Suricata rules failed #10076
Suricata rules failed
#10076
Replies: 1 comment
-
|
Are those |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Currently I am running securityonion 2.3.130 in that suricata version is 6.0.5. One week before everything was working fine but two days back I saw my alerts page in securityonion dashboard was not showing any alerts.
After checking suricata logs I found some errors.
Errors:
31/3/2023 -- 04:08:36 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
31/3/2023 -- 04:08:36 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected" ; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset: 1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadat a:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:5;)" from file /etc/suricata/rules/all.rules at line 9544
31/3/2023 -- 04:08:36 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 11 smaller than content len 17
31/3/2023 -- 04:08:36 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection";
flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /etc/suricata/rules/all.rules at line 19846
31/3/2023 -- 04:08:36 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
31/3/2023 -- 10:32:59 - - 1 rule files processed. 10351 rules successfully loaded, 465 rules failed.
Please help me resolve this issue. Thank You
Beta Was this translation helpful? Give feedback.
All reactions