Project

General

Profile

Bug #9195 » system.log

P L, 12/13/2018 12:46 AM

 
1
tance:0; content:"form-data|3b 20|name=|22|cccount|22|"; http_client_body; nocase; distance:0; metadata: former_category TROJAN; reference:md5,72bcbfd1020d002d2e20e0707b8ef700; classtype:trojan-activity; sid:2025431; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment P
2
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
3
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 11"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; urilen:1; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Referer|0d 0a|User-Agent"; metadata: former_category TROJAN; reference:md5,d110be58537aa8420a9c25f4879ca77b; classtype:trojan-activity; sid:2025993; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_15, malware_family Sharik, malware_family Smoke_Loader, malware_family SmokeLoader, updated_at 2
4
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
5
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; http_user_agent; depth:64; fast_pattern; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; content:!"|00 00|"; depth:30; http_client_body; content:"|00 00|"; offset:34; depth:2; http_clie
6
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
7
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 26"; flow:established,to_server; stream_size:server,=,1; content:"|5a 95 2a 22 4d 37 9e 51 83 55 8f|"; depth: 11; metadata: former_category TROJAN; reference:md5,8f8d778bea33bc542b58c0631cf9d7e0; classtype:trojan-activity; sid:2026004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Remcos, signature_severity Major, created_at 2018_08_21, updated_at 2018_08_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12104
8
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
9
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26618
10
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
11
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|27|Agency Protocols Management of Internet"; distance:1; within:40; content:"|55 04 03|"; distance:0; content:"|0d|bestylish.com"; distance:1; within:14; fast_pattern; metadata: former_category TROJAN; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022209; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2015_12_02, malware_family Bancos, malware_family DarkTequila, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12106
12
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
13
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26624
14
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
15
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 26"; flow:established,to_server; dsize:<500; content:"|24 8a 91 18 92 bb 4b 55 39 bc ed|"; depth:11; fast_pattern; content:"|c5 de|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,81cecc440bd57a736ef6e473e77d5a1b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026016; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12108
16
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
17
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 27"; flow:established,to_server; dsize:<500; content:"|bf 9b b2 d8 b7 a9 86 78 26 d6 10|"; depth:11; fast_pattern; content:"|0e 24|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,5c52234cf35ab8d08b10fcc3c2a9d32b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12109
18
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
19
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 28"; flow:established,to_server; dsize:<500; content:"|ea 7f 70 7a 80 7c 4a a9 1b 68 8e|"; depth:11; fast_pattern; content:"|81 9c|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,29a0d1bc5abfbbf0bdf15ffa762cac27; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.htm; classtype:trojan-activity; sid:2026018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12110
20
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
21
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 29"; flow:established,to_server; dsize:<500; content:"|5e 0d 10 db 92 bf 73 6c 7d 6f 5d|"; depth:11; fast_pattern; content:"|67 04|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,5cb07299cedd69f096b09358754831e0; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12111
22
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
23
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 30"; flow:established,to_server; dsize:<500; content:"|81 29 6b 48 7f c7 22 ec 9b 9e b6|"; depth:11; fast_pattern; content:"|d8 95|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,63d36de591491d04071b4dc0a39d5fab; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12112
24
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
25
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns_query; content:"bigboss.x24hr.com"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_23, malware_family BISKVIT, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12113
26
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
27
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN MSIL/BISKVIT DNS Lookup (secured-links .org)"; dns_query; content:"secured-links.org"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_23, malware_family BISKVIT, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12114
28
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
29
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:trojan-activity; sid:2019202; rev:4; metadata:created_at 2014_09_22, updated_at 2014_09_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12116
30
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
31
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.FakeEzQ.kr Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"MyAgent"; isdataat:!1,relative; http_user_agent; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,7afebc844a3313eb2a89b3028fbba7a6; reference:url,otx.alienvault.com/pulse/5b8844d6db17df1779153624; classtype:trojan-activity; sid:2026071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_31, updated_at 2018_08_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12118
32
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
33
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:100<>325; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"/index.php"; http_uri; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"desktopad.com"; http_header; content:!"DriverUpdate"; http_header; content:!"act=bkw9"; http_uri; nocase; content:!"mydlink.com"; http_header; content:!"remocam.com"; http_host; metadata: former_category TROJAN; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019378; rev:13; metadata:created_at 2014_10_09, updated_at 2018_09_03;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/su
34
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
35
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:established, to_server; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26650
36
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
37
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/BanloadDownloader.XZY Retrieving Payload"; flow:to_server,established; content:"GET"; http_method; content:"/sosdoudou_V3/"; http_uri; fast_pattern; content:"WinHttp.WinHttpRequest"; http_user_agent; content:!"Accept-"; http_header; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:md5,98376de10118892f0773617da137c2be; reference:md5,599ea45f5420f948e0836239eb3ce772; classtype:trojan-activity; sid:2024499; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_26, malware_family Banload, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12127
38
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
39
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Suspected Monero Miner CnC Channel TXT Lookup"; dns_query; content:".c2kgw8jt5869nspr4.com"; fast_pattern; threshold:type limit, track by_src, count 1, seconds 300; metadata: former_category TROJAN; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:trojan-activity; sid:2026097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_05, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12128
40
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
41
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Suspected Monero Miner CnC Channel Secondary Domain Lookup"; dns_query; content:"mylog.icu"; threshold:type limit, track by_src, count 1, seconds 300; metadata: former_category TROJAN; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:trojan-activity; sid:2026098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_05, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12129
42
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
43
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Aura Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"{KIARA}"; http_user_agent; fast_pattern; content:"id="; http_client_body; depth:3; content:"&guid="; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_06, malware_family Aura, performance_impact Moderate, updated_at 2018_09_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12130
44
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
45
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Eredel Stealer CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?hwid="; http_uri; content:"&os="; http_uri; content:"&cookie="; http_uri; content:"&pswd="; http_uri; fast_pattern; content:"&telegram="; http_uri; content:"&version=v"; http_uri; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,4b5e27e843e1b26aedec66f9e87c9960; classtype:trojan-activity; sid:2025982; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_17, malware_family Eredel, performance_impact Moderate, updated_at 2018_08_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12131
46
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
47
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"WAIT|20|"; depth:15; content:"CERT|20|"; fast_pattern; distance:0; within:20; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/RQi"; metadata: former_category TROJAN; reference:md5,20148e48668cb5e0b22d437ee0443cfe; reference:url,research.checkpoint.com/ramnits-network-proxy-servers/; classtype:trojan-activity; sid:2026113; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_14, malware_family Ramnit, performance_impact Low, updated_at 2018_09_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12133
48
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
49
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x57|5c|x53|5c|x63|5c|x72|5c|x69|5c|x70|5c|x74|5c|x2E|5c|x53|5c|x68|5c|x65|5c|x6C|5c|x6C"; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, signature_severity Major, created_at 2018_09_20, malware_family Xbash, performance_impact Low, updated_at 2018_09_20;)" from file /usr/local/etc
50
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
51
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded PowerShell Args Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x70|5c|x6F|5c|x77|5c|x65|5c|x72|5c|x73|5c|x68|5c|x65|5c|x6C|5c|x6C|5c|x2E|5c|x65|5c|x78|5c|x65"; content:"|5c|x2D|5c|x65|5c|x78|5c|x65|5c|x63|5c|x75|5c|x74|5c|x69|5c|x6F|5c|x6E|5c|x70|5c|x6F|5c|x6C|5c|x69|5c|x63|5c|x79|5c|x20|5c|x62|5c|x79|5c|x70|5c|x61|5c|x73|5c|x73"; distance:0; fast_pattern; content:"|5c|x2D|5c|x77|5c|x69|5c|x6E|5c|x64|5c|x6F|5c|x77|5c|x73|5c|x74|5c|x79|5c|x6C|5c|x65|5c|x20|5c|x68|5c|x69|5c|x64|5c|x64|5c|x65|5c|x6E"; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:20
52
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
53
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x73|5c|x79|5c|x73|5c|x74|5c|x65|5c|x6D|5c|x2E|5c|x6E|5c|x65|5c|x74|5c|x2E|5c|x77|5c|x65|5c|x62|5c|x63|5c|x6C|5c|x69|5c|x65|5c|x6E|5c|x74|5c|x29|5c|x2E|5c|x64|5c|x6F|5c|x77|5c|x6E|5c|x6C|5c|x6F|5c|x61|5c|x64|5c|x66|5c|x69|5c|x6C|5c|x65|5c|x28"; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Coinminer, tag Worm, tag Destructive, 
54
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
55
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Scarsi Variant CnC Activity"; flow:to_server,established; content:"/WP"; http_uri; content:".php"; distance:0; within:50; http_uri; isdataat:!1,relative; content:"Content-Length|3a 20|"; http_header; byte_test:1,>,0x30,0,relative; content:!"Referer|3a 20|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|3b| Charset=UTF-8|0d 0a|"; http_header; fast_pattern:44,20; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/Ui"; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/Psi"; metadata: former_category TROJAN; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:trojan-activity; sid:2024758; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, performance_impact Low, updated
56
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
57
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MS_D0wnl0ad3r Screenshot Upload"; flow:to_server,established; content:"POST"; http_method; content:"boundary=MS_D0wnl0ad3r"; http_header; metadata: former_category TROJAN; reference:md5,f40248a592ed711d95eb8b48b31a1ed8; classtype:trojan-activity; sid:2026361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_24, malware_family Downloader, updated_at 2018_09_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12150
58
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
59
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Reaper (APT37) DNS Lookup (kmbr1 .nitesbr1 .org)"; dns_query; content:"kmbr1.nitesbr1.org"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:trojan-activity; sid:2026432; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT37, tag Reaper, signature_severity Major, created_at 2018_10_01, malware_family Final1stspy, malware_family DOGCALL, performance_impact Low, updated_at 2018_10_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12156
60
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
61
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Final1stspy CnC Checkin (Reaper/APT37 Stage 1 Payload)"; flow:established,to_server; content:"GET"; http_method; content:".php?MachineId="; http_uri; content:"&InfoSo="; http_uri; distance:0; content:"&Index="; http_uri; distance:0; content:"&Account="; http_uri; distance:0; content:"&List="; http_uri; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/RUi"; content:"Host|20|Process|20|Update"; http_user_agent; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:trojan-activit
62
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
63
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server;stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; metadata: former_category TROJAN; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:trojan-activity; sid:2026433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_02, malware_family Remcos, updated_at 2018_10_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12158
64
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
65
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; content:"GET"; http_method; content:"client?mac_address="; http_uri; content:"&agent_id="; http_uri; distance:0; content:"agent_file_version"; content:"cpprestsdk/"; http_user_agent; fast_pattern; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:trojan-activity; sid:2026435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_04, malware_family ActiveAgent, updated_at 2018_10_04;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12159
66
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
67
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.YordanyanActiveAgent Generic CnC Pattern"; flow:established,to_server; content:"/rest/v"; http_uri; content:"/clients/client?"; http_uri; distance:0; content:"&agent_id="; http_uri; distance:0; fast_pattern; content:!"Mozilla"; http_user_agent; content:!"Referer"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:trojan-activity; sid:2026436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_04, malware_family ActiveAgent, updated_at 2018_10_04;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12160
68
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
69
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=www.windowsdriversupd.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:trojan-activity; sid:2026467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_10, malware_family Gadwats, performance_impact Low, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12168
70
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
71
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=www.windowswsusonline.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:trojan-activity; sid:2026468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_10, malware_family Gadwats, performance_impact Low, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12169
72
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
73
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any  (msg:"ET TROJAN [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)"; flow:from_server,established; dsize:11; content:"DOWNLOAD1|0d 0a|"; depth:11; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12172
74
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
75
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kraken Ransomware Start Activity 1"; flow:established,to_server; content:!"."; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; content:"-"; offset:2; depth:1; http_user_agent; content:"|3a|Begin"; distance:0; http_user_agent; isdataat:!1,relative; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/V"; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_11, malware_family Kraken_Ransomware, performance_impact Moderate, updated_at 2018_10_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at li
76
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
77
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kraken Ransomware End Activity"; flow:established,to_server; content:!"."; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; content:"-"; offset:2; depth:1; http_user_agent; content:"|3a|End"; distance:0; http_user_agent; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/V"; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_11, malware_family Kraken_Ransomware, performance_impact Moderate, updated_at 2018_10_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12175
78
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
79
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 3d 66|"; depth:11; metadata: former_category TROJAN; reference:md5,f9dbf2c028d3ad58328c190a6adb3301; classtype:trojan-activity; sid:2026509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12191
80
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
81
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 35 bb|"; depth:11; metadata: former_category TROJAN; reference:md5,8e99866b89e9349c21b34e6575f2412f; classtype:trojan-activity; sid:2026510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12192
82
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
83
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; metadata: former_category TROJAN; reference:md5,24bf188785e18db8fcb7dfa50363b3f5; classtype:trojan-activity; sid:2026511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12193
84
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
85
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 b5 91|"; depth:11; metadata: former_category TROJAN; reference:md5,98a010ad867f4c36730cc6a87c94528c; classtype:trojan-activity; sid:2026512; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12194
86
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
87
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; metadata: former_category TROJAN; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:trojan-activity; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12195
88
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
89
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".online"; http_host; isdataat:!1,relative; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12196
90
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
91
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".club"; http_host; fast_pattern; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12197
92
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
93
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Fake 404 Response"; flow:established,to_client; content:"200"; http_stat_code; flowbits:isset,ET.xls.dde.drop; file_data; content:"<h1>404 Not Found</h1><span>The resource requested could not be found on this server!</span>"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12198
94
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
95
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.live)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".live|0d 0a|Conne"; http_header; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_17, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12199
96
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
97
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/imageload.cgi"; fast_pattern; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/Ps"; metadata: former_category TROJAN; reference:md5,40ebefdec6870263827ce6425702e785; classtype:trojan-activity; sid:2026517; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Locky, signature_severity Major, created_at 2018_10_17, updated_at 2018_10_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12201
98
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
99
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; metadata: former_category TROJAN; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_18, malware_family CaratRAT, performance_impact Low, updated_at 2018_10_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12203
100
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
101
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zebrocy Backdoor CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php?"; http_uri; content:"Mozilla v5.1 (Windows NT 6.1|3b 20|rv|3a|6.0.1) Gecko/20100101 Firefox/6.0.1"; http_user_agent; fast_pattern; content:"%0D%0AHost%20Name|3a|"; http_client_body; pcre:"/^(?:\d{1,3}\.)\d{1,3}$/W"; metadata: former_category TROJAN; reference:md5,961e79a33f432ea96d2c8bf9eb010006; classtype:trojan-activity; sid:2026527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Zebrocy, signature_severity Major, created_at 2018_10_19, updated_at 2018_10_19;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12204
102
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
103
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/"; http_uri; depth:9; content:"/true/true/done"; http_uri; distance:0; fast_pattern; isdataat:!1,relative; content:"WinHttp.WinHttpRequest."; http_user_agent; http_header_names; content:"Referer"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag VBS, signature_severity Major, created_at 2018_10_24, malware_family Sidewinder, performance_impact Low, updated_at 20
104
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
105
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA CnC Domain Observed in SNI (samwinchester .club)"; flow:established,to_server; tls_sni; content:"samwinchester.club"; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026546; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12206
106
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
107
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/api/hazard/"; http_uri; depth:12; fast_pattern; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; threshold:type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026547; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performa
108
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
109
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Response M1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"common|20|soon"; depth:11; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026548; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12208
110
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
111
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Response M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"loub"; depth:4; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026549; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12209
112
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
113
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA Sending JPG Screenshot to CnC with .his Extension"; flow:established,to_server; content:"POST"; http_method; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; content:"name=|22|kerna|22 3b 20|filename"; http_client_body; fast_pattern; content:".his|22 0d 0a|"; http_client_body; distance:0; within:20; content:"|0d 0a 0d 0a ff d8 ff|"; http_client_body; distance:0; content:"JFIF"; http_client_body; distance:0; within:15; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026550; rev:1; metadata:affected_product Windo
114
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
115
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version"; flow:established,to_server; content:"POST"; http_method; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; content:"|3a|1.0.2|0d 0a 2d 2d 2d 2d 2d|"; http_client_body; fast_pattern; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; threshold:type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026551; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major
116
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
117
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible APT28 DOC Uploader SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_serial; content:"03:04:FF:5D:C9:BB:AC:50:C1:7B:3E:4C:1C:68:26:15:F0:3E"; tls_cert_subject; content:"CN=mvtband.net"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category TROJAN; reference:md5,9b10685b774a783eabfecdb6119a8aa3; classtype:trojan-activity; sid:2026539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT28, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12212
118
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
119
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible DarkTequila SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_serial; content:"00:ED"; tls_cert_subject; content:"C=US, ST=OH, O=International Security Depart, CN=the-ebooks-store.com/emailAddress=contact@infws.com"; tls_cert_issuer; content:"O=International Security Depart, emailAddress=contact@infws.com, L=Greater Cleveland, ST=OH, C=US, CN=International Security Depart Ca"; metadata: former_category TROJAN; reference:md5,9fbdc5eca123e81571e8966b9b4e4a1e; classtype:trojan-activity; sid:2026540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DarkTequila, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12213
120
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
121
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware Initial Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:".php?check"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^\/d[0-9]?\.php\?check$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_seve
122
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
123
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Server Request"; flow:established,to_server; content:"GET"; http_method; content:".php?servers"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^\/d[0-9]?\.php\?servers$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity
124
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
125
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Server Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:".php?check="; http_uri; fast_pattern; pcre:"/^\/[a-z]\.php\?check=[a-f0-9]{32}$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Ma
126
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
127
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php?query="; http_uri; fast_pattern; content:"eyJpZCI6"; http_client_body; pcre:"/^\/[a-z]\.php\?query=[a-f0-9]{32}$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_content_type; content:"multipart/form-data|3b|"; http_protocol; content:"HTTP/1.0"; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Major, created_at 2018_10_24, 
128
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
129
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Sharik/Smoke Fake 404 Response with Payload Location"; flow:established,from_server; content:"404"; http_stat_code; file_data; content:"|00 00|Location|3a 20|"; depth:12; fast_pattern; metadata: former_category TROJAN; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026556; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Fake_404, signature_severity Major, created_at 2018_10_25, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, updated_at 2018_10_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12218
130
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
131
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Requesting Redirect/Inject List"; flow:established,to_server; content:"GET"; http_method; content:"/red/info.php"; http_uri; depth:13; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/surica
132
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
133
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"REDIR|3b|"; depth:6; content:"|7c 2d 7c|http"; distance:0; within:50; fast_pattern; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026563; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12220
134
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
135
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Receiving Exit Instruction"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"EXIT|3b|"; depth:5; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12221
136
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
137
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrueBot/Silence.Downloader CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|C|3a 5c|"; http_client_body; content:".DAT|22 3b 0d 0a|"; http_client_body; distance:0; content:"|0d 0a|Host Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; content:"|0d 0a|OS Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; content:"|0d 0a|OS Version|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity
138
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
139
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrueBot/Silence.Downloader Keep-Alive"; flow:established,to_server; content:"GET"; http_method; content:".php?dns="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{8}$/RUs"; http_header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026560; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_29, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12223
140
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
141
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.BackNet Checkin"; flow:established,to_server; content:"POST"; http_method; content:"data=%7B%22host_key%22%3A%22"; http_client_body; depth:28; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,aebb382b54e1521ad1309f66d29a1d1c; classtype:trojan-activity; sid:2026572; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_02, malware_family Stealer, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12226
142
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
143
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Lordix Stealer Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php?hw="; http_uri; content:"&ps="; http_uri; distance:0; content:"&ck="; http_uri; distance:0; content:"&fl="; http_uri; distance:0; content:"log.txt"; http_client_body; content:"cookies/Chrome_Cookies.txt"; http_client_body; distance:0; fast_pattern; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026571; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, tag Stealer, signature_severity Major, created_at 2018_11_02, malware_family Lordix, performance_impact Low, updated_at 
144
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
145
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?anti="; http_uri; content:"&cliname="; http_uri; distance:0; fast_pattern; http_accept; content:"*/*"; isdataat:!1,relative; http_accept_enc; content:"gzip, deflate"; isdataat:!1,relative; http_header_names; content:"User-Agent"; content:!"Cache"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,e15b3d2c39888fe459dc2d9c8dec331d; classtype:trojan-activity; sid:2026575; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rul
146
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
147
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten Shellcode Communicating with CnC"; flow:established,to_server; dsize:<150; content:"|16 03|"; depth:2; content:"|00|"; distance:1; within:1; content:"|01 00 00|"; distance:1; within:3; content:"|03|"; distance:1; within:1; content:"|5b e0 37|"; distance:1; within:3; fast_pattern; content:"|00|"; distance:0; content:"|00|"; distance:1; within:1; content:"|00|"; distance:1; within:1; threshold: type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,a60f127a06e5b3dcacd1ec346f7995c5; classtype:trojan-activity; sid:2026576; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33_CharmingKitten, tag Shellcode, signature_severity Major, created_at 2018_11_05, malware_family Shellcode, performan
148
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
149
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten Retrieving New Payload (flowbit set)"; flow:established,to_server; content:"GET"; http_method; content:"/images/static/content/"; http_uri; depth:23; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Cache"; content:!"Accept"; content:!"Referer"; flowbits:set,ET.APT33CharmingKitten.1; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_12_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12230
150
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
151
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT33/CharmingKitten Encrypted Payload Inbound"; flow:established,from_server; content:"200"; http_stat_code; content:"|0d 0a|CacheControl|3a 20|"; http_header; fast_pattern; file_data; pcre:"/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i"; flowbits:isset,ET.APT33CharmingKitten.1; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12231
152
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
153
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; metadata: former_category TROJAN; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:trojan-activity; sid:2026579; rev:1; metadata:attack_target Client_and_Server, deployment Perimeter, tag Perl, signature_severity Major, created_at 2018_11_05, malware_family Shellbot_SM, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12232
154
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
155
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; tls_cert_subject; content:"CN=new.young-spencer.com"; fast_pattern; metadata: former_category TROJAN; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_27, malware_family MICROPSIA, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12233
156
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
157
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1"; dns_query; content:"mynetwork.ddns.net"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026573; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12235
158
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
159
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2"; dns_query; content:"mypsh.ddns.net"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12236
160
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
161
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12237
162
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
163
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12238
164
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
165
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12239
166
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
167
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12240
168
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
169
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12241
170
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
171
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12242
172
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
173
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 12"; flow:established,to_server; content:"POST"; http_method; urilen:<6; content:"/"; http_uri; isdataat:!1,relative; content:!"."; http_uri; content:!"&"; http_uri; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; depth:2; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Host|0d 0a|Referer|0d 0a|User-Agent"; metadata: former_category TROJAN; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, cr
174
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
175
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12244
176
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
177
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12245
178
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
179
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ArrobarLoader CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"4RR0B4R 4 X0T4 D4 TU4 M4E"; http_user_agent; fast_pattern; content:"0"; http_client_body; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,3d7436bcf635a7e56a785c9d26ed3767; classtype:trojan-activity; sid:2026528; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loader, signature_severity Major, created_at 2018_02_07, malware_family ArrobarLoader, performance_impact Low, updated_at 2018_11_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12246
180
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
181
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.Kraken.v2 HTTP Pattern"; flow:established,to_server; content:"Kraken web request agent/"; http_user_agent; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,e1aee9ef64d71e0c9bb8eee9742efdef; reference:url,securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/; classtype:trojan-activity; sid:2026588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2018_11_09, malware_family Ransomware, malware_family Kraken_Ransomware, updated_at 2018_11_09;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12247
182
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
183
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; fast_pattern; metadata: former_category TROJAN; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_18, malware_family BlackCarat, performance_impact Low, updated_at 2018_11_12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12249
184
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
185
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkGate CNC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"id="; http_client_body; depth:3; content:"&data="; http_client_body; distance:0; content:"&action="; http_client_body; distance:0; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|Synapse|29|"; http_user_agent; isdataat:!1,relative; fast_pattern; flowbits:set,ET.DarkGate.1; http_protocol; content:"HTTP/1.0"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026629; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_11_19, malware_family DarkGate, performance
186
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
187
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkGate CnC Requesting Data Exfiltration from Bot"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"getbotdata"; depth:10; fast_pattern; isdataat:!1,relative; flowbits:isset,ET.DarkGate.1; metadata: former_category TROJAN; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_11_19, malware_family DarkGate, performance_impact Low, updated_at 2018_11_19;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12263
188
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
189
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SC.Backdoor/TeleRAT Checkin"; flow:to_server,established; content:".php?a="; http_uri; content:"&b="; http_uri; distance:0; content:"&c="; http_uri; distance:0; content:"Windows|20|"; http_uri; distance:0; fast_pattern; content:"&d="; http_uri; distance:0; content:"&e="; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,a1bdb1889d960e424920e57366662a59; classtype:trojan-activity; sid:2026641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_21, malware_family RAT, updated_at 2018_11_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12278
190
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
191
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN L0rdix Stealer CnC Sending Screenshot"; flow:established,to_server; content:"POST"; http_method; content:".php?h="; http_uri; fast_pattern; content:"&o="; http_uri; content:"&c="; http_uri; content:"&g="; http_uri; content:"&w="; http_uri; content:"&p="; http_uri; content:"&r="; http_uri; content:"&f="; http_uri; content:"&rm="; http_uri; content:"&d="; http_uri; content:"img="; http_client_body; depth:4; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026670; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_28, malware_family L0rdix, performance_impact
192
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
193
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN L0rdix Stealer CnC Data Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php?hw="; http_uri; fast_pattern; content:"&ps="; http_uri; content:"&ck="; http_uri; content:"&fl="; http_uri; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_28, malware_family L0rdix, performance_impact Moderate, updated_at 2018_11_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line
194
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
195
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28146
196
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
197
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query for DNSpionage CnC Domain"; dns_query; content:".0ffice36o.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,c00c9f6ebf2979292d524acff19dd306; classtype:trojan-activity; sid:2026557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNSpionage, tag DNS_tunneling, signature_severity Major, created_at 2018_10_26, updated_at 2018_10_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12290
198
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
199
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Critroni outbound connection"; flow:to_server,established; dsize:174; urilen:1; content:"/"; http_uri; content:"Host|3A| ip.telize.com|0D 0A|Accept|3A| */*|0D 0A|User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/31.0.1650.63 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3c92d7a9dead6011f3c99829c745c384dd776d88f57bbd60bc4f9d66641819b/analysis/; classtype:trojan-activity; sid:31718; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26912
200
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
201
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro outbound connection"; flow:to_server,established; dsize:<200; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/"; http_header; content:"ompatible|3B| MSIE 31|3B| "; within:20; distance:6; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c716890a2a76785d53e8f9a5db2268501a30df807df4c4323967672efe452c/analysis/; classtype:trojan-activity; sid:31813; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26935
202
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
203
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IcedID WebSocket Request"; flow:established,to_server; content:"GET"; http_method; content:"/data2.php?"; http_uri; pcre:"/^[A-F0-9]{16}$/UR"; content:"Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; http_header; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,b17a729efb71d1781405c6c00052c85e; classtype:trojan-activity; sid:2026673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_29, malware_family IcedID, updated_at 2018_12_12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12325
204
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
205
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; content:"User-Agent|3A 20|zeroup"; http_header; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:2; metadata:created_at 2012_05_25, updated_at 2012_05_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12363
206
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
207
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; content:"DownloadMR"; nocase; depth:10; http_user_agent; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2013_05_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12374
208
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
209
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; content:"&data="; within:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea/analysis/; classtype:trojan-activity; sid:32311; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27026
210
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
211
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow:established,to_server; content:"User-Agent|3a| AV1|0d 0a|"; http_header; metadata: former_category TROJAN; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:9; metadata:created_at 2010_07_30, updated_at 2017_10_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12497
212
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
213
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28344
214
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
215
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27094
216
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
217
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27095
218
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
219
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:1; distance:8; http_uri; content:"Host:"; http_header; content:":8080"; within:30; http_header; content:"POST"; http_method; dsize:<480; pcre:"/^\/[a-f0-9]{8}\/[a-f0-9]{8}\/$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94/analysis/; classtype:trojan-activity; sid:32770; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27110
220
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
221
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Aura Ransomware User-Agent"; flow:established,to_server; content:"{KIARA}"; http_user_agent; depth:7; isdataat:!1,relative; fast_pattern; metadata: former_category USER_AGENTS; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_06, malware_family Aura, performance_impact Moderate, updated_at 2018_09_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12575
222
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
223
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSIL/Peppy User-Agent"; flow:established,to_server; content:"onedru/"; http_user_agent; depth:7; isdataat:!1,relative; fast_pattern; metadata: former_category USER_AGENTS; reference:md5,ebffb046d0e12b46ba5f27c0176b01c5; classtype:trojan-activity; sid:2026101; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_07, malware_family Peppy, performance_impact Moderate, updated_at 2018_09_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12576
224
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
225
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (IEhook)"; flow:established,to_server; content:"IEhook"; http_user_agent; depth:6; isdataat:!1,relative; fast_pattern; metadata: former_category USER_AGENTS; reference:md5,f0483493bcb352bd2f474b52f3b2f273; classtype:trojan-activity; sid:2026558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Minor, created_at 2018_10_26, performance_impact Low, updated_at 2018_10_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12582
226
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
227
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28442
228
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
229
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12606
230
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
231
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28443
232
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
233
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28444
234
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
235
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27171
236
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
237
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
238
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27199
239
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at l
240
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
241
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById|28|"; nocase; content:"id.getAttributeNode|28|"; nocase; distance:0; content:"attribute.childNodes"; nocase; distance:0; content:"document.body.removeChild|28|"; nocase; distance:0; content:"attribute.removeChild|28|"; fast_pattern; nocase; distance:0; reference:bid,40642; reference:cve,2010-1119; classtype:attempted-user; sid:2012509; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_16, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12644
242
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
243
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at l
244
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
245
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12663
246
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
247
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28527
248
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
249
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern:only; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12665
250
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
251
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern:only; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12666
252
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
253
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata
254
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
255
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12669
256
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
257
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|D2 60 38 40 BA 03 14 0E|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12670
258
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
259
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12671
260
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
261
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12672
262
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
263
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/mfc71"; http_uri; nocase; pcre:"/mfc71[a-z]{2,3}\x2Edll/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12673
264
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
265
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12674
266
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
267
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_08_17, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12676
268
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
269
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 
270
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
271
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_14, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12679
272
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
273
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at li
274
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
275
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_En
276
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
277
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12753
278
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
279
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_03_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12756
280
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
281
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AAEH variant outbound connection"; flow:to_server,established; urilen:<15; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)"; fast_pattern:only; content:"Host: "; nocase; http_header; content:"|3A|"; within:16; http_header; content:!"Referer: "; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0ccade380fd3a9ef7635e5c4e54b82c4ccd434c0bc3bbf76af3a99d744a1c5e7/analysis/; classtype:trojan-activity; sid:34246; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27341
282
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
283
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28751
284
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
285
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28780
286
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
287
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:to_server,established; uricontent:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/Ui"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,doc.emergingthreats.net/2009678; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12905
288
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
289
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27590
290
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
291
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27594
292
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
293
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27595
294
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
295
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27664
296
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
297
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27738
298
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
299
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/surica
300
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
301
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27794
302
Dec 13 01:25:08 charon suricata[33142]: [100139] <Notice> -- rule reload complete
303
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
304
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29239
305
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
306
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29240
307
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
308
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; metadata: former_category WEB_SERVER; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag WebShell, signature_severity Major, created_at 2018_09_20, malware_family SJavaWebManage, performance_impact Low, updated_at 2018_09_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 13303
309
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
310
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29269
311
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
312
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
313
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; metadata: former_category WEB_SERVER; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag WebShell, signature_severity Major, created_at 2018_09_20, malware_family SJavaWebManage, performance_impact Low, updated_at 2018_09_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 13304
314
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29270
315
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
316
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Access"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"|22|os.name|22|"; distance:0; content:"|22|/bin/sh|22|"; distance:0; content:"getRuntime|28 29|.exec|28|"; fast_pattern; metadata: former_category WEB_SERVER; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026336; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag WebShell, signature_severity Major, created_at 2018_09_20, malware_family SJavaWebManage, performance_impact Low, updated_at 2018_09_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 13305
317
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
318
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28100
319
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
320
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28298
321
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
322
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29803
323
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
324
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28396
325
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
326
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28397
327
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
328
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28398
329
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
330
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29869
331
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
332
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29870
333
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
334
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29871
335
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
336
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29872
337
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
338
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28481
339
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
340
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28705
341
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
342
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28734
343
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
344
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30208
345
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
346
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30339
347
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
348
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30340
349
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
350
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30389
351
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
352
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30413
353
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
354
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30414
355
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
356
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30513
357
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
358
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30558
359
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
360
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30559
361
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
362
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29193
363
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
364
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29194
365
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
366
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29223
367
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
368
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29224
369
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
370
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30683
371
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
372
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30709
373
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
374
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30710
375
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
376
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29757
377
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
378
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29823
379
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
380
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29824
381
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
382
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29825
383
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
384
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29826
385
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
386
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31221
387
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
388
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30162
389
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
390
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31369
391
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
392
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30293
393
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
394
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30294
395
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
396
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30343
397
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
398
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30367
399
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
400
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30368
401
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
402
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31542
403
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
404
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30467
405
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
406
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30512
407
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
408
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30513
409
Dec 13 01:25:09 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
410
Dec 13 01:25:09 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/cacti/utilities.php"; nocase; uricontent:"tail_lines="; nocase; uricontent:"message_type="; nocase; uricontent:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,42575; reference:cve,2010-2544; reference:cve,2010-2545; classtype:web-application-attack; sid:2011423; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 14871
411
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
412
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31634
413
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
414
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30637
415
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
416
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30663
417
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
418
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30664
419
Dec 13 01:25:09 charon suricata[27331]: [100669] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210042, gid 1: unknown rule
420
Dec 13 01:25:09 charon suricata[27331]: [100669] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210044, gid 1: unknown rule
421
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
422
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31175
423
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
424
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31323
425
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
426
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31496
427
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
428
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31588
429
Dec 13 01:25:09 charon suricata[31827]: [100148] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210042, gid 1: unknown rule
430
Dec 13 01:25:09 charon suricata[31827]: [100148] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210044, gid 1: unknown rule
431
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
432
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SPECIFIC_APPS Oracle Fusion Middleware BPEL Console Cross Site Scripting"; flow:established,to_server; content:"/BPELConsole/default/processLog.jsp"; nocase; depth:50; content:"processName="; nocase; within:100; pcre:"/processName\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,43954; reference:cve,2010-3581; classtype:attempted-admin; sid:2011860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_10_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17191
433
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
434
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; content:"awstats.cgi"; nocase; http_uri; content:"config="; nocase; http_uri; content:"pluginmode=rawlog"; nocase; http_uri; content:"configdir=|5C 5C|"; nocase; http_uri; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:2; metadata:created_at 2011_02_28, updated_at 2011_02_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17248
435
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
436
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf/WebMessage"; nocase; http_uri; content:"OpenView"; nocase; http_uri; content:"messageString="; nocase; http_uri; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17249
437
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
438
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf"; nocase; http_uri; content:"unescape"; nocase; fast_pattern; http_uri; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17250
439
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
440
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; http_uri; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/Ui"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_02, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17448
441
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
442
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter XSS Attempt"; flow:established,to_server; content:"/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; nocase; http_uri; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; classtype:web-application-attack; sid:2012919; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17486
443
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
444
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; content:"/hpdiags/frontend2/help/search.php?query="; http_uri; nocase; pcre:"/query\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17496
445
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
446
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/nagios/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; fast_pattern; http_uri; nocase; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17518
447
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
448
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; content:"TRACE"; http_method; content:".jsf"; nocase; http_uri; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17979
449
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
450
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_24, updated_at 2017_05_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18008
451
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
452
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"orderby="; nocase; http_uri; pcre:"/orderby\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013118; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_24, updated_at 2017_05_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18009
453
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
454
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; content:"/wg.txt"; http_uri; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:2; metadata:created_at 2012_03_19, updated_at 2012_03_19;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18112
455
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
456
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:trojan-activity; sid:2017404; rev:3; metadata:created_at 2013_08_30, updated_at 2013_08_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18113
457
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
458
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"; flow:to_server,established; content:"%253C"; fast_pattern:only; content:"%253C"; nocase; http_raw_uri; content:"%253E"; distance:4; nocase; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-6365; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:web-application-attack; sid:32710; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18562
459
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
460
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated"; flow:to_client,established; dsize:<2056; file_data; content:"CollectGarbage"; fast_pattern:only; content:"createElement"; nocase; content:"cloneNode"; within:128; nocase; content:"clearAttributes"; within:128; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16339; rev:13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18949
461
Dec 13 01:25:12 charon suricata[27331]: [100669] <Notice> -- rule reload complete
462
Dec 13 01:25:12 charon suricata[35382]: [100163] <Warning> -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use 'replace' keyword in non IPS mode: drop tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,6503,6504] (msg:"CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt"; flow:established,to_server; content:"|05 00 0B|"; content:"NTLMSSP|00 01 00 00 00|"; distance:0; content:"|0A 06 00 00|"; within:4; distance:-20; replace:"|0A 02 00 00|"; metadata:policy max-detect-ips drop; classtype:protocol-command-decode; sid:18469; rev:7;)
463
Dec 13 01:25:13 charon suricata[31827]: [100148] <Notice> -- rule reload complete
464
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
465
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39309; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23108
466
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
467
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39308; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23109
468
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
469
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|127.0.0.1"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|127.0.0.1"; distance:0; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39543; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23176
470
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
471
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|localhost"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|localhost"; distance:0; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39540; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23179
472
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
473
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46261; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23474
474
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
475
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46260; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23475
476
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
477
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; http_client_body; byte_extract:4,6,offset,relative,big; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40244; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23720
478
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
479
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45822; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26148
480
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
481
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45821; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26149
482
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
483
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45820; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26150
484
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
485
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45819; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26151
486
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
487
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_server; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-1000035; classtype:attempted-user; sid:47587; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26279
488
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
489
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_client; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000035; classtype:attempted-user; sid:47586; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26280
490
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
491
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47683; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26285
492
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
493
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47682; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26286
494
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
495
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27235
496
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
497
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27236
498
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
499
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27237
500
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
501
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27238
502
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
503
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27239
504
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
505
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt"; flow:to_client,established; file_data; content:"Content-"; nocase; http_header; content:"rfc822"; within:50; nocase; http_header; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:41714; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27436
506
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
507
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27635
508
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
509
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27753
510
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
511
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27754
512
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
513
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27755
514
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
515
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27820
516
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
517
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28047
518
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
519
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:16; dsize:29; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|10 00|"; within:2; distance:14; byte_extract:1,0,memoryAddr,relative,multiplier 257; byte_test:2,=,memoryAddr,0,relative; byte_test:2,=,memoryAddr,1,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:36877; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28172
520
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
521
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28220
522
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
523
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28221
524
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
525
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28250
526
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
527
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28251
528
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
529
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Certification service XSS attempt"; flow:to_server,established; content:"certfnsh|2E|asp"; nocase; http_uri; content:"TargetStoreFlagsObserve"; nocase; http_client_body; pcre:"/^=[^\s\x26]*[\x3C\x3E\x22\x27\x28\x29]/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-051; classtype:attempted-user; sid:19186; rev:10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28444
530
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
531
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; content:"/axis2-admin/login"; fast_pattern:only; http_uri; content:"userName=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45625; reference:cve,2010-0219; classtype:default-login-attempt; sid:18985; rev:11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29027
532
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
533
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29147
534
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
535
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29337
536
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
537
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29338
538
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
539
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11971; rev:7;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29339
540
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
541
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"|0D 0A 0D 0A|"; content:!"Contact"; nocase; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21101; rev:7;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29344
542
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
543
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server,established; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:20425; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29345
544
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
545
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server,established; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20392; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29346
546
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
547
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20391; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29347
548
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
549
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server,established; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:20390; rev:8;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29348
550
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
551
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server,established; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:20381; rev:7;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29349
552
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
553
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:16351; rev:11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29352
554
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
555
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:13693; rev:12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29353
556
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
557
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:13664; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29354
558
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
559
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:11970; rev:13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29355
560
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
561
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29356
562
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
563
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29357
564
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
565
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts CookieInterceptor classloader access attempt"; flow:to_server,established; content:"ClassLoader"; fast_pattern:only; content:"class"; nocase; http_cookie; content:"ClassLoader"; distance:0; nocase; http_cookie; pcre:"/class([\x2e\x5b]|%2e|%5b)([\x22\x27]|%22|%27)?ClassLoader/Ci"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67081; reference:cve,2014-0113; reference:url,cwiki.apache.org/confluence/display/WW/S2-021; classtype:attempted-admin; sid:30944; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29405
566
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
567
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30346
568
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
569
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30474
570
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
571
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30475
572
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
573
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30547
574
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
575
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt"; flow:to_client,established; content:"MSG"; content:"|0A|P2P-Dest|3A|"; within:200; nocase; content:"|0D 0A 0D 0A|"; within:100; content:!"|00 00 00 00|"; within:4; distance:8; content:!"|00 00 00 00|"; within:4; distance:24; byte_extract:4,24,message_len,relative,little; byte_math:bytes 4, offset -20, oper +, rvalue message_len, result cumulative_size, relative, endian little; byte_test:4,>,cumulative_size,-20,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29956; reference:cve,2008-2927; reference:url,pidgin.im/news/security/?id=25; classtype:attempted-user; sid:46784; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30550
576
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
577
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30587
578
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
579
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30588
580
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
581
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Airlive IP Camera directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/admin"; fast_pattern:only; content:"/cgi-bin/admin"; http_raw_uri; content:"filePath"; distance:0; nocase; http_raw_uri; content:"../"; distance:0; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60549; reference:cve,2013-3541; classtype:web-application-attack; sid:29595; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30692
582
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
583
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:31838; rev:5;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30720
584
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
585
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:32044; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30725
586
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
587
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30748
588
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
589
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30749
590
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
591
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell iManager ClassName handling overflow attempt"; flow:to_server,established; content:"/nps/servlet/webacc"; nocase; http_uri; content:"ClassName="; fast_pattern; nocase; http_client_body; pcre:"/^[^\x26]{512}/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40480; reference:cve,2010-1929; classtype:attempted-admin; sid:18796; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30903
592
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
593
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; content:"/OvCgi/webappmon.exe"; fast_pattern:only; http_uri; content:"sel="; http_client_body; pcre:"/^[^\x26]*?\x25/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30904
594
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
595
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31059
596
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
597
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31096
598
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
599
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31097
600
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
601
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt"; flow:to_server,established; content:".php"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; content:"|00 00|"; within:2; distance:16; byte_test:4,>=,0x00FFFFFF,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3078; reference:url,bugs.php.net/bug.php?id=71923; classtype:attempted-admin; sid:41383; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31360
602
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
603
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Squid ESI processing buffer overflow attempt"; flow:to_client,established; file_data; content:"Surrogate-Control:"; fast_pattern; http_header; content:"ESI/1.0"; within:100; nocase; http_header; content:"Content-Type:"; nocase; http_header; content:"text/"; within:50; nocase; http_header; content:"<"; isdataat:2000,relative; content:!">"; within:2000; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4054; reference:url,www.squid-cache.org/Advisories/SQUID-2016_6.txt; classtype:attempted-user; sid:43268; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31599
604
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
605
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31658
606
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
607
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX recording interface file upload code execution attempt"; flow:to_server,established; content:"config.php"; fast_pattern:only; content:"Content-Disposition"; nocase; http_client_body; content:"name="; distance:0; http_client_body; content:"../"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43454; reference:cve,2010-3490; classtype:web-application-attack; sid:45226; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31804
608
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
609
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31813
610
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
611
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 32006
612
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
613
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 32112
614
Dec 13 01:25:17 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
615
Dec 13 01:25:17 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/flowbit-required.rules at line 2230
616
Dec 13 01:25:17 charon suricata[35382]: [100163] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210042, gid 1: unknown rule
617
Dec 13 01:25:17 charon suricata[35382]: [100163] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210044, gid 1: unknown rule
618
Dec 13 01:25:20 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to find the sm in any of the sm lists
619
Dec 13 01:25:20 charon suricata[35382]: [100163] <Notice> -- rule reload complete
620
Dec 13 01:35:27 charon charon.m.browsepage.com nginx: 2018/12/13 01:35:27 [error] 53294#100242: send() failed (54: Connection reset by peer)
621
Dec 13 01:35:42 charon php-fpm[99033]: /status_logs.php: Successful login for user 'admin' from: 10.1.100.2 (Local Database)
622
Dec 13 01:40:49 charon check_reload_status: Syncing firewall
623
Dec 13 01:40:49 charon check_reload_status: Reloading filter
624
Dec 13 01:40:54 charon check_reload_status: Syncing firewall
625
Dec 13 01:41:20 charon check_reload_status: Syncing firewall
626
:!"Referer"; content:!"Accept"; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:trojan-activity; sid:2020181; rev:8; metadata:created_at 2015_01_14, updated_at 2015_01_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11783
627
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
628
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic gate[.].php GET with minimal headers"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php"; http_uri; nocase; fast_pattern; http_header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:3; metadata:created_at 2016_05_18, updated_at 2016_05_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11787
629
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
630
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:".jpg?resid="; http_uri; fast_pattern; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021200; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11792
631
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
632
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jadtree Downloader rar"; flow:established,to_server; content:".rar"; nocase; http_uri; isdataat:!1,relative; pcre:"/^\d{4}$/V"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:3; metadata:created_at 2014_01_30, updated_at 2014_01_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11793
633
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
634
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV checkin"; flow:established,to_server; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; http_user_agent; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Accept"; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity; sid:2016089; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11794
635
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
636
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; content:"/ip.txt"; http_uri; nocase; isdataat:!1,relative; fast_pattern; content:!"Mozilla"; http_user_agent; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http_header; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:4; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11796
637
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
638
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; metadata: former_category TROJAN; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:3; metadata:created_at 2016_04_06, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11798
639
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
640
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot Requesting PE"; flow:established,to_server; content:"GET"; http_method; content:"ho"; http_uri; content:"ping/mod_"; within:10; http_uri; fast_pattern; content:"/"; http_uri; distance:0; isdataat:!1,relative; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:5; metadata:created_at 2014_11_20, updated_at 2014_11_20;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11800
641
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
642
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Scieron Retrieving Information"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/ip.txt"; http_uri; fast_pattern; http_header_names; content:!"Accept"; content:!"Referer"; flowbits:set,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020296; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11803
643
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
644
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gulpix/PlugX Client Request"; flow:established,to_server; content:"POST"; http_method; content:"1|3a 20|"; http_header; content:"2|3a 20|"; http_header; distance:0; content:"3|3a 20|"; http_header; distance:0; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/Hm"; http_header_names; content:!"Referer"; reference:md5,663d7774b6727a070b558676cee9fe43; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html; classtype:trojan-activity; sid:2018169; rev:5; metadata:created_at 2014_02_21, updated_at 2014_02_21;)" from file /usr/local
645
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
646
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/config"; http_uri; fast_pattern; content:".jpg"; http_uri; distance:0; isdataat:!1,relative; content:"Cache-Control|3a 20|no-cache"; http_header; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/U"; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/V"; http_header_names; content:!"Accept-"; content:!"Referer"; http_connection; content:"close"; nocase; metadata: former_category TROJAN; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:5; metadata:created_at 2015_07_23, updated_at 2017_10_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11806
647
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
648
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; content:"GET"; http_method; content:"/counter/?id="; http_uri; nocase; content: "&rnd="; http_uri; nocase; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/iU"; flowbits:set,ET.nemucod.exerequest; http_header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:6; metadata:created_at 2016_02_02, updated_at 2016_11_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11807
649
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
650
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2"; flow:established,to_server; content:"od"; offset:2; depth:2; nocase; http_uri; content:".exe"; nocase; http_uri; isdataat:!1,relative; fast_pattern; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/Ui"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent"; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:5; metadata:created_at 2014_04_16, updated_at 2014_04_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11810
651
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
652
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
653
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cap/?a=get&i="; nocase; http_uri; pcre:"/\d+&/miR"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26166
654
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; content:"POST"; http_method; content:".asp?cookie="; http_uri; fast_pattern; content:"&type="; http_uri; content:"&vid="; http_uri; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021569; rev:3; metadata:created_at 2015_07_31, updated_at 2015_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11811
655
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
656
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; content:"/b/eve/"; http_uri; depth:7; fast_pattern; pcre:"/^[a-f0-9]{24}$/URi"; metadata: former_category TROJAN; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018096; rev:3; metadata:created_at 2014_02_10, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11812
657
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
658
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET"; http_method; urilen:5; content:"/1/?"; http_uri; fast_pattern; depth:4; isdataat:!2,relative; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http_user_agent; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:3; metadata:created_at 2012_12_03, updated_at 2012_12_03;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11814
659
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
660
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; content:"|01 00 00 01 00 00 00 00 00 00 11|"; depth:11; offset:2; fast_pattern; pcre:"/^[A-Z0-9]{17}/R"; content:"|00 00 10|"; distance:0; threshold:type limit, track by_src, count 1, seconds 300; content:!"|03|prs|0a|proofpoint|03|com|00|"; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:trojan-activity; sid:2022842; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_31, performance_impact Low, updated_at 2016_07_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11817
661
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
662
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11819
663
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
664
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; content:"POST"; http_method; content:"/main.php"; http_uri; fast_pattern; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; http_header_names; content:!"Referer"; http_content_len; byte_test:0,<,110,0,string,dec; byte_test:0,>=,100,0,string,dec; http_connection; content:"Keep-Alive"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022538; rev:6; metadata:created_at 2016_02_17, updated_at 2016_02_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11820
665
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
666
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative;  http_header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; http_accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:4; metadata:created_at 2016_02_10, updated_at 2016_02_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11821
667
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
668
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; isdataat:!1,relative; nocase; pcre:"/\/[0-9]{2}\.exe$/iU"; http_header_names; content:!"Referer"; flowbits:set,ET.nemucod.exerequest; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:3; metadata:created_at 2016_02_02, updated_at 2016_02_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11822
669
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
670
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Mozilla/5.0 (Windows NT 6.1|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; http_user_agent; fast_pattern; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/W"; http_connection; content:"Close"; isdataat:!1,relative; http_content_type; content:"octet/binary"; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:trojan-activity; sid:2019891; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_12_08, malware_family Dridex, performance_impact Moderate, updated_at 2017_05_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11824
671
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
672
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad"; flow:established,to_server; content:"/gate.php"; nocase; http_uri; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_26, malware_family Zeus, performance_impact Low, updated_at 2016_07_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11827
673
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
674
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon 2"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/userinfo.php"; http_uri; fast_pattern; pcre:"/[\x80-\xff]/P"; http_content_type; content:"www-form-urlencoded"; isdataat:!1,relative; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:trojan-activity; sid:2022769; rev:3; metadata:created_at 2016_04_27, updated_at 2016_04_27;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11829
675
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
676
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; dns_query; content:"epmhyca5ol6plmx3"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:3; metadata:created_at 2015_04_08, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11831
677
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
678
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; dns_query; content:"7tno4hib47vlep5o"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2015_02_09, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11833
679
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
680
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any any (msg:"ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; dns_query; content:"cxkefbwo7qcmlelb"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2017_12_05, performance_impact Low, updated_at 2017_12_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11837
681
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
682
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njRAT/Bladabindi Variant (Lime) CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|ll"; within:6; content:"TGltZV8"; distance:0; within:30; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/s"; metadata: former_category TROJAN; reference:md5,ce37b5b473377810bc76e0491533b4e7; classtype:trojan-activity; sid:2025136; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_06, malware_family njrat, performance_impact Moderate, updated_at 2017_12_06;)" from file /usr/local/etc/suricata/surica
683
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
684
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern; pcre:"/ms-?office/V"; content:!".money-media.com"; http_host; content:!"ad.payclick.it"; http_host; content:!"sellercore.com"; http_host; metadata: former_category TROJAN; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:7; metadata:created_at 2015_08_18, updated_at 2017_12_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11839
685
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
686
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 8"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; isdataat:!1,relative; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; http_user_agent; isdataat:!1,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; byte_test:0,<,100,0,string,dec; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; depth:51; fast_pattern; metadata: former_category TROJAN; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:trojan-activity; sid:2025142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, depl
687
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
688
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11843
689
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
690
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN GratefulPOS Covert DNS CnC Initial Checkin"; dns_query; content:".grp"; within:12; content:"ping.adm."; distance:0; within:15; fast_pattern; isdataat:30,relative; pcre:"/^[a-f0-9]{8}\.grp[0-9]*\.ping\.adm\.(?:[a-f0-9]+\.){2,}/"; metadata: former_category TROJAN; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:trojan-activity; sid:2025144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Grateful_POS, performance_impact Moderate, updated_at 2017_12_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line
691
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
692
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".aspx?A="; http_uri; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/RU"; content:"Accept-Language|3a 20|zh-TW"; http_header; http_header_names; content:"Referer|3a 20|"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,BFB3C542AD815436EC3F2FD71582AD08B7E7301C; classtype:trojan-activity; sid:2025145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Randrew_A, performance_impact Low, updated_at 2017_12_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11845
693
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
694
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:5; metadata:created_at 2014_03_14, updated_at 2014_03_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11846
695
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
696
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?a=Te"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\n(?:\r\n)?$/Hi"; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Cache"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:trojan-activity; sid:2025147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Downloader_Small_BIL, performance_impact Low, updated_at 2017_12_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11847
697
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
698
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?machine_id="; http_uri; fast_pattern; content:"&x64"; http_uri; distance:0; content:"&version="; http_uri; distance:0; content:"&video_card="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:"&junk="; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; classtype:trojan-activity; sid:2025148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Bot_Sezin, performance_impact Low, updated_at 2017_12_13;)" from file /usr/local/etc/suricata/suric
699
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
700
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; depth:1; content:"/"; http_uri; distance:0; isdataat:!1,relative; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2017_12_05;)" from file /usr
701
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
702
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"x-user-agent|3a 20|YesMaster|0d 0a|"; http_header; fast_pattern; http_header_names; content:"|0d 0a|x-user-agent|0d 0a|"; content:"|0d 0a|x-whoami|0d 0a|"; content:"|0d 0a|x-pwd|0d 0a|"; content:"|0d 0a|x-hostname|0d 0a|"; content:"|0d 0a|x-isadm|0d 0a|"; content:"|0d 0a|x-is64Env|0d 0a|"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:trojan-activity; sid:2025157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_20, malware_family YesMaster, performance_impact Moderate, updated_at 2017_12_20;)" from file /usr/local/etc/suricata/suricat
703
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
704
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC CreateFolderOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?sDir="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11853
705
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
706
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC DeleteFileOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?fileDel="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11854
707
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
708
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC WriteMetadataOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/write_meta.php?sDir="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11855
709
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
710
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Smurf2 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/5.0"; http_user_agent; content:"teststr="; depth:8; nocase; http_client_body; fast_pattern; content:"&testval="; nocase; distance:0; http_client_body; http_accept; content:"??"; metadata: former_category TROJAN; reference:md5,e2d136bb63edc092d2f3d26885b239d9; classtype:trojan-activity; sid:2025168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11856
711
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
712
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M1"; flow:established,to_server; http_request_line; content:"GET|20|/api/up.php|20|HTTP/1.1"; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Content-Type"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11860
713
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
714
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server;  content:"POST"; http_method; content:"/update.php"; http_uri; isdataat:!1,relative; fast_pattern; content:"data="; http_client_body; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/PRsi"; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rul
715
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
716
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26243
717
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
718
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Activity"; flow:established,to_server; content:".php?mac="; http_uri; fast_pattern; pcre:"/^[0-9A-F]{12}$/RU"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11862
719
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
720
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Zeus Panda CnC Domain (in DNS Lookup)"; dns_query; content:"pprulispikosqcsiwef.info"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:trojan-activity; sid:2025177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_29, malware_family Zeus_Panda, performance_impact Moderate, updated_at 2017_12_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11863
721
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
722
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; urilen:1; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_29, updated_at 2017_12_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.ru
723
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
724
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MedusaHTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; http_user_agent; fast_pattern; isdataat:!1,relative; content:"xyz="; http_client_body; depth:4; content:"|7c|"; http_client_body; distance:0; content:"|7c|"; http_client_body; distance:0;  http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:trojan-activity; sid:2025187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2
725
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
726
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET TROJAN Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; metadata: former_category TROJAN; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, updated_at 2018_01_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11893
727
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
728
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:".php?TIe="; http_uri; fast_pattern; pcre:"/^[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d]+$/RU";content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; threshold: type both, count 5, seconds 120, track by_src; metadata: former_category TROJAN; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; classtype:trojan-activity; sid:2025198; rev:2; metadata:created_at 2018_01_11, updated_at 2018_01_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11894
729
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
730
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Mami CnC Checkin"; flow:established,to_server; content:"User-Agent|3a 20 0d 0a|"; http_header; fast_pattern; content:"r="; http_client_body; depth:2; content:"&rc="; distance:0; http_client_body; http_request_line; content:"POST|20|/|20|HTTP/1.1"; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:trojan-activity; sid:2025199; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_14, malware_family Mami, performance_impact Moderate, updated_at 2018_01_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11895
731
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
732
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET TROJAN OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Mami, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11896
733
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
734
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; tls_sni; content:"cryptoclipper.ru"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11897
735
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
736
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,bad07f85a7baaeaa8aeb72997712aa98; classtype:trojan-activity; sid:2025202; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11898
737
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
738
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MoneroPay Ransomware Payment Activity"; flow:established,to_server; content:"GET"; http_method; content:"/paid?id="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{16}$/RU"; http_header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; content:!"Connection"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Ransomware, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11899
739
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
740
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Adwind SSL Certificate Observed"; flow:established,from_server; tls_cert_serial; content: "70:FE:E3:2F"; fast_pattern; tls_cert_issuer; content:"hgfyuilijhk"; metadata: former_category TROJAN; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:2025209; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, malware_family Adwind, malware_family Qarallex, performance_impact Low, updated_at 2018_01_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11901
741
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
742
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Formbook 0.3 Checkin"; flow:to_server,established; content:"POST"; http_method; content:"Mozilla"; http_user_agent; depth:7; content:"dat="; depth:4; http_client_body; nocase; fast_pattern; pcre:"/^[a-z0-9_\/+-]{1000}/PRi"; metadata: former_category TROJAN; reference:md5,6886a2ebbde724f156a8f8dc17a6639c; classtype:trojan-activity; sid:2024436; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_29, malware_family Password_Stealer, updated_at 2017_11_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11905
743
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
744
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern:5,20; http_header; content:"l"; http_client_body; depth:1; content:"=OTl"; within:8; http_client_body; content:"&e"; http_client_body; distance:0; content:"="; http_client_body; within:6; content:"&m"; http_client_body; distance:0; content:"="; http_client_body; within:6; metadata: former_category TROJAN; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:trojan-activity; sid:2025234; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Clien
745
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
746
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php?act=hi&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"&dotnetver="; http_uri; content:"&onwork="; http_uri; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025235; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11909
747
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
748
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php?act=info&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"info="; depth:5; http_client_body; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11910
749
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
750
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Brazilian Banker CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Embarcadero URI Client/1.0"; http_user_agent; content:"AS100="; fast_pattern; http_client_body; content:"AS200="; distance:0; http_client_body; metadata: former_category TROJAN; reference:md5,94cd521945da6ab73bc7a1462283d22a; classtype:trojan-activity; sid:2025241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_01_22, malware_family Banking_Trojan, performance_impact Low, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11911
751
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
752
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/TooEasy Miner CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?p="; http_uri; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|msg|22|"; http_client_body; content:"|0d 0a|Downloading files|0d 0a|"; http_client_body; fast_pattern; content:"curl/"; http_user_agent; depth:5; http_header_names; content:!"Accept-"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dc62dd14321dfa9f14c094a7b1e20979; classtype:trojan-activity; sid:2025251; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, performance_impact Moderate, updated_at 2018_01_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11912
753
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
754
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php?token="; http_uri; fast_pattern; pcre:"/^[0-9]{2,6}$/RU"; content:"data="; http_client_body; depth:5; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/RPs"; http_content_len; byte_test:0,>,200,0,string,dec; http_header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie"; metadata: former_category TROJAN; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:trojan-activity; sid:2025254; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_26, malware_family GandCrab, performance_impact Moderate, updated_at 2018_01_26;)" from file /usr/local/etc/
755
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
756
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; dns_query; content:"cryptoclipper.ru"; isdataat:!1,relative; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:2; metadata:created_at 2018_01_29, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11915
757
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
758
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; tls_sni; content:"projectevrial.ru"; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:2; metadata:created_at 2018_01_29, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11916
759
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
760
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/upload.php?user="; http_uri; fast_pattern; content:"&hwid="; http_uri; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http_client_body; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,485069677e997ff6ce193be7258c783f; classtype:trojan-activity; sid:2025266; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_29, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11917
761
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
762
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; content:"?hwid="; http_uri; content:"&group="; http_uri; fast_pattern; content:"&os="; http_uri; content:"&cpu="; http_uri; content:"GET"; http_method;  content:!"Referer|3a|"; http_header; threshold: type both, track by_src, count 2, seconds 60; metadata: former_category TROJAN; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:trojan-activity; sid:2025253; rev:4; metadata:created_at 2018_01_26, updated_at 2018_01_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11918
763
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
764
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"/kb/"; http_uri; depth:4; fast_pattern; pcre:"/^\d{4,8}$/UR"; content:!"Microsoft Outlook"; http_user_agent; http_header_names; content:!"Referer"; content:"User-Agent"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025120; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2018_01_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11919
765
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
766
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Dropper.Delf Checkin"; flow:established,to_server; content:"/autoupdate/versaoatual.txt"; fast_pattern; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; http_user_agent; metadata: former_category TROJAN; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:trojan-activity; sid:2025283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_01, malware_family Dropper, performance_impact Low, updated_at 2018_02_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11921
767
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
768
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise Style IP Check"; flow:to_server,established; urilen:16; content:"/myip?format=txt"; http_uri; content:"api.ipaddress.com"; http_host; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; http_user_agent; http_header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025289; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perime
769
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
770
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/U"; content:"=|3b 20|"; http_cookie; content:"=|3b 20|"; http_cookie; distance:0; content:"=|3b|"; http_cookie; distance:0; isdataat:!1,relative; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deploy
771
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
772
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns_query; content:"getfreshnews.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, performance_impact Moderate, updated_at 2018_02_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11926
773
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
774
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?action="; http_uri; content:"&hwid="; http_uri; distance:0; content:"&access="; fast_pattern; http_uri; distance:0; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:trojan-activity; sid:2025344; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_12, malware_family Ars_Stealer, performance_impact Moderate, updated_at 2018_02_12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11932
775
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
776
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer Retrieving CnC Information"; flow:established,to_server; content:"GET"; http_method; content:"/Project-Evrial-C2-DOMAIN-"; http_uri; fast_pattern; nocase; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; metadata: former_category TROJAN; reference:md5,540c736b7e11287805ddd4f3a9d37934; classtype:trojan-activity; sid:2025346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_13, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11933
777
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
778
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.BIC Variant CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?response="; http_uri; content:"&cpu="; http_uri; distance:0; content:"&gpu="; http_uri; distance:0; content:"&ram="; http_uri; distance:0; content:"&name="; http_uri; distance:0; content:"&os="; http_uri; distance:0; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,C6C781F0ED065476A4297C2AC96A6D83; classtype:trojan-activity; sid:2025359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_15, malware_family Agent_BIC, performance_impact Low, updated_at 2018_02_15;)" from file /usr/local/etc/suricata/suricata_55
779
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
780
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server;  content:"POST"; http_method; urilen:8; content:"/waiting"; http_uri; fast_pattern; content:"BC_Vic_"; http_user_agent; depth:7; content:"BC_SPL"; http_user_agent; distance:0; isdataat:!1,relative; threshold: type limit, track by_dst, seconds 30, count 1; http_header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:trojan-activity; sid:2025370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_19, malware_family Backdoor_Small, performance_impact Low, updated_at 2018_02_19;)" from file /usr/local/etc/suricata/suricat
781
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
782
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report - "; http_client_body; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; http_client_body; distance:19; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:trojan-activity; sid:2025375; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_21, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_21;)" from file /usr/loca
783
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
784
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; isdataat:!1,relative; content:"Microsoft BITS/"; http_user_agent; depth:15; fast_pattern; content:!"microsoft.com"; http_host; content:!"pdfcomplete.com"; http_host; content:!"mymitchell.com"; http_host; content:!"azureedge.net"; http_host; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2018_02_22;)" fro
785
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
786
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; isdataat:!1,relative; threshold: type both, track by_src, count 10, seconds 30; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)" from file /usr/local/etc/suricata/suricata_55516_em7
787
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
788
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin"; flow:established,to_server; content:"|00 00 00 69 64 3d|"; depth:10; content:"|26 6f 73 3d|"; distance:0; within:30; content:"|26 70 72 69 76 3d|"; distance:0; within:20; content:"|26 63 72 65 64 3d|"; distance:0; within:20; content:"|26 70 63 6e 61 6d 65 3d|"; distance:0; content:"|26 61 76 6e 61 6d 65 3d|"; distance:0; content:"|26 62 75 69 6c 64 5f 74 69 6d 65 3d|"; distance:0; fast_pattern; content:"|26 63 61 72 64 3d|"; distance:0; metadata: former_category TROJAN; reference:md5,32485b8cedc5b79aa1bf2d7ceae0ef31; classtype:trojan-activity; sid:2025408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_01, malware_family FlawedAmmyy, performance_impact Moderate, update
789
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
790
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=www.instrumentshigh.com.br"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:trojan-activity; sid:2025433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2018_03_14, malware_family Bancos, performance_impact Moderate, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11955
791
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
792
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls_cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc.";  metadata: former_category TROJAN; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /u
793
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
794
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls_cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc.";  metadata: former_category TROJAN; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_55516_
795
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
796
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Google)"; tls_cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc.";  metadata: former_category TROJAN; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 
797
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
798
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls_cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; tls_cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc.";  metadata: former_category TROJAN; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/lo
799
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
800
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer IP Lookup"; flow:established,to_server;  content:"POST"; http_method; content:"Arkei/"; http_user_agent; depth:6; fast_pattern; content:"ip-api.com"; http_host; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11960
801
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
802
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer Config Download Request"; flow:established,to_server;  content:"POST"; http_method; content:"/grubConfig"; http_uri; content:"Arkei/"; http_user_agent; depth:6; fast_pattern; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11961
803
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
804
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27636
805
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
806
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Cobalt Group SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dns-verifon.com"; distance:1; within:16; metadata: former_category TROJAN; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:trojan-activity; sid:2025438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_26, malware_family Cobalt_Group, performance_impact Low, updated_at 2018_03_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11966
807
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
808
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26381
809
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
810
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27640
811
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
812
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"valor="; depth:6; http_client_body; content:"verde"; http_client_body; content:"branco"; http_client_body; content:"vermelho"; fast_pattern:only; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:trojan-activity; sid:2018516; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_04_24, performance_impact Low, updated_at 2018_03_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11967
813
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
814
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27641
815
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
816
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M2"; flow:established,to_server; content:"GET"; http_method; content:"/vstudio"; http_uri; fast_pattern; urilen:8; content:"msdn.microsoft.com"; http_host; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11968
817
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
818
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M3"; flow:established,to_server; content:"GET"; http_method; content:"/visualstudio/"; http_uri; fast_pattern; urilen:14; content:"www.microsoft.com"; http_host; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11969
819
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
820
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 10"; flow:established,to_server; content:"POST"; http_method; pcre:"/\/\d+\/$/U"; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|User-Agent"; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, performance_impact Moderate, updated_at 2018_03_27;)
821
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
822
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; dns_query; content:"chlenaverasiskihe.sex"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11972
823
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
824
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern; content:"&c="; distance:0; nocase; http_uri; content:"&mk="; distance:0; nocase; http_uri; content:"&il="; distance:0; nocase; http_uri; content:"&vr="; distance:0; nocase; http_uri; content:"&bt="; distance:0; nocase; http_uri; content:!"Referer"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_10, performance_impact Moderate, updated_at 2018_04_04;)" from file 
825
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
826
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26400
827
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
828
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26401
829
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
830
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; content:"POST"; http_method; content:".js"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025464; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family OceanLotus, 
831
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
832
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, crea
833
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
834
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot User-Agent"; flow:established,to_server; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative;  http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11983
835
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
836
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&bit="; http_uri; content:"&info=Windows|3a 20|"; http_uri; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11984
837
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
838
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot CnC Task Status"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&taskId="; http_uri; distance:0; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11985
839
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
840
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, create
841
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
842
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pontoeb CnC"; flow:established,to_server; content:"N0PE"; depth:4; http_user_agent; fast_pattern; content:"mode="; depth:5; http_client_body; metadata: former_category TROJAN; reference:md5,1a44b59105e584bac969408f9617133f; reference:url,urlhaus.abuse.ch/url/4452/; classtype:trojan-activity; sid:2025484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2018_04_11, malware_family Pontoeb, performance_impact Low, updated_at 2018_04_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11987
843
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
844
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26422
845
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
846
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"{|22|encry|22 3a 22|"; http_client_body; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; http_client_body; distance:0; content:"|22|guid|22 3a 22|"; http_client_body; distance:0; content:"|22|start|22 3a 22|"; http_client_body; distance:0; content:"|22|market|22 3a 22|"; http_client_body; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:trojan-activity; sid:2025486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 20
847
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
848
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; tls_cert_subject; content:"CN=ok.investments"; fast_pattern; nocase; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:trojan-activity; sid:2025485; rev:3; metadata:created_at 2018_04_11, updated_at 2018_04_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11989
849
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
850
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LokiBot Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Key|3a 20|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20/Hi"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:trojan-activity; sid:2025381; rev:4; metadata:created_at 2015_11_23, updated_at 2018_04_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11991
851
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
852
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; content:"404"; http_stat_code; file_data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_10, malware_family lokibot, performance_impact Low, updated_at 2018_04_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12001
853
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
854
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27710
855
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
856
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Quant Loader Download Response M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"exe=http://"; within:30; nocase; fast_pattern; content:"|2e|exe|3b|"; distance:0; nocase; metadata: former_category TROJAN; reference:md5,aa0b114a64683d89f62d26a088e164f6; classtype:trojan-activity; sid:2024206; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_17, performance_impact Moderate, updated_at 2017_04_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12009
857
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
858
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_11, updated_at 2015_02_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12012
859
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
860
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Requesting Payload"; flow:established,to_server; content:"GET"; http_method; content:"?Value=13&idPayload="; http_uri; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12013
861
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
862
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G2 Stealer/GravityRAT CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?Value="; http_uri; content:"UserCode="; http_uri; distance:0; content:"MacId="; http_uri; distance:0; content:"HitDate="; http_uri; distance:0; content:"FingerPrint="; http_uri; distance:0; fast_pattern; content:"CurrentIp="; http_uri; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; content:!"Connection"; metadata: former_category TROJAN; reference:md5,6899c2219764bac56007ce80021bfcbf; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_2
863
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
864
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"POST"; http_method; content:".php?VALUE=2&Type="; http_uri; fast_pattern; content:"&SIGNATUREHASH="; http_uri; distance:0; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12015
865
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
866
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"GET"; http_method; content:"?Value=11&FileName="; http_uri; fast_pattern; content:"&FileSize="; http_uri; distance:0; content:"&Macid="; http_uri; distance:0; content:"&UserCode="; http_uri; distance:0; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12016
867
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
868
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1"; content:".bit"; http_host; isdataat:!1,relative; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/W"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12020
869
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
870
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M2"; content:".coin"; http_host; isdataat:!1,relative; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/W"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12021
871
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
872
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; dns_query; content:"ransomware.bit"; nocase; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12022
873
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
874
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; dns_query; content:"zonealarm.bit"; nocase; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_05_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12023
875
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
876
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; dns_query; content:"carder.bit"; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_05_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12024
877
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
878
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; nocase; isdataat:!1,relative; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; http_user_agent; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_accept; content:"*/*"; http_connection; content:"Keep-Alive"; http_content_len; byte_test:0,<,110,0,string,dec; http_header_names; content:!"Referer"; content:!"Accept-Encoding"; content:!"Content-Type"; metadata: former_category TROJAN; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T05
879
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
880
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns_query; content:"3whyfziey2vr41yq";depth:16; metadata: former_category TROJAN; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_07, malware_family Ransomware, updated_at 2018_05_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12027
881
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
882
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/U"; pcre:"/\.(?:bit|coin|sex|com|gandcrab\d*)$/W";content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http_user_agent; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Psi"; http_content_len; byte_test:0,>,4000,0,string,dec; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:67; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:trojan-activity; sid:2025455; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attac
883
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
884
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; dns_query; content:"y5mogzal2w25p6bn.ml"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_08, malware_family Ransomware, updated_at 2018_05_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12029
885
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
886
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; content:"POST"; http_method; content:".php?b="; http_uri; nocase; pcre:"/^[A-F0-9]{30}$/URi"; http_content_len; content:"0"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025164; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12032
887
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
888
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?cx="; http_uri; nocase; fast_pattern; content:"&b="; http_uri; nocase; distance:0; content:"&gt="; http_uri; nocase; distance:0; content:"&tx="; http_uri; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+&gt=[A-F0-9]+&tx=[A-F0-9]+$/Ui"; http_content_len; content:"0"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025163; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12033
889
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
890
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN InfoBot Sending Machine Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"infobot"; http_user_agent; depth:7; isdataat:!1,relative; content:"|7b 22|bits|22 3a 20 22|"; http_client_body; depth:10; content:"|22|cpun|22 3a 20 22|"; http_client_body; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12034
891
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
892
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN InfoBot Sending LAN Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; http_client_body; depth:12; fast_pattern; content:"|22 7d|"; http_client_body; distance:0; within:3; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12035
893
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
894
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unk.Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/check.php"; http_uri; isdataat:!1,relative; fast_pattern; content:"m="; http_client_body; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Psi"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:trojan-activity; sid:2025580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12036
895
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
896
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"data.php?id="; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?$/Hmi"; metadata: former_category TROJAN; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:trojan-activity; sid:2024239; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_14, malware_family Karmen_Ransomware, performance_impact Moderate, updated_at 2018_05_17;)" from file /usr/local/etc/suricata/suricata_5
897
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
898
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; metadata: former_category TROJAN; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:trojan-activity; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_18, updated_at 2018_05_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12039
899
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
900
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin via HTTP"; flow:established,to_server; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; http_user_agent; fast_pattern:21,20; metadata: former_category TROJAN; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:trojan-activity; sid:2021336; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2015_06_23, malware_family DDoS_XOR, performance_impact Low, updated_at 2018_05_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12040
901
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
902
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?generate="; http_uri; fast_pattern; content:"/-"; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,31d65e315115c823f619a381576984f8; classtype:trojan-activity; sid:2025586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_30, malware_family Aurora, malware_family OneKeyLocker, performance_impact Moderate, updated_at 2018_05_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12042
903
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
904
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; content:"POST"; http_method;  content:"/image/upload.php"; http_uri; fast_pattern; content:"filename=|22|"; http_client_body; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/PR"; http_header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12043
905
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
906
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27784
907
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
908
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/surica
909
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
910
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/?id="; http_uri; depth:5; content:"&pt="; http_uri; distance:0; within:20; fast_pattern; pcre:"/^[a-f0-9]{32}$/Vi"; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Pi"; http_content_type; content:"application/x-www-form-urlencoded"; http_header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:trojan-activity; sid:2025598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Dropper, signature_severity Major, created_at 2018_06_21, malware_family Autoit_NU, performance_impact Low, updated_a
911
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
912
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; content:"HEAD"; http_method; content:".php1"; http_uri; isdataat:!1,relative; fast_pattern; content:"Microsoft BITS/"; http_user_agent; content:!"Referer|3a|"; http_header; pcre:"/\/[0-9]{10}.php1$/U"; metadata: former_category TROJAN; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_06_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12059
913
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
914
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Remcos RAT Checkin 23"; flow:established,to_server; dsize:<500; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:trojan-activity; sid:2025637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, updated_at 2018_07_03;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12066
915
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
916
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; http_header; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http_header; content:"|20|MSIE|20|"; http_user_agent; http_header_names; content:!"Referer"; http_protocol; content:"HTTP/1.0"; flowbits:set,ET.Fareit.chk; metadata: former_category TROJAN; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:12; metadata:created_at 2012_03_22, updated_at 20
917
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
918
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Zeus P2P Variant Check-in"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/update"; http_uri; fast_pattern; pcre:"/^[a-z0-9]+\.(?:biz|com|net|org)/W"; http_header_names; content:!"User-Agent"; metadata: former_category TROJAN; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018667; rev:4; metadata:created_at 2014_07_11, updated_at 2017_03_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12068
919
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
920
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN [eSentire] Unknown Banker CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_07_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12071
921
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
922
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rostpay Downloader User-Agent"; flow:established,to_server; content:"Rostpay Downloader"; nocase; depth:18; isdataat:!1,relative; http_user_agent; metadata: former_category TROJAN; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12072
923
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
924
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26564
925
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
926
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-
927
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
928
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern; pcre:"/^(?:\?[0-9])?/UR"; pcre:"/\/wp-(?:content|admin|includes)\//U"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,adabe1b995e6633dee19fdd2fdc4957a; classtype:trojan-activity; sid:2021697; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Wordpress, signature_severity Major, created_at 2015_08_20, performance_impact Low, updated_at 2018_07_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12075
929
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
930
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AZORult Variant.4 Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"|4a 2f fb|"; fast_pattern; http_client_body; content:"|2f fb|"; http_client_body; depth:11; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,0ac55b5056364cdac63aaf05f9d7f654; reference:url,twitter.com/James_inthe_box/status/1020522733984100352?s=03; classtype:trojan-activity; sid:2025885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_23, malware_family AZORult, updated_at 2018_07_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12076
931
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
932
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; tls_sni; content:"www.cpuproc.com"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12077
933
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
934
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; tls_cert_subject; content:"CN=cpuproc.com"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_
935
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
936
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any 53 (msg:"ET TROJAN OilRig QUADAGENT DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|mail|06|"; distance:0; nocase; pcre:"/^\d{6}/Ri"; content:"|07|cpuproc|03|com|00|"; fast_pattern; distance:0; within:13; nocase; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr
937
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
938
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] Remcos RAT Checkin 24"; flow:established,to_server; dsize:<380; content:"|e8 ee 51 c7 05 29 cd 17 31 7b fd|"; depth:11; fast_pattern; content:"|55 47|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,98202283d7752779abd092665e80af71; classtype:trojan-activity; sid:2025921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2018_07_31, malware_family Remcos, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12081
939
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
940
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_B
941
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
942
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:<100; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata
943
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
944
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 4"; dns_query; content:"euiro8966.organiccrap.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025927; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12084
945
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
946
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 3"; dns_query; content:"kted56erhg.dynssl.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025926; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12085
947
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
948
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 2"; dns_query; content:"www.hosting.tempors.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12086
949
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
950
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27840
951
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
952
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 1"; dns_query; content:"jennifer998.lookin.at"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025924; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12087
953
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
954
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 5"; dns_query; content:"games.my-homeip.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12088
955
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
956
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aurora Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?generate="; http_uri; fast_pattern; content:"/"; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,2409c058a86cd8743abb10a5735ef487; classtype:trojan-activity; sid:2025931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_30, malware_family Aurora_Ransomware, performance_impact Moderate, updated_at 2018_08_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12089
957
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
958
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] Remcos RAT Checkin 25"; flow:established,to_server; dsize:<380; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; fast_pattern; content:"|35 03|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,41c292b0cb2a4662381635a3316226f4; classtype:trojan-activity; sid:2025984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_09, malware_family Remcos, updated_at 2018_08_09;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12090
959
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
960
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Associated with Lazarus Downloader (JEUSD)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|celasllc.com"; distance:1; within:13; fast_pattern; metadata: former_category TROJAN; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,blogs.360.cn/blog/apt-c-26/; classtype:trojan-activity; sid:2025990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Major, created_at 2018_08_15, malware_family JEUSD, performance_impact Low, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12091
961
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
962
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lazarus Downloader (JEUSD) CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a 20|form-data|3b| name=|22|upload|22 3b| filename=|22|temp.gif|22 0d 0a|"; http_client_body; fast_pattern:48,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,blogs.360.cn/blog/apt-c-26/; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; classtype:trojan-activity; sid:2025991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Critical, created_at 2018_08_15, malware_family JEUSD, performance_impact Low, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12092
963
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
964
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer Client Data Upload"; flow:established,to_server;  content:"POST"; http_method; content:"form-data|3b 20|name=|22|hwid|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|os|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|platform|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|user|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|pcount|22|"; http_client_body; nocase; disCLOG???
(1-1/2)