1
|
tance:0; content:"form-data|3b 20|name=|22|cccount|22|"; http_client_body; nocase; distance:0; metadata: former_category TROJAN; reference:md5,72bcbfd1020d002d2e20e0707b8ef700; classtype:trojan-activity; sid:2025431; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment P
|
2
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
3
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 11"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; urilen:1; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Referer|0d 0a|User-Agent"; metadata: former_category TROJAN; reference:md5,d110be58537aa8420a9c25f4879ca77b; classtype:trojan-activity; sid:2025993; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_15, malware_family Sharik, malware_family Smoke_Loader, malware_family SmokeLoader, updated_at 2
|
4
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
5
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; http_user_agent; depth:64; fast_pattern; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; content:!"|00 00|"; depth:30; http_client_body; content:"|00 00|"; offset:34; depth:2; http_clie
|
6
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
7
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 26"; flow:established,to_server; stream_size:server,=,1; content:"|5a 95 2a 22 4d 37 9e 51 83 55 8f|"; depth: 11; metadata: former_category TROJAN; reference:md5,8f8d778bea33bc542b58c0631cf9d7e0; classtype:trojan-activity; sid:2026004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Remcos, signature_severity Major, created_at 2018_08_21, updated_at 2018_08_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12104
|
8
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
9
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26618
|
10
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
11
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|27|Agency Protocols Management of Internet"; distance:1; within:40; content:"|55 04 03|"; distance:0; content:"|0d|bestylish.com"; distance:1; within:14; fast_pattern; metadata: former_category TROJAN; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022209; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2015_12_02, malware_family Bancos, malware_family DarkTequila, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12106
|
12
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
13
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26624
|
14
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
15
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 26"; flow:established,to_server; dsize:<500; content:"|24 8a 91 18 92 bb 4b 55 39 bc ed|"; depth:11; fast_pattern; content:"|c5 de|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,81cecc440bd57a736ef6e473e77d5a1b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026016; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12108
|
16
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
17
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 27"; flow:established,to_server; dsize:<500; content:"|bf 9b b2 d8 b7 a9 86 78 26 d6 10|"; depth:11; fast_pattern; content:"|0e 24|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,5c52234cf35ab8d08b10fcc3c2a9d32b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12109
|
18
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
19
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 28"; flow:established,to_server; dsize:<500; content:"|ea 7f 70 7a 80 7c 4a a9 1b 68 8e|"; depth:11; fast_pattern; content:"|81 9c|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,29a0d1bc5abfbbf0bdf15ffa762cac27; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.htm; classtype:trojan-activity; sid:2026018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12110
|
20
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
21
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 29"; flow:established,to_server; dsize:<500; content:"|5e 0d 10 db 92 bf 73 6c 7d 6f 5d|"; depth:11; fast_pattern; content:"|67 04|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,5cb07299cedd69f096b09358754831e0; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12111
|
22
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
23
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 30"; flow:established,to_server; dsize:<500; content:"|81 29 6b 48 7f c7 22 ec 9b 9e b6|"; depth:11; fast_pattern; content:"|d8 95|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,63d36de591491d04071b4dc0a39d5fab; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12112
|
24
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
25
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns_query; content:"bigboss.x24hr.com"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_23, malware_family BISKVIT, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12113
|
26
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
27
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN MSIL/BISKVIT DNS Lookup (secured-links .org)"; dns_query; content:"secured-links.org"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_23, malware_family BISKVIT, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12114
|
28
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
29
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:trojan-activity; sid:2019202; rev:4; metadata:created_at 2014_09_22, updated_at 2014_09_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12116
|
30
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
31
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.FakeEzQ.kr Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"MyAgent"; isdataat:!1,relative; http_user_agent; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,7afebc844a3313eb2a89b3028fbba7a6; reference:url,otx.alienvault.com/pulse/5b8844d6db17df1779153624; classtype:trojan-activity; sid:2026071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_31, updated_at 2018_08_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12118
|
32
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
33
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:100<>325; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"/index.php"; http_uri; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"desktopad.com"; http_header; content:!"DriverUpdate"; http_header; content:!"act=bkw9"; http_uri; nocase; content:!"mydlink.com"; http_header; content:!"remocam.com"; http_host; metadata: former_category TROJAN; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019378; rev:13; metadata:created_at 2014_10_09, updated_at 2018_09_03;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/su
|
34
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
35
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:established, to_server; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26650
|
36
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
37
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/BanloadDownloader.XZY Retrieving Payload"; flow:to_server,established; content:"GET"; http_method; content:"/sosdoudou_V3/"; http_uri; fast_pattern; content:"WinHttp.WinHttpRequest"; http_user_agent; content:!"Accept-"; http_header; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:md5,98376de10118892f0773617da137c2be; reference:md5,599ea45f5420f948e0836239eb3ce772; classtype:trojan-activity; sid:2024499; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_26, malware_family Banload, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12127
|
38
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
39
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Suspected Monero Miner CnC Channel TXT Lookup"; dns_query; content:".c2kgw8jt5869nspr4.com"; fast_pattern; threshold:type limit, track by_src, count 1, seconds 300; metadata: former_category TROJAN; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:trojan-activity; sid:2026097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_05, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12128
|
40
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
41
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Suspected Monero Miner CnC Channel Secondary Domain Lookup"; dns_query; content:"mylog.icu"; threshold:type limit, track by_src, count 1, seconds 300; metadata: former_category TROJAN; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:trojan-activity; sid:2026098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_05, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12129
|
42
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
43
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Aura Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"{KIARA}"; http_user_agent; fast_pattern; content:"id="; http_client_body; depth:3; content:"&guid="; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_06, malware_family Aura, performance_impact Moderate, updated_at 2018_09_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12130
|
44
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
45
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Eredel Stealer CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?hwid="; http_uri; content:"&os="; http_uri; content:"&cookie="; http_uri; content:"&pswd="; http_uri; fast_pattern; content:"&telegram="; http_uri; content:"&version=v"; http_uri; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,4b5e27e843e1b26aedec66f9e87c9960; classtype:trojan-activity; sid:2025982; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_17, malware_family Eredel, performance_impact Moderate, updated_at 2018_08_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12131
|
46
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
47
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"WAIT|20|"; depth:15; content:"CERT|20|"; fast_pattern; distance:0; within:20; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/RQi"; metadata: former_category TROJAN; reference:md5,20148e48668cb5e0b22d437ee0443cfe; reference:url,research.checkpoint.com/ramnits-network-proxy-servers/; classtype:trojan-activity; sid:2026113; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_14, malware_family Ramnit, performance_impact Low, updated_at 2018_09_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12133
|
48
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
49
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x57|5c|x53|5c|x63|5c|x72|5c|x69|5c|x70|5c|x74|5c|x2E|5c|x53|5c|x68|5c|x65|5c|x6C|5c|x6C"; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, signature_severity Major, created_at 2018_09_20, malware_family Xbash, performance_impact Low, updated_at 2018_09_20;)" from file /usr/local/etc
|
50
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
51
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded PowerShell Args Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x70|5c|x6F|5c|x77|5c|x65|5c|x72|5c|x73|5c|x68|5c|x65|5c|x6C|5c|x6C|5c|x2E|5c|x65|5c|x78|5c|x65"; content:"|5c|x2D|5c|x65|5c|x78|5c|x65|5c|x63|5c|x75|5c|x74|5c|x69|5c|x6F|5c|x6E|5c|x70|5c|x6F|5c|x6C|5c|x69|5c|x63|5c|x79|5c|x20|5c|x62|5c|x79|5c|x70|5c|x61|5c|x73|5c|x73"; distance:0; fast_pattern; content:"|5c|x2D|5c|x77|5c|x69|5c|x6E|5c|x64|5c|x6F|5c|x77|5c|x73|5c|x74|5c|x79|5c|x6C|5c|x65|5c|x20|5c|x68|5c|x69|5c|x64|5c|x64|5c|x65|5c|x6E"; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:20
|
52
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
53
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x73|5c|x79|5c|x73|5c|x74|5c|x65|5c|x6D|5c|x2E|5c|x6E|5c|x65|5c|x74|5c|x2E|5c|x77|5c|x65|5c|x62|5c|x63|5c|x6C|5c|x69|5c|x65|5c|x6E|5c|x74|5c|x29|5c|x2E|5c|x64|5c|x6F|5c|x77|5c|x6E|5c|x6C|5c|x6F|5c|x61|5c|x64|5c|x66|5c|x69|5c|x6C|5c|x65|5c|x28"; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Coinminer, tag Worm, tag Destructive,
|
54
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
55
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Scarsi Variant CnC Activity"; flow:to_server,established; content:"/WP"; http_uri; content:".php"; distance:0; within:50; http_uri; isdataat:!1,relative; content:"Content-Length|3a 20|"; http_header; byte_test:1,>,0x30,0,relative; content:!"Referer|3a 20|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|3b| Charset=UTF-8|0d 0a|"; http_header; fast_pattern:44,20; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/Ui"; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/Psi"; metadata: former_category TROJAN; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:trojan-activity; sid:2024758; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, performance_impact Low, updated
|
56
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
57
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MS_D0wnl0ad3r Screenshot Upload"; flow:to_server,established; content:"POST"; http_method; content:"boundary=MS_D0wnl0ad3r"; http_header; metadata: former_category TROJAN; reference:md5,f40248a592ed711d95eb8b48b31a1ed8; classtype:trojan-activity; sid:2026361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_24, malware_family Downloader, updated_at 2018_09_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12150
|
58
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
59
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Reaper (APT37) DNS Lookup (kmbr1 .nitesbr1 .org)"; dns_query; content:"kmbr1.nitesbr1.org"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:trojan-activity; sid:2026432; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT37, tag Reaper, signature_severity Major, created_at 2018_10_01, malware_family Final1stspy, malware_family DOGCALL, performance_impact Low, updated_at 2018_10_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12156
|
60
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
61
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Final1stspy CnC Checkin (Reaper/APT37 Stage 1 Payload)"; flow:established,to_server; content:"GET"; http_method; content:".php?MachineId="; http_uri; content:"&InfoSo="; http_uri; distance:0; content:"&Index="; http_uri; distance:0; content:"&Account="; http_uri; distance:0; content:"&List="; http_uri; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/RUi"; content:"Host|20|Process|20|Update"; http_user_agent; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:trojan-activit
|
62
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
63
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server;stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; metadata: former_category TROJAN; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:trojan-activity; sid:2026433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_02, malware_family Remcos, updated_at 2018_10_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12158
|
64
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
65
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; content:"GET"; http_method; content:"client?mac_address="; http_uri; content:"&agent_id="; http_uri; distance:0; content:"agent_file_version"; content:"cpprestsdk/"; http_user_agent; fast_pattern; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:trojan-activity; sid:2026435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_04, malware_family ActiveAgent, updated_at 2018_10_04;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12159
|
66
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
67
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.YordanyanActiveAgent Generic CnC Pattern"; flow:established,to_server; content:"/rest/v"; http_uri; content:"/clients/client?"; http_uri; distance:0; content:"&agent_id="; http_uri; distance:0; fast_pattern; content:!"Mozilla"; http_user_agent; content:!"Referer"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:trojan-activity; sid:2026436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_04, malware_family ActiveAgent, updated_at 2018_10_04;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12160
|
68
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
69
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=www.windowsdriversupd.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:trojan-activity; sid:2026467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_10, malware_family Gadwats, performance_impact Low, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12168
|
70
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
71
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=www.windowswsusonline.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:trojan-activity; sid:2026468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_10, malware_family Gadwats, performance_impact Low, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12169
|
72
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
73
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)"; flow:from_server,established; dsize:11; content:"DOWNLOAD1|0d 0a|"; depth:11; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12172
|
74
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
75
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kraken Ransomware Start Activity 1"; flow:established,to_server; content:!"."; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; content:"-"; offset:2; depth:1; http_user_agent; content:"|3a|Begin"; distance:0; http_user_agent; isdataat:!1,relative; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/V"; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_11, malware_family Kraken_Ransomware, performance_impact Moderate, updated_at 2018_10_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at li
|
76
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
77
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kraken Ransomware End Activity"; flow:established,to_server; content:!"."; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; content:"-"; offset:2; depth:1; http_user_agent; content:"|3a|End"; distance:0; http_user_agent; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/V"; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_11, malware_family Kraken_Ransomware, performance_impact Moderate, updated_at 2018_10_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12175
|
78
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
79
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 3d 66|"; depth:11; metadata: former_category TROJAN; reference:md5,f9dbf2c028d3ad58328c190a6adb3301; classtype:trojan-activity; sid:2026509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12191
|
80
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
81
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 35 bb|"; depth:11; metadata: former_category TROJAN; reference:md5,8e99866b89e9349c21b34e6575f2412f; classtype:trojan-activity; sid:2026510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12192
|
82
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
83
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; metadata: former_category TROJAN; reference:md5,24bf188785e18db8fcb7dfa50363b3f5; classtype:trojan-activity; sid:2026511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12193
|
84
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
85
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 b5 91|"; depth:11; metadata: former_category TROJAN; reference:md5,98a010ad867f4c36730cc6a87c94528c; classtype:trojan-activity; sid:2026512; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12194
|
86
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
87
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; metadata: former_category TROJAN; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:trojan-activity; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12195
|
88
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
89
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".online"; http_host; isdataat:!1,relative; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12196
|
90
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
91
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".club"; http_host; fast_pattern; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12197
|
92
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
93
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Fake 404 Response"; flow:established,to_client; content:"200"; http_stat_code; flowbits:isset,ET.xls.dde.drop; file_data; content:"<h1>404 Not Found</h1><span>The resource requested could not be found on this server!</span>"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12198
|
94
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
95
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.live)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".live|0d 0a|Conne"; http_header; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_17, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12199
|
96
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
97
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/imageload.cgi"; fast_pattern; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/Ps"; metadata: former_category TROJAN; reference:md5,40ebefdec6870263827ce6425702e785; classtype:trojan-activity; sid:2026517; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Locky, signature_severity Major, created_at 2018_10_17, updated_at 2018_10_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12201
|
98
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
99
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; metadata: former_category TROJAN; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_18, malware_family CaratRAT, performance_impact Low, updated_at 2018_10_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12203
|
100
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
101
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zebrocy Backdoor CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php?"; http_uri; content:"Mozilla v5.1 (Windows NT 6.1|3b 20|rv|3a|6.0.1) Gecko/20100101 Firefox/6.0.1"; http_user_agent; fast_pattern; content:"%0D%0AHost%20Name|3a|"; http_client_body; pcre:"/^(?:\d{1,3}\.)\d{1,3}$/W"; metadata: former_category TROJAN; reference:md5,961e79a33f432ea96d2c8bf9eb010006; classtype:trojan-activity; sid:2026527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Zebrocy, signature_severity Major, created_at 2018_10_19, updated_at 2018_10_19;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12204
|
102
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
103
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/"; http_uri; depth:9; content:"/true/true/done"; http_uri; distance:0; fast_pattern; isdataat:!1,relative; content:"WinHttp.WinHttpRequest."; http_user_agent; http_header_names; content:"Referer"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag VBS, signature_severity Major, created_at 2018_10_24, malware_family Sidewinder, performance_impact Low, updated_at 20
|
104
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
105
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA CnC Domain Observed in SNI (samwinchester .club)"; flow:established,to_server; tls_sni; content:"samwinchester.club"; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026546; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12206
|
106
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
107
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/api/hazard/"; http_uri; depth:12; fast_pattern; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; threshold:type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026547; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performa
|
108
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
109
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Response M1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"common|20|soon"; depth:11; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026548; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12208
|
110
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
111
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Response M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"loub"; depth:4; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026549; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12209
|
112
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
113
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA Sending JPG Screenshot to CnC with .his Extension"; flow:established,to_server; content:"POST"; http_method; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; content:"name=|22|kerna|22 3b 20|filename"; http_client_body; fast_pattern; content:".his|22 0d 0a|"; http_client_body; distance:0; within:20; content:"|0d 0a 0d 0a ff d8 ff|"; http_client_body; distance:0; content:"JFIF"; http_client_body; distance:0; within:15; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026550; rev:1; metadata:affected_product Windo
|
114
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
115
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version"; flow:established,to_server; content:"POST"; http_method; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; content:"|3a|1.0.2|0d 0a 2d 2d 2d 2d 2d|"; http_client_body; fast_pattern; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; threshold:type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026551; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major
|
116
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
117
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible APT28 DOC Uploader SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_serial; content:"03:04:FF:5D:C9:BB:AC:50:C1:7B:3E:4C:1C:68:26:15:F0:3E"; tls_cert_subject; content:"CN=mvtband.net"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category TROJAN; reference:md5,9b10685b774a783eabfecdb6119a8aa3; classtype:trojan-activity; sid:2026539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT28, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12212
|
118
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
119
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible DarkTequila SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_serial; content:"00:ED"; tls_cert_subject; content:"C=US, ST=OH, O=International Security Depart, CN=the-ebooks-store.com/emailAddress=contact@infws.com"; tls_cert_issuer; content:"O=International Security Depart, emailAddress=contact@infws.com, L=Greater Cleveland, ST=OH, C=US, CN=International Security Depart Ca"; metadata: former_category TROJAN; reference:md5,9fbdc5eca123e81571e8966b9b4e4a1e; classtype:trojan-activity; sid:2026540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DarkTequila, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12213
|
120
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
121
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware Initial Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:".php?check"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^\/d[0-9]?\.php\?check$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_seve
|
122
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
123
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Server Request"; flow:established,to_server; content:"GET"; http_method; content:".php?servers"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^\/d[0-9]?\.php\?servers$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity
|
124
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
125
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Server Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:".php?check="; http_uri; fast_pattern; pcre:"/^\/[a-z]\.php\?check=[a-f0-9]{32}$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Ma
|
126
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
127
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php?query="; http_uri; fast_pattern; content:"eyJpZCI6"; http_client_body; pcre:"/^\/[a-z]\.php\?query=[a-f0-9]{32}$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_content_type; content:"multipart/form-data|3b|"; http_protocol; content:"HTTP/1.0"; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Major, created_at 2018_10_24,
|
128
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
129
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Sharik/Smoke Fake 404 Response with Payload Location"; flow:established,from_server; content:"404"; http_stat_code; file_data; content:"|00 00|Location|3a 20|"; depth:12; fast_pattern; metadata: former_category TROJAN; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026556; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Fake_404, signature_severity Major, created_at 2018_10_25, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, updated_at 2018_10_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12218
|
130
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
131
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Requesting Redirect/Inject List"; flow:established,to_server; content:"GET"; http_method; content:"/red/info.php"; http_uri; depth:13; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/surica
|
132
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
133
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"REDIR|3b|"; depth:6; content:"|7c 2d 7c|http"; distance:0; within:50; fast_pattern; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026563; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12220
|
134
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
135
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Receiving Exit Instruction"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"EXIT|3b|"; depth:5; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12221
|
136
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
137
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrueBot/Silence.Downloader CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|C|3a 5c|"; http_client_body; content:".DAT|22 3b 0d 0a|"; http_client_body; distance:0; content:"|0d 0a|Host Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; content:"|0d 0a|OS Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; content:"|0d 0a|OS Version|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity
|
138
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
139
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrueBot/Silence.Downloader Keep-Alive"; flow:established,to_server; content:"GET"; http_method; content:".php?dns="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{8}$/RUs"; http_header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026560; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_29, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12223
|
140
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
141
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.BackNet Checkin"; flow:established,to_server; content:"POST"; http_method; content:"data=%7B%22host_key%22%3A%22"; http_client_body; depth:28; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,aebb382b54e1521ad1309f66d29a1d1c; classtype:trojan-activity; sid:2026572; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_02, malware_family Stealer, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12226
|
142
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
143
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Lordix Stealer Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php?hw="; http_uri; content:"&ps="; http_uri; distance:0; content:"&ck="; http_uri; distance:0; content:"&fl="; http_uri; distance:0; content:"log.txt"; http_client_body; content:"cookies/Chrome_Cookies.txt"; http_client_body; distance:0; fast_pattern; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026571; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, tag Stealer, signature_severity Major, created_at 2018_11_02, malware_family Lordix, performance_impact Low, updated_at
|
144
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
145
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?anti="; http_uri; content:"&cliname="; http_uri; distance:0; fast_pattern; http_accept; content:"*/*"; isdataat:!1,relative; http_accept_enc; content:"gzip, deflate"; isdataat:!1,relative; http_header_names; content:"User-Agent"; content:!"Cache"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,e15b3d2c39888fe459dc2d9c8dec331d; classtype:trojan-activity; sid:2026575; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rul
|
146
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
147
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten Shellcode Communicating with CnC"; flow:established,to_server; dsize:<150; content:"|16 03|"; depth:2; content:"|00|"; distance:1; within:1; content:"|01 00 00|"; distance:1; within:3; content:"|03|"; distance:1; within:1; content:"|5b e0 37|"; distance:1; within:3; fast_pattern; content:"|00|"; distance:0; content:"|00|"; distance:1; within:1; content:"|00|"; distance:1; within:1; threshold: type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,a60f127a06e5b3dcacd1ec346f7995c5; classtype:trojan-activity; sid:2026576; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33_CharmingKitten, tag Shellcode, signature_severity Major, created_at 2018_11_05, malware_family Shellcode, performan
|
148
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
149
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten Retrieving New Payload (flowbit set)"; flow:established,to_server; content:"GET"; http_method; content:"/images/static/content/"; http_uri; depth:23; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Cache"; content:!"Accept"; content:!"Referer"; flowbits:set,ET.APT33CharmingKitten.1; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_12_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12230
|
150
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
151
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT33/CharmingKitten Encrypted Payload Inbound"; flow:established,from_server; content:"200"; http_stat_code; content:"|0d 0a|CacheControl|3a 20|"; http_header; fast_pattern; file_data; pcre:"/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i"; flowbits:isset,ET.APT33CharmingKitten.1; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12231
|
152
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
153
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; metadata: former_category TROJAN; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:trojan-activity; sid:2026579; rev:1; metadata:attack_target Client_and_Server, deployment Perimeter, tag Perl, signature_severity Major, created_at 2018_11_05, malware_family Shellbot_SM, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12232
|
154
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
155
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; tls_cert_subject; content:"CN=new.young-spencer.com"; fast_pattern; metadata: former_category TROJAN; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_27, malware_family MICROPSIA, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12233
|
156
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
157
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1"; dns_query; content:"mynetwork.ddns.net"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026573; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12235
|
158
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
159
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2"; dns_query; content:"mypsh.ddns.net"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12236
|
160
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
161
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12237
|
162
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
163
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12238
|
164
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
165
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12239
|
166
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
167
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12240
|
168
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
169
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12241
|
170
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
171
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12242
|
172
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
173
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 12"; flow:established,to_server; content:"POST"; http_method; urilen:<6; content:"/"; http_uri; isdataat:!1,relative; content:!"."; http_uri; content:!"&"; http_uri; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; depth:2; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Host|0d 0a|Referer|0d 0a|User-Agent"; metadata: former_category TROJAN; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, cr
|
174
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
175
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12244
|
176
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
177
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12245
|
178
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
179
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ArrobarLoader CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"4RR0B4R 4 X0T4 D4 TU4 M4E"; http_user_agent; fast_pattern; content:"0"; http_client_body; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,3d7436bcf635a7e56a785c9d26ed3767; classtype:trojan-activity; sid:2026528; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loader, signature_severity Major, created_at 2018_02_07, malware_family ArrobarLoader, performance_impact Low, updated_at 2018_11_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12246
|
180
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
181
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.Kraken.v2 HTTP Pattern"; flow:established,to_server; content:"Kraken web request agent/"; http_user_agent; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,e1aee9ef64d71e0c9bb8eee9742efdef; reference:url,securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/; classtype:trojan-activity; sid:2026588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2018_11_09, malware_family Ransomware, malware_family Kraken_Ransomware, updated_at 2018_11_09;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12247
|
182
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
183
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; fast_pattern; metadata: former_category TROJAN; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_18, malware_family BlackCarat, performance_impact Low, updated_at 2018_11_12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12249
|
184
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
185
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkGate CNC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"id="; http_client_body; depth:3; content:"&data="; http_client_body; distance:0; content:"&action="; http_client_body; distance:0; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|Synapse|29|"; http_user_agent; isdataat:!1,relative; fast_pattern; flowbits:set,ET.DarkGate.1; http_protocol; content:"HTTP/1.0"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026629; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_11_19, malware_family DarkGate, performance
|
186
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
187
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkGate CnC Requesting Data Exfiltration from Bot"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"getbotdata"; depth:10; fast_pattern; isdataat:!1,relative; flowbits:isset,ET.DarkGate.1; metadata: former_category TROJAN; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_11_19, malware_family DarkGate, performance_impact Low, updated_at 2018_11_19;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12263
|
188
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
189
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SC.Backdoor/TeleRAT Checkin"; flow:to_server,established; content:".php?a="; http_uri; content:"&b="; http_uri; distance:0; content:"&c="; http_uri; distance:0; content:"Windows|20|"; http_uri; distance:0; fast_pattern; content:"&d="; http_uri; distance:0; content:"&e="; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,a1bdb1889d960e424920e57366662a59; classtype:trojan-activity; sid:2026641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_21, malware_family RAT, updated_at 2018_11_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12278
|
190
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
191
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN L0rdix Stealer CnC Sending Screenshot"; flow:established,to_server; content:"POST"; http_method; content:".php?h="; http_uri; fast_pattern; content:"&o="; http_uri; content:"&c="; http_uri; content:"&g="; http_uri; content:"&w="; http_uri; content:"&p="; http_uri; content:"&r="; http_uri; content:"&f="; http_uri; content:"&rm="; http_uri; content:"&d="; http_uri; content:"img="; http_client_body; depth:4; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026670; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_28, malware_family L0rdix, performance_impact
|
192
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
193
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN L0rdix Stealer CnC Data Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php?hw="; http_uri; fast_pattern; content:"&ps="; http_uri; content:"&ck="; http_uri; content:"&fl="; http_uri; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_28, malware_family L0rdix, performance_impact Moderate, updated_at 2018_11_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line
|
194
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
195
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28146
|
196
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
197
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query for DNSpionage CnC Domain"; dns_query; content:".0ffice36o.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,c00c9f6ebf2979292d524acff19dd306; classtype:trojan-activity; sid:2026557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNSpionage, tag DNS_tunneling, signature_severity Major, created_at 2018_10_26, updated_at 2018_10_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12290
|
198
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
199
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Critroni outbound connection"; flow:to_server,established; dsize:174; urilen:1; content:"/"; http_uri; content:"Host|3A| ip.telize.com|0D 0A|Accept|3A| */*|0D 0A|User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/31.0.1650.63 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3c92d7a9dead6011f3c99829c745c384dd776d88f57bbd60bc4f9d66641819b/analysis/; classtype:trojan-activity; sid:31718; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26912
|
200
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
201
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro outbound connection"; flow:to_server,established; dsize:<200; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/"; http_header; content:"ompatible|3B| MSIE 31|3B| "; within:20; distance:6; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c716890a2a76785d53e8f9a5db2268501a30df807df4c4323967672efe452c/analysis/; classtype:trojan-activity; sid:31813; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26935
|
202
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
203
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IcedID WebSocket Request"; flow:established,to_server; content:"GET"; http_method; content:"/data2.php?"; http_uri; pcre:"/^[A-F0-9]{16}$/UR"; content:"Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; http_header; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,b17a729efb71d1781405c6c00052c85e; classtype:trojan-activity; sid:2026673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_29, malware_family IcedID, updated_at 2018_12_12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12325
|
204
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
205
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; content:"User-Agent|3A 20|zeroup"; http_header; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:2; metadata:created_at 2012_05_25, updated_at 2012_05_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12363
|
206
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
207
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; content:"DownloadMR"; nocase; depth:10; http_user_agent; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2013_05_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12374
|
208
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
209
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; content:"&data="; within:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea/analysis/; classtype:trojan-activity; sid:32311; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27026
|
210
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
211
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow:established,to_server; content:"User-Agent|3a| AV1|0d 0a|"; http_header; metadata: former_category TROJAN; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:9; metadata:created_at 2010_07_30, updated_at 2017_10_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12497
|
212
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
213
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28344
|
214
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
215
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27094
|
216
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
217
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27095
|
218
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
219
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:1; distance:8; http_uri; content:"Host:"; http_header; content:":8080"; within:30; http_header; content:"POST"; http_method; dsize:<480; pcre:"/^\/[a-f0-9]{8}\/[a-f0-9]{8}\/$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94/analysis/; classtype:trojan-activity; sid:32770; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27110
|
220
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
221
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Aura Ransomware User-Agent"; flow:established,to_server; content:"{KIARA}"; http_user_agent; depth:7; isdataat:!1,relative; fast_pattern; metadata: former_category USER_AGENTS; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_06, malware_family Aura, performance_impact Moderate, updated_at 2018_09_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12575
|
222
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
223
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSIL/Peppy User-Agent"; flow:established,to_server; content:"onedru/"; http_user_agent; depth:7; isdataat:!1,relative; fast_pattern; metadata: former_category USER_AGENTS; reference:md5,ebffb046d0e12b46ba5f27c0176b01c5; classtype:trojan-activity; sid:2026101; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_07, malware_family Peppy, performance_impact Moderate, updated_at 2018_09_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12576
|
224
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
225
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (IEhook)"; flow:established,to_server; content:"IEhook"; http_user_agent; depth:6; isdataat:!1,relative; fast_pattern; metadata: former_category USER_AGENTS; reference:md5,f0483493bcb352bd2f474b52f3b2f273; classtype:trojan-activity; sid:2026558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Minor, created_at 2018_10_26, performance_impact Low, updated_at 2018_10_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12582
|
226
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
227
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28442
|
228
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
229
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12606
|
230
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
231
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28443
|
232
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
233
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28444
|
234
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
235
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27171
|
236
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
237
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
238
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27199
|
239
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at l
|
240
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
241
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById|28|"; nocase; content:"id.getAttributeNode|28|"; nocase; distance:0; content:"attribute.childNodes"; nocase; distance:0; content:"document.body.removeChild|28|"; nocase; distance:0; content:"attribute.removeChild|28|"; fast_pattern; nocase; distance:0; reference:bid,40642; reference:cve,2010-1119; classtype:attempted-user; sid:2012509; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_03_16, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12644
|
242
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
243
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at l
|
244
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
245
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12663
|
246
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
247
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28527
|
248
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
249
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern:only; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12665
|
250
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
251
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern:only; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_06_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12666
|
252
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
253
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata
|
254
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
255
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12669
|
256
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
257
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|D2 60 38 40 BA 03 14 0E|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12670
|
258
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
259
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12671
|
260
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
261
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12672
|
262
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
263
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/mfc71"; http_uri; nocase; pcre:"/mfc71[a-z]{2,3}\x2Edll/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12673
|
264
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
265
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_11_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12674
|
266
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
267
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_08_17, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12676
|
268
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
269
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line
|
270
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
271
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_01_14, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12679
|
272
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
273
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_04_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at li
|
274
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
275
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_En
|
276
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
277
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2011_07_11, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12753
|
278
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
279
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2012_03_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12756
|
280
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
281
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AAEH variant outbound connection"; flow:to_server,established; urilen:<15; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)"; fast_pattern:only; content:"Host: "; nocase; http_header; content:"|3A|"; within:16; http_header; content:!"Referer: "; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0ccade380fd3a9ef7635e5c4e54b82c4ccd434c0bc3bbf76af3a99d744a1c5e7/analysis/; classtype:trojan-activity; sid:34246; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27341
|
282
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
283
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28751
|
284
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
285
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 28780
|
286
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
287
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:to_server,established; uricontent:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/Ui"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,doc.emergingthreats.net/2009678; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12905
|
288
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
289
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27590
|
290
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
291
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27594
|
292
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
293
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27595
|
294
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
295
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27664
|
296
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
297
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27738
|
298
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
299
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/surica
|
300
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
301
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 27794
|
302
|
Dec 13 01:25:08 charon suricata[33142]: [100139] <Notice> -- rule reload complete
|
303
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
304
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29239
|
305
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
306
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29240
|
307
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
308
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; metadata: former_category WEB_SERVER; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag WebShell, signature_severity Major, created_at 2018_09_20, malware_family SJavaWebManage, performance_impact Low, updated_at 2018_09_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 13303
|
309
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
|
310
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29269
|
311
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
312
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
|
313
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; metadata: former_category WEB_SERVER; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag WebShell, signature_severity Major, created_at 2018_09_20, malware_family SJavaWebManage, performance_impact Low, updated_at 2018_09_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 13304
|
314
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29270
|
315
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
316
|
Dec 13 01:25:08 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Access"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"|22|os.name|22|"; distance:0; content:"|22|/bin/sh|22|"; distance:0; content:"getRuntime|28 29|.exec|28|"; fast_pattern; metadata: former_category WEB_SERVER; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026336; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag WebShell, signature_severity Major, created_at 2018_09_20, malware_family SJavaWebManage, performance_impact Low, updated_at 2018_09_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 13305
|
317
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
318
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28100
|
319
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
320
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28298
|
321
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
322
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29803
|
323
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
324
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28396
|
325
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
326
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28397
|
327
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
328
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28398
|
329
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
330
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29869
|
331
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
332
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29870
|
333
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
334
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29871
|
335
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
336
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 29872
|
337
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
338
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28481
|
339
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
340
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28705
|
341
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
342
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 28734
|
343
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
344
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30208
|
345
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
|
346
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30339
|
347
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
|
348
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30340
|
349
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
350
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30389
|
351
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
|
352
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30413
|
353
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
|
354
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30414
|
355
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
356
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30513
|
357
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
358
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30558
|
359
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
360
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30559
|
361
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
362
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29193
|
363
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
364
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29194
|
365
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
|
366
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29223
|
367
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
|
368
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29224
|
369
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
|
370
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30683
|
371
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
372
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30709
|
373
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
374
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 30710
|
375
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
376
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29757
|
377
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
378
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29823
|
379
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
380
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29824
|
381
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
382
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29825
|
383
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
384
|
Dec 13 01:25:08 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 29826
|
385
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
386
|
Dec 13 01:25:08 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31221
|
387
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
388
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30162
|
389
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
390
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31369
|
391
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
|
392
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30293
|
393
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
|
394
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30294
|
395
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
396
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30343
|
397
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
|
398
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30367
|
399
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
|
400
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30368
|
401
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
|
402
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31542
|
403
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
404
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30467
|
405
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
406
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30512
|
407
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
408
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30513
|
409
|
Dec 13 01:25:09 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
410
|
Dec 13 01:25:09 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/cacti/utilities.php"; nocase; uricontent:"tail_lines="; nocase; uricontent:"message_type="; nocase; uricontent:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,42575; reference:cve,2010-2544; reference:cve,2010-2545; classtype:web-application-attack; sid:2011423; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 14871
|
411
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
412
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 31634
|
413
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
|
414
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30637
|
415
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
416
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30663
|
417
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
418
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 30664
|
419
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210042, gid 1: unknown rule
|
420
|
Dec 13 01:25:09 charon suricata[27331]: [100669] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210044, gid 1: unknown rule
|
421
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
422
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31175
|
423
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
424
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31323
|
425
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
|
426
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31496
|
427
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
428
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 31588
|
429
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210042, gid 1: unknown rule
|
430
|
Dec 13 01:25:09 charon suricata[31827]: [100148] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210044, gid 1: unknown rule
|
431
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
432
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SPECIFIC_APPS Oracle Fusion Middleware BPEL Console Cross Site Scripting"; flow:established,to_server; content:"/BPELConsole/default/processLog.jsp"; nocase; depth:50; content:"processName="; nocase; within:100; pcre:"/processName\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,43954; reference:cve,2010-3581; classtype:attempted-admin; sid:2011860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2010_10_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17191
|
433
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
434
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; content:"awstats.cgi"; nocase; http_uri; content:"config="; nocase; http_uri; content:"pluginmode=rawlog"; nocase; http_uri; content:"configdir=|5C 5C|"; nocase; http_uri; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:2; metadata:created_at 2011_02_28, updated_at 2011_02_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17248
|
435
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
436
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf/WebMessage"; nocase; http_uri; content:"OpenView"; nocase; http_uri; content:"messageString="; nocase; http_uri; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17249
|
437
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
438
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; content:"stconf.nsf"; nocase; http_uri; content:"unescape"; nocase; fast_pattern; http_uri; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/Ui"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_02_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17250
|
439
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
440
|
Dec 13 01:25:10 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; http_uri; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/Ui"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2011_05_02, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17448
|
441
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
442
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter XSS Attempt"; flow:established,to_server; content:"/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; nocase; http_uri; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; classtype:web-application-attack; sid:2012919; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17486
|
443
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
444
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; content:"/hpdiags/frontend2/help/search.php?query="; http_uri; nocase; pcre:"/query\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:2; metadata:created_at 2011_06_08, updated_at 2011_06_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17496
|
445
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
446
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/nagios/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; fast_pattern; http_uri; nocase; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17518
|
447
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
448
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; content:"TRACE"; http_method; content:".jsf"; nocase; http_uri; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:3; metadata:created_at 2011_06_08, updated_at 2011_06_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 17979
|
449
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
450
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_24, updated_at 2017_05_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18008
|
451
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
452
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/sessions?path="; nocase; http_uri; content:"orderby="; nocase; http_uri; pcre:"/orderby\x3D.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013118; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag XSS, tag Cross_Site_Scripting, signature_severity Major, created_at 2011_06_24, updated_at 2017_05_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18009
|
453
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
454
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; content:"/wg.txt"; http_uri; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:2; metadata:created_at 2012_03_19, updated_at 2012_03_19;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18112
|
455
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
456
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:trojan-activity; sid:2017404; rev:3; metadata:created_at 2013_08_30, updated_at 2013_08_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18113
|
457
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
458
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> any $HTTP_PORTS (msg:"BROWSER-IE Microsoft Internet Explorer XSS filter bypass attempt"; flow:to_server,established; content:"%253C"; fast_pattern:only; content:"%253C"; nocase; http_raw_uri; content:"%253E"; distance:4; nocase; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2014-6365; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-080; classtype:web-application-attack; sid:32710; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18562
|
459
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
460
|
Dec 13 01:25:11 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated"; flow:to_client,established; dsize:<2056; file_data; content:"CollectGarbage"; fast_pattern:only; content:"createElement"; nocase; content:"cloneNode"; within:128; nocase; content:"clearAttributes"; within:128; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2009-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-002; classtype:attempted-user; sid:16339; rev:13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 18949
|
461
|
Dec 13 01:25:12 charon suricata[27331]: [100669] <Notice> -- rule reload complete
|
462
|
Dec 13 01:25:12 charon suricata[35382]: [100163] <Warning> -- [ERRCODE: SC_ERR_RUNMODE(187)] - Can't use 'replace' keyword in non IPS mode: drop tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,6503,6504] (msg:"CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt"; flow:established,to_server; content:"|05 00 0B|"; content:"NTLMSSP|00 01 00 00 00|"; distance:0; content:"|0A 06 00 00|"; within:4; distance:-20; replace:"|0A 02 00 00|"; metadata:policy max-detect-ips drop; classtype:protocol-command-decode; sid:18469; rev:7;)
|
463
|
Dec 13 01:25:13 charon suricata[31827]: [100148] <Notice> -- rule reload complete
|
464
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
465
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39309; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23108
|
466
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
467
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39308; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23109
|
468
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
469
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|127.0.0.1"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|127.0.0.1"; distance:0; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39543; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23176
|
470
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
471
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|localhost"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|localhost"; distance:0; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39540; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23179
|
472
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
|
473
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46261; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23474
|
474
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
|
475
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46260; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23475
|
476
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
477
|
Dec 13 01:25:13 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; http_client_body; byte_extract:4,6,offset,relative,big; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40244; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 23720
|
478
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
479
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45822; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26148
|
480
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
481
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45821; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26149
|
482
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
483
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45820; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26150
|
484
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
485
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45819; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26151
|
486
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
|
487
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_server; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-1000035; classtype:attempted-user; sid:47587; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26279
|
488
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
|
489
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_client; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000035; classtype:attempted-user; sid:47586; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26280
|
490
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
|
491
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47683; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26285
|
492
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
|
493
|
Dec 13 01:25:14 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47682; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 26286
|
494
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
495
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27235
|
496
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
497
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27236
|
498
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
499
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27237
|
500
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
501
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27238
|
502
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
503
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27239
|
504
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
505
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt"; flow:to_client,established; file_data; content:"Content-"; nocase; http_header; content:"rfc822"; within:50; nocase; http_header; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:41714; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27436
|
506
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
507
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27635
|
508
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
509
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27753
|
510
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
511
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27754
|
512
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
513
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27755
|
514
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
515
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 27820
|
516
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
517
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28047
|
518
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
519
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:16; dsize:29; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|10 00|"; within:2; distance:14; byte_extract:1,0,memoryAddr,relative,multiplier 257; byte_test:2,=,memoryAddr,0,relative; byte_test:2,=,memoryAddr,1,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:36877; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28172
|
520
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
521
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28220
|
522
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
523
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28221
|
524
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
|
525
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28250
|
526
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
|
527
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28251
|
528
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
|
529
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Certification service XSS attempt"; flow:to_server,established; content:"certfnsh|2E|asp"; nocase; http_uri; content:"TargetStoreFlagsObserve"; nocase; http_client_body; pcre:"/^=[^\s\x26]*[\x3C\x3E\x22\x27\x28\x29]/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-051; classtype:attempted-user; sid:19186; rev:10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 28444
|
530
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
|
531
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; content:"/axis2-admin/login"; fast_pattern:only; http_uri; content:"userName=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45625; reference:cve,2010-0219; classtype:default-login-attempt; sid:18985; rev:11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29027
|
532
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
533
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29147
|
534
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
535
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29337
|
536
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
537
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29338
|
538
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
539
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:11971; rev:7;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29339
|
540
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
541
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"|0D 0A 0D 0A|"; content:!"Contact"; nocase; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21101; rev:7;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29344
|
542
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
543
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server,established; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:20425; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29345
|
544
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
545
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server,established; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20392; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29346
|
546
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
547
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop; reference:cve,2008-1289; classtype:misc-attack; sid:20391; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29347
|
548
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
549
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server,established; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:20390; rev:8;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29348
|
550
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
551
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server,established; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:20381; rev:7;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29349
|
552
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
553
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq buffer overflow attempt"; flow:to_server,established; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^CSeq\x3a\s+[^\r\n]{25}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,13504; reference:bugtraq,15711; reference:bugtraq,18906; reference:bugtraq,36015; reference:cve,2005-1461; reference:cve,2005-4050; reference:cve,2006-3524; reference:cve,2009-2726; reference:nessus,18986; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:16351; rev:11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29352
|
554
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
555
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Attribute header rtpmap field invalid payload type"; flow:to_server; content:"a=rtpmap|3A|"; nocase; byte_test:9,>,256,0,relative,string; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,28308; reference:cve,2008-1289; reference:url,www.asterisk.org/node/48466; classtype:attempted-user; sid:13693; rev:12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29353
|
556
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
557
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field"; flow:to_server; content:"Remote-Party-ID|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\s+[^\r\n]+\x40[^\r\n]*?[\x80-\xFF]/Hsmi"; metadata:policy max-detect-ips drop; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/en/US/products/products_security_response09186a00808075ad.html; classtype:attempted-admin; sid:13664; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29354
|
558
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
559
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:11970; rev:13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29355
|
560
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
561
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29356
|
562
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
|
563
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29357
|
564
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
565
|
Dec 13 01:25:15 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts CookieInterceptor classloader access attempt"; flow:to_server,established; content:"ClassLoader"; fast_pattern:only; content:"class"; nocase; http_cookie; content:"ClassLoader"; distance:0; nocase; http_cookie; pcre:"/class([\x2e\x5b]|%2e|%5b)([\x22\x27]|%22|%27)?ClassLoader/Ci"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67081; reference:cve,2014-0113; reference:url,cwiki.apache.org/confluence/display/WW/S2-021; classtype:attempted-admin; sid:30944; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 29405
|
566
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
567
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30346
|
568
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
|
569
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30474
|
570
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
|
571
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30475
|
572
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
573
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30547
|
574
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
|
575
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt"; flow:to_client,established; content:"MSG"; content:"|0A|P2P-Dest|3A|"; within:200; nocase; content:"|0D 0A 0D 0A|"; within:100; content:!"|00 00 00 00|"; within:4; distance:8; content:!"|00 00 00 00|"; within:4; distance:24; byte_extract:4,24,message_len,relative,little; byte_math:bytes 4, offset -20, oper +, rvalue message_len, result cumulative_size, relative, endian little; byte_test:4,>,cumulative_size,-20,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29956; reference:cve,2008-2927; reference:url,pidgin.im/news/security/?id=25; classtype:attempted-user; sid:46784; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30550
|
576
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
|
577
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30587
|
578
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
|
579
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30588
|
580
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
581
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Airlive IP Camera directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/admin"; fast_pattern:only; content:"/cgi-bin/admin"; http_raw_uri; content:"filePath"; distance:0; nocase; http_raw_uri; content:"../"; distance:0; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60549; reference:cve,2013-3541; classtype:web-application-attack; sid:29595; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30692
|
582
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
583
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:31838; rev:5;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30720
|
584
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
585
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:32044; rev:4;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30725
|
586
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
587
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30748
|
588
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
589
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30749
|
590
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
|
591
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell iManager ClassName handling overflow attempt"; flow:to_server,established; content:"/nps/servlet/webacc"; nocase; http_uri; content:"ClassName="; fast_pattern; nocase; http_client_body; pcre:"/^[^\x26]{512}/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40480; reference:cve,2010-1929; classtype:attempted-admin; sid:18796; rev:9;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30903
|
592
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
|
593
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; content:"/OvCgi/webappmon.exe"; fast_pattern:only; http_uri; content:"sel="; http_client_body; pcre:"/^[^\x26]*?\x25/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 30904
|
594
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
|
595
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31059
|
596
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
597
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31096
|
598
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
599
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31097
|
600
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
|
601
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt"; flow:to_server,established; content:".php"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; content:"|00 00|"; within:2; distance:16; byte_test:4,>=,0x00FFFFFF,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3078; reference:url,bugs.php.net/bug.php?id=71923; classtype:attempted-admin; sid:41383; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31360
|
602
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
603
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Squid ESI processing buffer overflow attempt"; flow:to_client,established; file_data; content:"Surrogate-Control:"; fast_pattern; http_header; content:"ESI/1.0"; within:100; nocase; http_header; content:"Content-Type:"; nocase; http_header; content:"text/"; within:50; nocase; http_header; content:"<"; isdataat:2000,relative; content:!">"; within:2000; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4054; reference:url,www.squid-cache.org/Advisories/SQUID-2016_6.txt; classtype:attempted-user; sid:43268; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31599
|
604
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
605
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31658
|
606
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
607
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX recording interface file upload code execution attempt"; flow:to_server,established; content:"config.php"; fast_pattern:only; content:"Content-Disposition"; nocase; http_client_body; content:"name="; distance:0; http_client_body; content:"../"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43454; reference:cve,2010-3490; classtype:web-application-attack; sid:45226; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31804
|
608
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
609
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 31813
|
610
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
|
611
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 32006
|
612
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
613
|
Dec 13 01:25:16 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 32112
|
614
|
Dec 13 01:25:17 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
615
|
Dec 13 01:25:17 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:3;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/flowbit-required.rules at line 2230
|
616
|
Dec 13 01:25:17 charon suricata[35382]: [100163] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210042, gid 1: unknown rule
|
617
|
Dec 13 01:25:17 charon suricata[35382]: [100163] <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210044, gid 1: unknown rule
|
618
|
Dec 13 01:25:20 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to find the sm in any of the sm lists
|
619
|
Dec 13 01:25:20 charon suricata[35382]: [100163] <Notice> -- rule reload complete
|
620
|
Dec 13 01:35:27 charon charon.m.browsepage.com nginx: 2018/12/13 01:35:27 [error] 53294#100242: send() failed (54: Connection reset by peer)
|
621
|
Dec 13 01:35:42 charon php-fpm[99033]: /status_logs.php: Successful login for user 'admin' from: 10.1.100.2 (Local Database)
|
622
|
Dec 13 01:40:49 charon check_reload_status: Syncing firewall
|
623
|
Dec 13 01:40:49 charon check_reload_status: Reloading filter
|
624
|
Dec 13 01:40:54 charon check_reload_status: Syncing firewall
|
625
|
Dec 13 01:41:20 charon check_reload_status: Syncing firewall
|
626
|
:!"Referer"; content:!"Accept"; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:trojan-activity; sid:2020181; rev:8; metadata:created_at 2015_01_14, updated_at 2015_01_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11783
|
627
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
628
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic gate[.].php GET with minimal headers"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php"; http_uri; nocase; fast_pattern; http_header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:3; metadata:created_at 2016_05_18, updated_at 2016_05_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11787
|
629
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
630
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:".jpg?resid="; http_uri; fast_pattern; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021200; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11792
|
631
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
632
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jadtree Downloader rar"; flow:established,to_server; content:".rar"; nocase; http_uri; isdataat:!1,relative; pcre:"/^\d{4}$/V"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:3; metadata:created_at 2014_01_30, updated_at 2014_01_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11793
|
633
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
634
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV checkin"; flow:established,to_server; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; http_user_agent; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Accept"; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity; sid:2016089; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11794
|
635
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
636
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; content:"/ip.txt"; http_uri; nocase; isdataat:!1,relative; fast_pattern; content:!"Mozilla"; http_user_agent; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http_header; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:4; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11796
|
637
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
638
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; metadata: former_category TROJAN; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:3; metadata:created_at 2016_04_06, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11798
|
639
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
640
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot Requesting PE"; flow:established,to_server; content:"GET"; http_method; content:"ho"; http_uri; content:"ping/mod_"; within:10; http_uri; fast_pattern; content:"/"; http_uri; distance:0; isdataat:!1,relative; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:5; metadata:created_at 2014_11_20, updated_at 2014_11_20;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11800
|
641
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
642
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Scieron Retrieving Information"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/ip.txt"; http_uri; fast_pattern; http_header_names; content:!"Accept"; content:!"Referer"; flowbits:set,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020296; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11803
|
643
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
644
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gulpix/PlugX Client Request"; flow:established,to_server; content:"POST"; http_method; content:"1|3a 20|"; http_header; content:"2|3a 20|"; http_header; distance:0; content:"3|3a 20|"; http_header; distance:0; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/Hm"; http_header_names; content:!"Referer"; reference:md5,663d7774b6727a070b558676cee9fe43; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html; classtype:trojan-activity; sid:2018169; rev:5; metadata:created_at 2014_02_21, updated_at 2014_02_21;)" from file /usr/local
|
645
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
646
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/config"; http_uri; fast_pattern; content:".jpg"; http_uri; distance:0; isdataat:!1,relative; content:"Cache-Control|3a 20|no-cache"; http_header; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/U"; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/V"; http_header_names; content:!"Accept-"; content:!"Referer"; http_connection; content:"close"; nocase; metadata: former_category TROJAN; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:5; metadata:created_at 2015_07_23, updated_at 2017_10_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11806
|
647
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
648
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; content:"GET"; http_method; content:"/counter/?id="; http_uri; nocase; content: "&rnd="; http_uri; nocase; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/iU"; flowbits:set,ET.nemucod.exerequest; http_header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:6; metadata:created_at 2016_02_02, updated_at 2016_11_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11807
|
649
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
650
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Kelihos.F EXE Download Common Structure 2"; flow:established,to_server; content:"od"; offset:2; depth:2; nocase; http_uri; content:".exe"; nocase; http_uri; isdataat:!1,relative; fast_pattern; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/Ui"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent"; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:5; metadata:created_at 2014_04_16, updated_at 2014_04_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11810
|
651
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
|
652
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
653
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cap/?a=get&i="; nocase; http_uri; pcre:"/\d+&/miR"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26166
|
654
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; content:"POST"; http_method; content:".asp?cookie="; http_uri; fast_pattern; content:"&type="; http_uri; content:"&vid="; http_uri; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021569; rev:3; metadata:created_at 2015_07_31, updated_at 2015_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11811
|
655
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
656
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; content:"/b/eve/"; http_uri; depth:7; fast_pattern; pcre:"/^[a-f0-9]{24}$/URi"; metadata: former_category TROJAN; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018096; rev:3; metadata:created_at 2014_02_10, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11812
|
657
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
658
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET"; http_method; urilen:5; content:"/1/?"; http_uri; fast_pattern; depth:4; isdataat:!2,relative; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http_user_agent; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:3; metadata:created_at 2012_12_03, updated_at 2012_12_03;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11814
|
659
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
660
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; content:"|01 00 00 01 00 00 00 00 00 00 11|"; depth:11; offset:2; fast_pattern; pcre:"/^[A-Z0-9]{17}/R"; content:"|00 00 10|"; distance:0; threshold:type limit, track by_src, count 1, seconds 300; content:!"|03|prs|0a|proofpoint|03|com|00|"; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:trojan-activity; sid:2022842; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_31, performance_impact Low, updated_at 2016_07_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11817
|
661
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
662
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11819
|
663
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
664
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; content:"POST"; http_method; content:"/main.php"; http_uri; fast_pattern; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; http_header_names; content:!"Referer"; http_content_len; byte_test:0,<,110,0,string,dec; byte_test:0,>=,100,0,string,dec; http_connection; content:"Keep-Alive"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022538; rev:6; metadata:created_at 2016_02_17, updated_at 2016_02_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11820
|
665
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
666
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; http_header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; http_accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:4; metadata:created_at 2016_02_10, updated_at 2016_02_10;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11821
|
667
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
668
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; isdataat:!1,relative; nocase; pcre:"/\/[0-9]{2}\.exe$/iU"; http_header_names; content:!"Referer"; flowbits:set,ET.nemucod.exerequest; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:3; metadata:created_at 2016_02_02, updated_at 2016_02_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11822
|
669
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
670
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Mozilla/5.0 (Windows NT 6.1|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; http_user_agent; fast_pattern; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/W"; http_connection; content:"Close"; isdataat:!1,relative; http_content_type; content:"octet/binary"; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:trojan-activity; sid:2019891; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_12_08, malware_family Dridex, performance_impact Moderate, updated_at 2017_05_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11824
|
671
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
672
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad"; flow:established,to_server; content:"/gate.php"; nocase; http_uri; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_26, malware_family Zeus, performance_impact Low, updated_at 2016_07_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11827
|
673
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
674
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon 2"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/userinfo.php"; http_uri; fast_pattern; pcre:"/[\x80-\xff]/P"; http_content_type; content:"www-form-urlencoded"; isdataat:!1,relative; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:trojan-activity; sid:2022769; rev:3; metadata:created_at 2016_04_27, updated_at 2016_04_27;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11829
|
675
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
676
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; dns_query; content:"epmhyca5ol6plmx3"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:3; metadata:created_at 2015_04_08, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11831
|
677
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
678
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; dns_query; content:"7tno4hib47vlep5o"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2015_02_09, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11833
|
679
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
680
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any any (msg:"ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; dns_query; content:"cxkefbwo7qcmlelb"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2017_12_05, performance_impact Low, updated_at 2017_12_05;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11837
|
681
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
682
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njRAT/Bladabindi Variant (Lime) CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|ll"; within:6; content:"TGltZV8"; distance:0; within:30; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/s"; metadata: former_category TROJAN; reference:md5,ce37b5b473377810bc76e0491533b4e7; classtype:trojan-activity; sid:2025136; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_06, malware_family njrat, performance_impact Moderate, updated_at 2017_12_06;)" from file /usr/local/etc/suricata/surica
|
683
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
684
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern; pcre:"/ms-?office/V"; content:!".money-media.com"; http_host; content:!"ad.payclick.it"; http_host; content:!"sellercore.com"; http_host; metadata: former_category TROJAN; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:7; metadata:created_at 2015_08_18, updated_at 2017_12_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11839
|
685
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
686
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 8"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; isdataat:!1,relative; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; http_user_agent; isdataat:!1,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; byte_test:0,<,100,0,string,dec; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; depth:51; fast_pattern; metadata: former_category TROJAN; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:trojan-activity; sid:2025142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, depl
|
687
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
688
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11843
|
689
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
690
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN GratefulPOS Covert DNS CnC Initial Checkin"; dns_query; content:".grp"; within:12; content:"ping.adm."; distance:0; within:15; fast_pattern; isdataat:30,relative; pcre:"/^[a-f0-9]{8}\.grp[0-9]*\.ping\.adm\.(?:[a-f0-9]+\.){2,}/"; metadata: former_category TROJAN; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:trojan-activity; sid:2025144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Grateful_POS, performance_impact Moderate, updated_at 2017_12_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line
|
691
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
692
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".aspx?A="; http_uri; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/RU"; content:"Accept-Language|3a 20|zh-TW"; http_header; http_header_names; content:"Referer|3a 20|"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,BFB3C542AD815436EC3F2FD71582AD08B7E7301C; classtype:trojan-activity; sid:2025145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Randrew_A, performance_impact Low, updated_at 2017_12_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11845
|
693
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
694
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:5; metadata:created_at 2014_03_14, updated_at 2014_03_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11846
|
695
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
696
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?a=Te"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\n(?:\r\n)?$/Hi"; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Cache"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:trojan-activity; sid:2025147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Downloader_Small_BIL, performance_impact Low, updated_at 2017_12_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11847
|
697
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
698
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?machine_id="; http_uri; fast_pattern; content:"&x64"; http_uri; distance:0; content:"&version="; http_uri; distance:0; content:"&video_card="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:"&junk="; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; classtype:trojan-activity; sid:2025148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Bot_Sezin, performance_impact Low, updated_at 2017_12_13;)" from file /usr/local/etc/suricata/suric
|
699
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
700
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; depth:1; content:"/"; http_uri; distance:0; isdataat:!1,relative; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2017_12_05;)" from file /usr
|
701
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
702
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"x-user-agent|3a 20|YesMaster|0d 0a|"; http_header; fast_pattern; http_header_names; content:"|0d 0a|x-user-agent|0d 0a|"; content:"|0d 0a|x-whoami|0d 0a|"; content:"|0d 0a|x-pwd|0d 0a|"; content:"|0d 0a|x-hostname|0d 0a|"; content:"|0d 0a|x-isadm|0d 0a|"; content:"|0d 0a|x-is64Env|0d 0a|"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:trojan-activity; sid:2025157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_20, malware_family YesMaster, performance_impact Moderate, updated_at 2017_12_20;)" from file /usr/local/etc/suricata/suricat
|
703
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
704
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC CreateFolderOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?sDir="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11853
|
705
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
706
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC DeleteFileOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?fileDel="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11854
|
707
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
708
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC WriteMetadataOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/write_meta.php?sDir="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11855
|
709
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
710
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Smurf2 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/5.0"; http_user_agent; content:"teststr="; depth:8; nocase; http_client_body; fast_pattern; content:"&testval="; nocase; distance:0; http_client_body; http_accept; content:"??"; metadata: former_category TROJAN; reference:md5,e2d136bb63edc092d2f3d26885b239d9; classtype:trojan-activity; sid:2025168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11856
|
711
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
712
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M1"; flow:established,to_server; http_request_line; content:"GET|20|/api/up.php|20|HTTP/1.1"; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Content-Type"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11860
|
713
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
714
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:"/update.php"; http_uri; isdataat:!1,relative; fast_pattern; content:"data="; http_client_body; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/PRsi"; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rul
|
715
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
716
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26243
|
717
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
718
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Activity"; flow:established,to_server; content:".php?mac="; http_uri; fast_pattern; pcre:"/^[0-9A-F]{12}$/RU"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11862
|
719
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
720
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Zeus Panda CnC Domain (in DNS Lookup)"; dns_query; content:"pprulispikosqcsiwef.info"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:trojan-activity; sid:2025177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_29, malware_family Zeus_Panda, performance_impact Moderate, updated_at 2017_12_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11863
|
721
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
722
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; urilen:1; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_29, updated_at 2017_12_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.ru
|
723
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
724
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MedusaHTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; http_user_agent; fast_pattern; isdataat:!1,relative; content:"xyz="; http_client_body; depth:4; content:"|7c|"; http_client_body; distance:0; content:"|7c|"; http_client_body; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:trojan-activity; sid:2025187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2
|
725
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
726
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET TROJAN Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; metadata: former_category TROJAN; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, updated_at 2018_01_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11893
|
727
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
728
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:".php?TIe="; http_uri; fast_pattern; pcre:"/^[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d]+$/RU";content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; threshold: type both, count 5, seconds 120, track by_src; metadata: former_category TROJAN; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; classtype:trojan-activity; sid:2025198; rev:2; metadata:created_at 2018_01_11, updated_at 2018_01_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11894
|
729
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
730
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Mami CnC Checkin"; flow:established,to_server; content:"User-Agent|3a 20 0d 0a|"; http_header; fast_pattern; content:"r="; http_client_body; depth:2; content:"&rc="; distance:0; http_client_body; http_request_line; content:"POST|20|/|20|HTTP/1.1"; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:trojan-activity; sid:2025199; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_14, malware_family Mami, performance_impact Moderate, updated_at 2018_01_14;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11895
|
731
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
732
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET TROJAN OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Mami, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11896
|
733
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
734
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; tls_sni; content:"cryptoclipper.ru"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11897
|
735
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
736
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,bad07f85a7baaeaa8aeb72997712aa98; classtype:trojan-activity; sid:2025202; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11898
|
737
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
738
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MoneroPay Ransomware Payment Activity"; flow:established,to_server; content:"GET"; http_method; content:"/paid?id="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{16}$/RU"; http_header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; content:!"Connection"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Ransomware, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11899
|
739
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
740
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Adwind SSL Certificate Observed"; flow:established,from_server; tls_cert_serial; content: "70:FE:E3:2F"; fast_pattern; tls_cert_issuer; content:"hgfyuilijhk"; metadata: former_category TROJAN; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:2025209; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, malware_family Adwind, malware_family Qarallex, performance_impact Low, updated_at 2018_01_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11901
|
741
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
742
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Formbook 0.3 Checkin"; flow:to_server,established; content:"POST"; http_method; content:"Mozilla"; http_user_agent; depth:7; content:"dat="; depth:4; http_client_body; nocase; fast_pattern; pcre:"/^[a-z0-9_\/+-]{1000}/PRi"; metadata: former_category TROJAN; reference:md5,6886a2ebbde724f156a8f8dc17a6639c; classtype:trojan-activity; sid:2024436; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_29, malware_family Password_Stealer, updated_at 2017_11_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11905
|
743
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
744
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern:5,20; http_header; content:"l"; http_client_body; depth:1; content:"=OTl"; within:8; http_client_body; content:"&e"; http_client_body; distance:0; content:"="; http_client_body; within:6; content:"&m"; http_client_body; distance:0; content:"="; http_client_body; within:6; metadata: former_category TROJAN; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:trojan-activity; sid:2025234; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Clien
|
745
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
746
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php?act=hi&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"&dotnetver="; http_uri; content:"&onwork="; http_uri; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025235; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11909
|
747
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
748
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php?act=info&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"info="; depth:5; http_client_body; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11910
|
749
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
750
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Brazilian Banker CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Embarcadero URI Client/1.0"; http_user_agent; content:"AS100="; fast_pattern; http_client_body; content:"AS200="; distance:0; http_client_body; metadata: former_category TROJAN; reference:md5,94cd521945da6ab73bc7a1462283d22a; classtype:trojan-activity; sid:2025241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_01_22, malware_family Banking_Trojan, performance_impact Low, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11911
|
751
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
752
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/TooEasy Miner CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?p="; http_uri; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|msg|22|"; http_client_body; content:"|0d 0a|Downloading files|0d 0a|"; http_client_body; fast_pattern; content:"curl/"; http_user_agent; depth:5; http_header_names; content:!"Accept-"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dc62dd14321dfa9f14c094a7b1e20979; classtype:trojan-activity; sid:2025251; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, performance_impact Moderate, updated_at 2018_01_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11912
|
753
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
754
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php?token="; http_uri; fast_pattern; pcre:"/^[0-9]{2,6}$/RU"; content:"data="; http_client_body; depth:5; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/RPs"; http_content_len; byte_test:0,>,200,0,string,dec; http_header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie"; metadata: former_category TROJAN; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:trojan-activity; sid:2025254; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_26, malware_family GandCrab, performance_impact Moderate, updated_at 2018_01_26;)" from file /usr/local/etc/
|
755
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
756
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; dns_query; content:"cryptoclipper.ru"; isdataat:!1,relative; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:2; metadata:created_at 2018_01_29, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11915
|
757
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
758
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; tls_sni; content:"projectevrial.ru"; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:2; metadata:created_at 2018_01_29, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11916
|
759
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
760
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/upload.php?user="; http_uri; fast_pattern; content:"&hwid="; http_uri; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http_client_body; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,485069677e997ff6ce193be7258c783f; classtype:trojan-activity; sid:2025266; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_29, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11917
|
761
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
762
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; content:"?hwid="; http_uri; content:"&group="; http_uri; fast_pattern; content:"&os="; http_uri; content:"&cpu="; http_uri; content:"GET"; http_method; content:!"Referer|3a|"; http_header; threshold: type both, track by_src, count 2, seconds 60; metadata: former_category TROJAN; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:trojan-activity; sid:2025253; rev:4; metadata:created_at 2018_01_26, updated_at 2018_01_28;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11918
|
763
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
764
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"/kb/"; http_uri; depth:4; fast_pattern; pcre:"/^\d{4,8}$/UR"; content:!"Microsoft Outlook"; http_user_agent; http_header_names; content:!"Referer"; content:"User-Agent"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025120; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2018_01_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11919
|
765
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
766
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Dropper.Delf Checkin"; flow:established,to_server; content:"/autoupdate/versaoatual.txt"; fast_pattern; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; http_user_agent; metadata: former_category TROJAN; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:trojan-activity; sid:2025283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_01, malware_family Dropper, performance_impact Low, updated_at 2018_02_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11921
|
767
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
768
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise Style IP Check"; flow:to_server,established; urilen:16; content:"/myip?format=txt"; http_uri; content:"api.ipaddress.com"; http_host; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; http_user_agent; http_header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025289; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perime
|
769
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
770
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/U"; content:"=|3b 20|"; http_cookie; content:"=|3b 20|"; http_cookie; distance:0; content:"=|3b|"; http_cookie; distance:0; isdataat:!1,relative; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deploy
|
771
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
772
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns_query; content:"getfreshnews.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, performance_impact Moderate, updated_at 2018_02_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11926
|
773
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
774
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?action="; http_uri; content:"&hwid="; http_uri; distance:0; content:"&access="; fast_pattern; http_uri; distance:0; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:trojan-activity; sid:2025344; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_12, malware_family Ars_Stealer, performance_impact Moderate, updated_at 2018_02_12;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11932
|
775
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
776
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer Retrieving CnC Information"; flow:established,to_server; content:"GET"; http_method; content:"/Project-Evrial-C2-DOMAIN-"; http_uri; fast_pattern; nocase; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; metadata: former_category TROJAN; reference:md5,540c736b7e11287805ddd4f3a9d37934; classtype:trojan-activity; sid:2025346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_13, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11933
|
777
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
778
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.BIC Variant CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?response="; http_uri; content:"&cpu="; http_uri; distance:0; content:"&gpu="; http_uri; distance:0; content:"&ram="; http_uri; distance:0; content:"&name="; http_uri; distance:0; content:"&os="; http_uri; distance:0; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,C6C781F0ED065476A4297C2AC96A6D83; classtype:trojan-activity; sid:2025359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_15, malware_family Agent_BIC, performance_impact Low, updated_at 2018_02_15;)" from file /usr/local/etc/suricata/suricata_55
|
779
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
780
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/waiting"; http_uri; fast_pattern; content:"BC_Vic_"; http_user_agent; depth:7; content:"BC_SPL"; http_user_agent; distance:0; isdataat:!1,relative; threshold: type limit, track by_dst, seconds 30, count 1; http_header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:trojan-activity; sid:2025370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_19, malware_family Backdoor_Small, performance_impact Low, updated_at 2018_02_19;)" from file /usr/local/etc/suricata/suricat
|
781
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
782
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report - "; http_client_body; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; http_client_body; distance:19; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:trojan-activity; sid:2025375; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_21, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_21;)" from file /usr/loca
|
783
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
784
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; isdataat:!1,relative; content:"Microsoft BITS/"; http_user_agent; depth:15; fast_pattern; content:!"microsoft.com"; http_host; content:!"pdfcomplete.com"; http_host; content:!"mymitchell.com"; http_host; content:!"azureedge.net"; http_host; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2018_02_22;)" fro
|
785
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
786
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; isdataat:!1,relative; threshold: type both, track by_src, count 10, seconds 30; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)" from file /usr/local/etc/suricata/suricata_55516_em7
|
787
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
788
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin"; flow:established,to_server; content:"|00 00 00 69 64 3d|"; depth:10; content:"|26 6f 73 3d|"; distance:0; within:30; content:"|26 70 72 69 76 3d|"; distance:0; within:20; content:"|26 63 72 65 64 3d|"; distance:0; within:20; content:"|26 70 63 6e 61 6d 65 3d|"; distance:0; content:"|26 61 76 6e 61 6d 65 3d|"; distance:0; content:"|26 62 75 69 6c 64 5f 74 69 6d 65 3d|"; distance:0; fast_pattern; content:"|26 63 61 72 64 3d|"; distance:0; metadata: former_category TROJAN; reference:md5,32485b8cedc5b79aa1bf2d7ceae0ef31; classtype:trojan-activity; sid:2025408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_01, malware_family FlawedAmmyy, performance_impact Moderate, update
|
789
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
790
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=www.instrumentshigh.com.br"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:trojan-activity; sid:2025433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2018_03_14, malware_family Bancos, performance_impact Moderate, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11955
|
791
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
792
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls_cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; metadata: former_category TROJAN; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /u
|
793
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
794
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls_cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; metadata: former_category TROJAN; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_55516_
|
795
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
796
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Google)"; tls_cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; metadata: former_category TROJAN; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line
|
797
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
798
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls_cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; tls_cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; metadata: former_category TROJAN; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/lo
|
799
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
800
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer IP Lookup"; flow:established,to_server; content:"POST"; http_method; content:"Arkei/"; http_user_agent; depth:6; fast_pattern; content:"ip-api.com"; http_host; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11960
|
801
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
802
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer Config Download Request"; flow:established,to_server; content:"POST"; http_method; content:"/grubConfig"; http_uri; content:"Arkei/"; http_user_agent; depth:6; fast_pattern; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11961
|
803
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
804
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27636
|
805
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
806
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Cobalt Group SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dns-verifon.com"; distance:1; within:16; metadata: former_category TROJAN; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:trojan-activity; sid:2025438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_26, malware_family Cobalt_Group, performance_impact Low, updated_at 2018_03_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11966
|
807
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
808
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26381
|
809
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
810
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27640
|
811
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
812
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"valor="; depth:6; http_client_body; content:"verde"; http_client_body; content:"branco"; http_client_body; content:"vermelho"; fast_pattern:only; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:trojan-activity; sid:2018516; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_04_24, performance_impact Low, updated_at 2018_03_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11967
|
813
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
814
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27641
|
815
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
816
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M2"; flow:established,to_server; content:"GET"; http_method; content:"/vstudio"; http_uri; fast_pattern; urilen:8; content:"msdn.microsoft.com"; http_host; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11968
|
817
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
818
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M3"; flow:established,to_server; content:"GET"; http_method; content:"/visualstudio/"; http_uri; fast_pattern; urilen:14; content:"www.microsoft.com"; http_host; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11969
|
819
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
820
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 10"; flow:established,to_server; content:"POST"; http_method; pcre:"/\/\d+\/$/U"; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|User-Agent"; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, performance_impact Moderate, updated_at 2018_03_27;)
|
821
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
822
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; dns_query; content:"chlenaverasiskihe.sex"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11972
|
823
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
824
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern; content:"&c="; distance:0; nocase; http_uri; content:"&mk="; distance:0; nocase; http_uri; content:"&il="; distance:0; nocase; http_uri; content:"&vr="; distance:0; nocase; http_uri; content:"&bt="; distance:0; nocase; http_uri; content:!"Referer"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_10, performance_impact Moderate, updated_at 2018_04_04;)" from file
|
825
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
826
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26400
|
827
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
828
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26401
|
829
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
830
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; content:"POST"; http_method; content:".js"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025464; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family OceanLotus,
|
831
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
832
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, crea
|
833
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
834
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot User-Agent"; flow:established,to_server; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11983
|
835
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
836
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&bit="; http_uri; content:"&info=Windows|3a 20|"; http_uri; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11984
|
837
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
838
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot CnC Task Status"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&taskId="; http_uri; distance:0; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11985
|
839
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
840
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, create
|
841
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
842
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pontoeb CnC"; flow:established,to_server; content:"N0PE"; depth:4; http_user_agent; fast_pattern; content:"mode="; depth:5; http_client_body; metadata: former_category TROJAN; reference:md5,1a44b59105e584bac969408f9617133f; reference:url,urlhaus.abuse.ch/url/4452/; classtype:trojan-activity; sid:2025484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2018_04_11, malware_family Pontoeb, performance_impact Low, updated_at 2018_04_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11987
|
843
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
844
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26422
|
845
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
846
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"{|22|encry|22 3a 22|"; http_client_body; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; http_client_body; distance:0; content:"|22|guid|22 3a 22|"; http_client_body; distance:0; content:"|22|start|22 3a 22|"; http_client_body; distance:0; content:"|22|market|22 3a 22|"; http_client_body; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:trojan-activity; sid:2025486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 20
|
847
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
848
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; tls_cert_subject; content:"CN=ok.investments"; fast_pattern; nocase; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:trojan-activity; sid:2025485; rev:3; metadata:created_at 2018_04_11, updated_at 2018_04_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11989
|
849
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
850
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LokiBot Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Key|3a 20|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20/Hi"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:trojan-activity; sid:2025381; rev:4; metadata:created_at 2015_11_23, updated_at 2018_04_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 11991
|
851
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
852
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; content:"404"; http_stat_code; file_data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_10, malware_family lokibot, performance_impact Low, updated_at 2018_04_13;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12001
|
853
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
854
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27710
|
855
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
856
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Quant Loader Download Response M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"exe=http://"; within:30; nocase; fast_pattern; content:"|2e|exe|3b|"; distance:0; nocase; metadata: former_category TROJAN; reference:md5,aa0b114a64683d89f62d26a088e164f6; classtype:trojan-activity; sid:2024206; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_17, performance_impact Moderate, updated_at 2017_04_17;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12009
|
857
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
858
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_11, updated_at 2015_02_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12012
|
859
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
860
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Requesting Payload"; flow:established,to_server; content:"GET"; http_method; content:"?Value=13&idPayload="; http_uri; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12013
|
861
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
862
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G2 Stealer/GravityRAT CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?Value="; http_uri; content:"UserCode="; http_uri; distance:0; content:"MacId="; http_uri; distance:0; content:"HitDate="; http_uri; distance:0; content:"FingerPrint="; http_uri; distance:0; fast_pattern; content:"CurrentIp="; http_uri; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; content:!"Connection"; metadata: former_category TROJAN; reference:md5,6899c2219764bac56007ce80021bfcbf; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_2
|
863
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
864
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"POST"; http_method; content:".php?VALUE=2&Type="; http_uri; fast_pattern; content:"&SIGNATUREHASH="; http_uri; distance:0; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12015
|
865
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
866
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"GET"; http_method; content:"?Value=11&FileName="; http_uri; fast_pattern; content:"&FileSize="; http_uri; distance:0; content:"&Macid="; http_uri; distance:0; content:"&UserCode="; http_uri; distance:0; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12016
|
867
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
868
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1"; content:".bit"; http_host; isdataat:!1,relative; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/W"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12020
|
869
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
870
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M2"; content:".coin"; http_host; isdataat:!1,relative; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/W"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12021
|
871
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
872
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; dns_query; content:"ransomware.bit"; nocase; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12022
|
873
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
874
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; dns_query; content:"zonealarm.bit"; nocase; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_05_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12023
|
875
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
876
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; dns_query; content:"carder.bit"; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_05_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12024
|
877
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
878
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; nocase; isdataat:!1,relative; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; http_user_agent; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_accept; content:"*/*"; http_connection; content:"Keep-Alive"; http_content_len; byte_test:0,<,110,0,string,dec; http_header_names; content:!"Referer"; content:!"Accept-Encoding"; content:!"Content-Type"; metadata: former_category TROJAN; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T05
|
879
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
880
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns_query; content:"3whyfziey2vr41yq";depth:16; metadata: former_category TROJAN; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_07, malware_family Ransomware, updated_at 2018_05_07;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12027
|
881
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
882
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/U"; pcre:"/\.(?:bit|coin|sex|com|gandcrab\d*)$/W";content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http_user_agent; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Psi"; http_content_len; byte_test:0,>,4000,0,string,dec; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:67; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:trojan-activity; sid:2025455; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attac
|
883
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
884
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; dns_query; content:"y5mogzal2w25p6bn.ml"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_08, malware_family Ransomware, updated_at 2018_05_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12029
|
885
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
886
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; content:"POST"; http_method; content:".php?b="; http_uri; nocase; pcre:"/^[A-F0-9]{30}$/URi"; http_content_len; content:"0"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025164; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12032
|
887
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
888
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?cx="; http_uri; nocase; fast_pattern; content:"&b="; http_uri; nocase; distance:0; content:">="; http_uri; nocase; distance:0; content:"&tx="; http_uri; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+>=[A-F0-9]+&tx=[A-F0-9]+$/Ui"; http_content_len; content:"0"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025163; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12033
|
889
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
890
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN InfoBot Sending Machine Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"infobot"; http_user_agent; depth:7; isdataat:!1,relative; content:"|7b 22|bits|22 3a 20 22|"; http_client_body; depth:10; content:"|22|cpun|22 3a 20 22|"; http_client_body; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12034
|
891
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
892
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN InfoBot Sending LAN Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; http_client_body; depth:12; fast_pattern; content:"|22 7d|"; http_client_body; distance:0; within:3; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12035
|
893
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
894
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unk.Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/check.php"; http_uri; isdataat:!1,relative; fast_pattern; content:"m="; http_client_body; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Psi"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:trojan-activity; sid:2025580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12036
|
895
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
896
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"data.php?id="; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?$/Hmi"; metadata: former_category TROJAN; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:trojan-activity; sid:2024239; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_14, malware_family Karmen_Ransomware, performance_impact Moderate, updated_at 2018_05_17;)" from file /usr/local/etc/suricata/suricata_5
|
897
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
898
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; metadata: former_category TROJAN; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:trojan-activity; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_18, updated_at 2018_05_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12039
|
899
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
900
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin via HTTP"; flow:established,to_server; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; http_user_agent; fast_pattern:21,20; metadata: former_category TROJAN; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:trojan-activity; sid:2021336; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2015_06_23, malware_family DDoS_XOR, performance_impact Low, updated_at 2018_05_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12040
|
901
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
902
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?generate="; http_uri; fast_pattern; content:"/-"; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,31d65e315115c823f619a381576984f8; classtype:trojan-activity; sid:2025586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_30, malware_family Aurora, malware_family OneKeyLocker, performance_impact Moderate, updated_at 2018_05_30;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12042
|
903
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
904
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; content:"POST"; http_method; content:"/image/upload.php"; http_uri; fast_pattern; content:"filename=|22|"; http_client_body; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/PR"; http_header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12043
|
905
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
|
906
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27784
|
907
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
908
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/surica
|
909
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
910
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/?id="; http_uri; depth:5; content:"&pt="; http_uri; distance:0; within:20; fast_pattern; pcre:"/^[a-f0-9]{32}$/Vi"; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Pi"; http_content_type; content:"application/x-www-form-urlencoded"; http_header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:trojan-activity; sid:2025598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Dropper, signature_severity Major, created_at 2018_06_21, malware_family Autoit_NU, performance_impact Low, updated_a
|
911
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
912
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; content:"HEAD"; http_method; content:".php1"; http_uri; isdataat:!1,relative; fast_pattern; content:"Microsoft BITS/"; http_user_agent; content:!"Referer|3a|"; http_header; pcre:"/\/[0-9]{10}.php1$/U"; metadata: former_category TROJAN; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_06_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12059
|
913
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
914
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Remcos RAT Checkin 23"; flow:established,to_server; dsize:<500; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:trojan-activity; sid:2025637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, updated_at 2018_07_03;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12066
|
915
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
916
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; http_header; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http_header; content:"|20|MSIE|20|"; http_user_agent; http_header_names; content:!"Referer"; http_protocol; content:"HTTP/1.0"; flowbits:set,ET.Fareit.chk; metadata: former_category TROJAN; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:12; metadata:created_at 2012_03_22, updated_at 20
|
917
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
918
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Zeus P2P Variant Check-in"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/update"; http_uri; fast_pattern; pcre:"/^[a-z0-9]+\.(?:biz|com|net|org)/W"; http_header_names; content:!"User-Agent"; metadata: former_category TROJAN; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018667; rev:4; metadata:created_at 2014_07_11, updated_at 2017_03_08;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12068
|
919
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
920
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN [eSentire] Unknown Banker CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_07_11;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12071
|
921
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
922
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rostpay Downloader User-Agent"; flow:established,to_server; content:"Rostpay Downloader"; nocase; depth:18; isdataat:!1,relative; http_user_agent; metadata: former_category TROJAN; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_16;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12072
|
923
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
|
924
|
Dec 13 01:25:07 charon suricata[31827]: [100148] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)" from file /usr/local/etc/suricata/suricata_52473_em5/rules/suricata.rules at line 26564
|
925
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
926
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-
|
927
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
928
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern; pcre:"/^(?:\?[0-9])?/UR"; pcre:"/\/wp-(?:content|admin|includes)\//U"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,adabe1b995e6633dee19fdd2fdc4957a; classtype:trojan-activity; sid:2021697; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Wordpress, signature_severity Major, created_at 2015_08_20, performance_impact Low, updated_at 2018_07_18;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12075
|
929
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
930
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AZORult Variant.4 Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"|4a 2f fb|"; fast_pattern; http_client_body; content:"|2f fb|"; http_client_body; depth:11; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,0ac55b5056364cdac63aaf05f9d7f654; reference:url,twitter.com/James_inthe_box/status/1020522733984100352?s=03; classtype:trojan-activity; sid:2025885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_23, malware_family AZORult, updated_at 2018_07_23;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12076
|
931
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
932
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; tls_sni; content:"www.cpuproc.com"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12077
|
933
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
934
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; tls_cert_subject; content:"CN=cpuproc.com"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_
|
935
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
936
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any 53 (msg:"ET TROJAN OilRig QUADAGENT DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|mail|06|"; distance:0; nocase; pcre:"/^\d{6}/Ri"; content:"|07|cpuproc|03|com|00|"; fast_pattern; distance:0; within:13; nocase; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr
|
937
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
938
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] Remcos RAT Checkin 24"; flow:established,to_server; dsize:<380; content:"|e8 ee 51 c7 05 29 cd 17 31 7b fd|"; depth:11; fast_pattern; content:"|55 47|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,98202283d7752779abd092665e80af71; classtype:trojan-activity; sid:2025921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2018_07_31, malware_family Remcos, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12081
|
939
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
940
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_B
|
941
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
942
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:<100; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata
|
943
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
944
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 4"; dns_query; content:"euiro8966.organiccrap.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025927; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12084
|
945
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
946
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 3"; dns_query; content:"kted56erhg.dynssl.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025926; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12085
|
947
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
948
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 2"; dns_query; content:"www.hosting.tempors.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12086
|
949
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
|
950
|
Dec 13 01:25:07 charon suricata[27331]: [100669] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_62604_em1/rules/suricata.rules at line 27840
|
951
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
952
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 1"; dns_query; content:"jennifer998.lookin.at"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025924; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12087
|
953
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
954
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 5"; dns_query; content:"games.my-homeip.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12088
|
955
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
956
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aurora Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?generate="; http_uri; fast_pattern; content:"/"; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,2409c058a86cd8743abb10a5735ef487; classtype:trojan-activity; sid:2025931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_30, malware_family Aurora_Ransomware, performance_impact Moderate, updated_at 2018_08_01;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12089
|
957
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
958
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] Remcos RAT Checkin 25"; flow:established,to_server; dsize:<380; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; fast_pattern; content:"|35 03|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,41c292b0cb2a4662381635a3316226f4; classtype:trojan-activity; sid:2025984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_09, malware_family Remcos, updated_at 2018_08_09;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12090
|
959
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
960
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Associated with Lazarus Downloader (JEUSD)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|celasllc.com"; distance:1; within:13; fast_pattern; metadata: former_category TROJAN; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,blogs.360.cn/blog/apt-c-26/; classtype:trojan-activity; sid:2025990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Major, created_at 2018_08_15, malware_family JEUSD, performance_impact Low, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12091
|
961
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
962
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lazarus Downloader (JEUSD) CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a 20|form-data|3b| name=|22|upload|22 3b| filename=|22|temp.gif|22 0d 0a|"; http_client_body; fast_pattern:48,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,blogs.360.cn/blog/apt-c-26/; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; classtype:trojan-activity; sid:2025991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Critical, created_at 2018_08_15, malware_family JEUSD, performance_impact Low, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_55516_em7/rules/suricata.rules at line 12092
|
963
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
|
964
|
Dec 13 01:25:07 charon suricata[35382]: [100163] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer Client Data Upload"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|hwid|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|os|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|platform|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|user|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|pcount|22|"; http_client_body; nocase; disCLOG ? ??
|