rules from urlhaus

Started by bitzap, September 21, 2020, 03:29:02 PM

Hi all,

I just want to inform you that in the current (21.9.2020 15:00 CEST) abuse.ch/URLhaus rules there is a bug which prevents the IPS from starting :o

[100151] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (510560)"; flow:established,from_client; content:"GET"; http_method; conte" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 73508

OPNsense 20.7.2-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
OpenSSL 1.1.1g 21 Apr 2020
CPU Type: AMD G-T40N Processor (2 cores)

Just ping them via Twitter or their support contact; they can fix it really fast.

I found the problem in my setup.
In the past 10 days there has been a huge number of new submissions to URLhaus, which results in a big increase in rules (from 30000 to 160000) :o https://urlhaus.abuse.ch/statistics/
My hardware (APU, 2 GB RAM) was probably too poor in performance to load all rules in a reasonable time.
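Both of the problems above (a single truncated signature that aborts the engine, and a ruleset that has grown far beyond what the box used to load) are easy to spot before restarting the IPS. The script below is an added example, not code from the thread or from OPNsense/Suricata: it counts the rules in a Suricata rules file and flags lines that cannot be a complete signature (no closing `)`, an unclosed quoted string, options not terminated by `;`, or no `sid`). The sample rules embedded in it are constructed; rule 2 is deliberately cut off in the same way as the signature in the error message, and the `sid` values are made up.

```python
"""Lint a Suricata rules file for signatures that will not parse.

Added example, not part of the forum thread or of OPNsense/Suricata.
Suricata refuses to start on a single bad signature
(SC_ERR_INVALID_SIGNATURE), so the point is to find the offending
line (and see how many rules a file carries) before restarting IPS.
The check is structural only; it does not understand every keyword.
"""
import re
import sys

# Constructed sample. Rule 2 is cut off mid-option ("conte"), mirroring the
# truncated signature quoted in the thread; rule 3 has an unclosed msg string.
# The sid values are hypothetical.
SAMPLE_RULES = """\
# URLhaus sample (constructed)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (example 1)"; flow:established,from_client; content:"GET"; http_method; content:"/example/path.exe"; http_uri; sid:1000001; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"URLhaus Known malware download URL detected (example 2)"; flow:established,from_client; content:"GET"; http_method; conte
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"unbalanced quote example; content:"GET"; http_method; sid:1000003; rev:1;)
"""

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')


def check_rule(line):
    """Return None if the rule looks parseable, otherwise a short reason."""
    m = HEADER_RE.match(line)
    if not m:
        return "not a complete 'action proto src sport dir dst dport (...)' rule"
    opts = m.group("opts")
    # An odd number of unescaped double quotes means a string was never closed.
    if len(re.findall(r'(?<!\\)"', opts)) % 2:
        return "unbalanced quote in options"
    if not opts.rstrip().endswith(";"):
        return "options do not end with ';'"
    if not SID_RE.search(opts):
        return "missing sid"
    return None


def lint_rules(text):
    """Return (rule_count, problems); problems is a list of (lineno, reason, snippet)."""
    count = 0
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        count += 1
        reason = check_rule(line)
        if reason:
            problems.append((lineno, reason, line[:80]))
    return count, problems


if __name__ == "__main__":
    # Usage: python lint_rules.py /usr/local/etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    count, problems = lint_rules(text)
    print(f"{count} rules, {len(problems)} problem(s)")
    for lineno, reason, snippet in problems:
        print(f"line {lineno}: {reason}\n    {snippet}")
```

Run it against the downloaded rules file to get the offending line number directly, and note the rule count: a jump from tens of thousands to well over a hundred thousand rules is the first thing to check when Suricata stops fitting into memory on a small appliance.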

I have an APU2D4 with 4 GB of RAM and cannot start Suricata unless I disable abuse.ch/URLhaus.

I have reloaded that rule several times over a couple of days, and when launching Suricata my memory load goes up to around 95% and after a long time Suricata is down. I have tried both Aho-Corasick and Hyperscan, but it is no longer possible to load URLhaus. Maybe if I disable some or all other rules, but they are not optional.

This used to work in the past, and I do not know if it is only a matter of the list having grown or if the new Suricata 5 is playing a role.

Maybe it is possible to stop some services during the 25 minutes Suricata takes to load the rules, and when Suricata is launched and the memory load goes down a bit, the stopped services could be started?

That is not a good workaround, since reloading rules should be non-interactive and scheduled.