12/12/2018 -- 16:31:47 - <Notice> -- This is Suricata version 4.0.6 RELEASE
12/12/2018 -- 16:31:47 - <Info> -- CPUs/cores online: 4
12/12/2018 -- 16:31:47 - <Info> -- Netmap: Setting IPS mode
12/12/2018 -- 16:31:47 - <Info> -- HTTP memcap: 67108864
12/12/2018 -- 16:31:47 - <Notice> -- using flow hash instead of active packets
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Novell iPrint ActiveX GetDriverSettings Remote Code Execution Attempt"; flow:established,to_client; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"GetDriverSettings2"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-256/; reference:url,www.vupen.com/english/advisories/2010/3023; reference:bid,44966; reference:cve,2010-4321; classtype:attempted-user; sid:2012206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_20, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 170
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 172
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Cisco.AnyConnect.VPNWeb.1"; nocase; distance:0; content:"url"; nocase; distance:0; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012930; rev:3; metadata:created_at 2011_06_03, updated_at 2011_06_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 177
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern:only; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_06_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 178
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "bid". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_01_18, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 306
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4; metadata:created_at 2012_06_08, updated_at 2012_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 750
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 887
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 962
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 963
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 964
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 965
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui";  reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 966
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 967
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 968
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_08_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1167
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_12, updated_at 2014_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1326
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin"; flow:established,to_server; content:"file=SenderClient.conf"; http_uri; nocase; fast_pattern:only; pcre:"/file=SenderClient.conf$/Ui"; content:!"Referer|3a 20|"; flowbits:set,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018245; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1334
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018246; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1335
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/?8080"; http_uri; fast_pattern:only; content:"name=|22|action|22 0d 0a 0d 0a|"; http_client_body; pcre:"/^(?:Get(?:Subscription(?:EmailsBlock|Content)|PTR|IP)|Port25(?:Close|Open))\x0d\x0a/RP"; content:"name=|22|location|22 0d 0a 0d 0a|"; distance:0; http_client_body; pcre:"/^(?:winload(?:32)?|cmms)\x0d\x0a/RP"; content:!"Referer|3a 20|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018257; rev:2; metadata:created_at 2014_03_12, updated_at 2014_03_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1336
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; http_user_agent; depth:35; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018353; rev:4; metadata:created_at 2014_04_03, updated_at 2014_04_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1362
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; depth:35; http_user_agent; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:4; metadata:created_at 2014_04_03, updated_at 2014_04_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1363
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; content:"BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831"; http_user_agent; fast_pattern:only; nocase; flowbits:set,ET.Rbrute.incoming; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:3; metadata:created_at 2014_04_03, updated_at 2014_04_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1364
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3; metadata:created_at 2014_04_03, updated_at 2014_04_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1365
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; content:"|55 04 03|"; byte_test:1,>,11,1,relative; byte_test:1,<,14,1,relative; content:"ssl"; distance:2; within:3; pcre:"/^\d{1,2}/R"; content:".ovh.net"; within:8; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_04_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1369
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client;  file_data; content:".exe?"; fast_pattern:only; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:trojan-activity; sid:2016498; rev:9; metadata:created_at 2013_02_25, updated_at 2013_02_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1382
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_04_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1389
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from Google Common Data Storage with no Referer"; flow:established,to_server; content:".exe"; fast_pattern:only; http_uri; content:"Host|3a| commondatastorage.googleapis.com|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9fcbc6def809520e77dd7af984f82fd5; reference:md5,71e752dd4c4df15a910c17eadb8b15ba; classtype:trojan-activity; sid:2018556; rev:2; metadata:created_at 2014_06_11, updated_at 2014_06_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1401
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_20, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1420
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_03, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1424
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1427
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 8c bf 77 7c 33 77 06|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5dd6e69b1e9049f295e314b523679d98; classtype:trojan-activity; sid:2019178; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_16, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1428
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_16, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1429
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_18, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1435
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_19, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1436
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1439
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Spy.Zbot.ACB SSL Cert Sept 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 56 02 06 27 f8 97 08|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,2ceda25b44378583dfb6df64b92ac654; classtype:trojan-activity; sid:2019227; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1442
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb c0 73 38 d6 b1 99 a5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0fa515ad9fd1031b7a7891a46f72f122; classtype:trojan-activity; sid:2019275; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1444
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1445
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_26, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1446
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 04 eb 4f 91 0a 85 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,a3dd0964ee346db49192836569b41203; classtype:trojan-activity; sid:2019319; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1449
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba c8 fb e2 d7 61 26 81|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27ec921595f9e05e7e8933e71d336fa7; classtype:trojan-activity; sid:2019320; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1450
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_03, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1455
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_09, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1469
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1480
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1481
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_17, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1482
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 21 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca 38 a4 ec ec c1 f1 9a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1fedcd44951c3dfb861fa83ddcec2b84; classtype:trojan-activity; sid:2019485; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1487
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1488
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1489
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1490
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1491
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1493
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe d5 e3 3b b2 f8 4e f4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019521; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1494
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 81 01 15 1a 78 7f e9 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,2841fb14060f579e46a301baf234a1e7; classtype:trojan-activity; sid:2019522; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1495
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 10 4b 4c 47 43 e9 4b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bd3fd9f55900e2c63d5f4977053e8f68; classtype:trojan-activity; sid:2019523; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1496
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Trustezeb.J SSL Cert Oct 30 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|17|bestofthebestrussia.com"; distance:1; within:24; reference:md5,2d8211ad47b36893b6e1b3fdceb00012; classtype:trojan-activity; sid:2019605; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1501
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32.Zbot.umpz SSL Cert Nov 4 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|16|boogermanshoptools.net"; distance:1; within:33; reference:md5,c6796076a24f35119ebe441725ec9da7; classtype:trojan-activity; sid:2019639; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1506
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1509
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1510
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_11, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1518
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1524
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_17, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1525
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1549
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1551
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_16, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1553
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:47 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3; metadata:created_at 2014_12_23, updated_at 2014_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1558
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:2; metadata:created_at 2015_03_26, updated_at 2015_03_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1629
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern:4,20; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:2; metadata:created_at 2015_03_31, updated_at 2015_03_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1630
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; pcre:"/^\/\d+\/\d+\.exe$/U"; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/Hmi"; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1653
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|aa|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1726
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns1|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1727
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns2|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1728
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns3|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1729
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns4|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1730
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|gh|07|dsaj2a1|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1731
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|navert0p|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1732
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wangzongfacai|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:1; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1733
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gggatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:1; metadata:created_at 2015_07_13, updated_at 2015_07_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1750
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|xxxatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:1; metadata:created_at 2015_07_13, updated_at 2015_07_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1751
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|s-p-o-o-f-e-d|07|h-o-s-t|04|name"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:1; metadata:created_at 2015_08_19, updated_at 2015_08_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1782
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1797
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_08_31, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1798
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern:only; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_09_14, malware_family Upatre, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1813
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, signature_severity Critical, created_at 2015_10_13, malware_family Upatre, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1822
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 2 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_02, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1842
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:6; metadata:created_at 2015_08_10, updated_at 2015_08_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1865
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; fast_pattern:12,20; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+(?:xyz|pw)\r?$/Hmi"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:4; metadata:created_at 2016_03_30, updated_at 2016_03_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1968
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Mozilla/4.0|20|(compatible|3b|)"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:2; metadata:created_at 2016_05_19, updated_at 2016_05_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 1998
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:2; metadata:created_at 2016_06_09, updated_at 2016_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2006
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2;  content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2015
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; content:".dll"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2016
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:2; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2017
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server;content:!".exe"; http_uri; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/U"; content:"|3a 20|Microsoft BITS"; http_header; fast_pattern:only; content:!".microsoft.com|0d 0a|"; http_header; nocase; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_26, malware_family MalDocGeneric, performance_impact Low, updated_at 2016_08_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2035
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; content:"/distr/Proxifier"; http_uri; nocase; depth:16; fast_pattern; content:!"User-Agent|3a|"; http_header; nocase; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:!"Cookie|3a|"; content:"proxifier.com|0d 0a|"; http_header; nocase; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_08_26, performance_impact Low, updated_at 2016_08_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2059
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; content:"GET"; http_method; content:"/dana/home.php"; http_uri; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"MSIE 7.0"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/home\.php$/U"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:3; metadata:created_at 2016_03_24, updated_at 2016_10_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2118
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Tor Module Download"; flow:established,to_server; content:"/tor/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/Ui"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2129
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/pm\d?\.dll$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2016_07_01, malware_family MalDocGeneric, performance_impact Low, updated_at 2017_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2149
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET"; http_method; content:".php?f="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/U"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_28, performance_impact Low, updated_at 2017_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2211
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; metadata: former_category CURRENT_EVENTS; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_29, performance_impact Moderate, updated_at 2017_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2279
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"/mang.bbk"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/mang\.bbk$/Ui"; metadata: former_category CURRENT_EVENTS; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_30, malware_family Maldoc, performance_impact Moderate, updated_at 2017_03_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2280
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neverquest/Vawtrak Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/viewforum.php?f="; http_uri; fast_pattern:only; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/U"; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream"; http_header; metadata: former_category CURRENT_EVENTS; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:3; metadata:created_at 2014_06_06, updated_at 2017_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2334
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_19, performance_impact Low, updated_at 2017_06_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2385
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; content:".hta"; nocase; fast_pattern; http_uri; pcre:"/\.hta(?:[?&]|$)/Ui"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; metadata: former_category CURRENT_EVENTS; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, cve 2017_0199, created_at 2017_07_07, updated_at 2017_07_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2392
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2016_08_11, performance_impact Low, updated_at 2017_07_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2405
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; metadata: former_category CURRENT_EVENTS; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:trojan-activity; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RigEK, signature_severity Major, created_at 2017_08_01, malware_family RIG, updated_at 2017_08_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2432
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; pcre:"/\/[A-Za-z0-9]{5,9}\?+[A-Za-z0-9]{6,12}=[A-Za-z0-9]{6,12}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; http_header; depth:29; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; http_user_agent; fast_pattern:30,20; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; metadata: former_category CURRENT_EVENTS; reference:md5,cb558b04216e0e7a9c936945ebee6611; classtype:trojan-activity; sid:2024508; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_01, malware_family Nemucod, updated_at 2017_08_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2433
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Maldoc Downloader Aug 18 2017"; flow:established,to_server; content:"/s.php?id="; http_uri; depth:10; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/s\.php\?id=[a-z0-9]{2,6}$/U"; metadata: former_category CURRENT_EVENTS; reference:md5,5285f1adfc0013fa86218a7d76c0016d; classtype:trojan-activity; sid:2024600; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2017_08_21, malware_family Maldoc, performance_impact Low, updated_at 2017_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2488
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Qtloader encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|1a 3d d0 28 82 1a 6f 08|"; depth:8; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2622
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Qtloader encrypted check-in response Oct 19 (1)"; flow:established,to_client; file_data; content:"|0c 3c|"; depth:2; content:"|04 a3|"; distance:1; within:2; metadata: former_category CURRENT_EVENTS; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2623
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; content:"GET"; http_method; content:"/system/"; depth:8; http_uri; nocase; fast_pattern; pcre:"/^(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/URi"; http_header_names; content:!"Referer"; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:5; metadata:created_at 2016_05_24, updated_at 2016_05_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2673
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern; content:!"Mozilla/"; http_user_agent; content:!"MstarUpdate"; http_header; content:!".bitdefender.com"; http_host; content:!".homestead.com"; http_host; pcre:"/\/[a-z0-9]+\/[a-z0-9]+\.exe$/Ui"; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; metadata: former_category CURRENT_EVENTS; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:7; metadata:created_at 2015_04_01, updated_at 2017_03_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2675
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Qtloader encrypted check-in Oct 19 M1"; flow:established,to_server; content:"|2c 45 32 4d f1 38 55|"; depth:7; http_client_body; fast_pattern; metadata: former_category CURRENT_EVENTS; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_12_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2701
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Napolar / Shifu SSL Cert Oct 9 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|19|secure.barrentomedear.com"; distance:1; within:26; metadata: former_category CURRENT_EVENTS; reference:md5,958804a1191cb281a3a967de17763cf4; classtype:trojan-activity; sid:2019376; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_10_09, updated_at 2018_03_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 2863
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:12; metadata:created_at 2012_05_03, updated_at 2016_07_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3135
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3136
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:9; metadata:created_at 2012_05_03, updated_at 2016_07_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3137
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_src; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3162
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; content:"GET"; http_method; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; content:"If-Modified-Since|3a 20 20|"; http_raw_header; content:"Keep-Alive|3a 20 20|"; http_raw_header; content:"Connection|3a 20 20|"; http_raw_header; content:"User-Agent|3a 20 20|"; http_raw_header; threshold: type both, count 1, seconds 60, track by_dst; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3163
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE "; flow:to_server,established; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; http_header; fast_pattern:only; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:3; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_11_28, updated_at 2016_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3490
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:48 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; http_header; fast_pattern:only; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; http_client_body; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:3; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, deployment Perimeter, signature_severity Major, created_at 2016_11_28, performance_impact Low, updated_at 2016_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3491
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PlaySushi User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|psi "; http_header; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:trojan-activity; sid:2014261; rev:2; metadata:created_at 2012_02_21, updated_at 2012_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3876
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent|3a| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:4; metadata:created_at 2012_01_21, updated_at 2012_01_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3877
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameVance Adware Checkin"; flow:established,to_server; content:"/inst.asp?d="; http_uri; content:"&cl="; http_uri; content:"&l="; http_uri; content:"&e="; http_uri; content:"&v="; http_uri; content:"&uid="; http_uri; content:"&time="; http_uri; content:"&win="; http_uri; content:"&ac="; http_uri; content:"&ti="; http_uri; content:"&xv="; http_uri; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014339; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3878
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LoudMo.Adware Checkin"; flow:established,to_server; content:"/?aff="; http_uri; content:"Host|3A 20|www.gamebound.com"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:trojan-activity; sid:2014400; rev:3; metadata:created_at 2012_03_19, updated_at 2012_03_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3949
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dialer.Adultchat Checkin"; flow:established,to_server; content:"/getclientid.wnk?srv="; http_uri; content:"&ver="; http_uri; content:"&pin="; http_uri; content:"&OSInfo2="; http_uri; content:"&cinfo="; http_uri; content:"retryattempt="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:trojan-activity; sid:2014667; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3951
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/rdc/rnd.php"; http_uri; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:trojan-activity; sid:2014767; rev:5; metadata:created_at 2012_05_18, updated_at 2012_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3953
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGames Checkin"; flow:established,to_server; content:"/game"; http_uri; content:"/diary/item/"; http_uri; content:"User-Agent|3A| getURLDown|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015017; rev:4; metadata:created_at 2012_07_03, updated_at 2012_07_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3956
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2006361; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3958
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; content:"?data="; http_uri; content:"&version="; http_uri; distance:0; content:"win32"; http_user_agent; depth:5; fast_pattern; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:trojan-activity; sid:2016780; rev:4; metadata:created_at 2013_04_22, updated_at 2013_04_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3981
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware pricepeep Adware.Shopper.297"; flow: established,to_server; content:"GET"; nocase; http_method; content:"/logger/software/hit/"; nocase; http_uri; content:"/?v."; nocase; http_uri; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:trojan-activity; sid:2016917; rev:2; metadata:created_at 2013_05_22, updated_at 2013_05_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3989
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Ezula Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/UVid.asp?"; fast_pattern:only; http_uri; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:trojan-activity; sid:2016938; rev:3; metadata:created_at 2013_05_28, updated_at 2013_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3990
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tibs Checkin"; flow:established,to_server; content:"/adv/"; nocase; http_uri; content:".php?a1="; nocase; http_uri; content:"&a2=Type of Processor|3a|"; nocase; http_uri; content:"&a3=Windows version is "; nocase; http_uri; content:"&a4=Build|3a|"; nocase; http_uri; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:trojan-activity; sid:2002955; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 3991
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; content:"/downloads/icons.dat"; http_uri; fast_pattern:only; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017881; rev:3; metadata:created_at 2013_12_17, updated_at 2013_12_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4002
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GMUnpackerInstaller.A Checkin"; flow:to_server,established; content:"/new/rar.xml"; fast_pattern:only; nocase; http_uri; content:!"User-Agent|3a| "; nocase; http_header; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017892; rev:2; metadata:created_at 2013_12_19, updated_at 2013_12_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4003
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; content:"/?step_id="; http_uri; content:"&publisher_id="; http_uri; content:"&page_id="; http_uri; content:"&country_code="; http_uri; content:"&browser_id="; http_uri; content:"&download_id="; http_uri; content:"&hardware_id="; http_uri; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017911; rev:2; metadata:created_at 2014_12_30, updated_at 2014_12_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4004
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?report_version="; http_uri; content:"data="; http_client_body; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017912; rev:2; metadata:created_at 2014_12_30, updated_at 2014_12_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4005
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; content:"/updater/"; http_uri; content:"UpdaterResponse"; http_user_agent; depth:15; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018024; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4006
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; content:"POST"; content:"UpdaterResponse"; http_user_agent; fast_pattern; depth:15; pcre:"/^\x2F[A-F0-9]{25,40}$/U"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018025; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4007
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent EXE2"; flow: established,to_server; content:"EXE2"; nocase; depth:4; http_user_agent; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018049; rev:3; metadata:created_at 2014_01_31, updated_at 2014_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4008
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Magania"; flow: established,to_server; flowbits:set,EXE2; flowbits:noalert; content:"GET"; http_method; content:".txt"; http_uri; content:"EXE2"; depth:4; fast_pattern; nocase; http_user_agent; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; content:!"Connection|3a| "; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018050; rev:4; metadata:created_at 2014_01_31, updated_at 2014_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4009
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent Mozi11a"; flow: established,to_server; content:"Mozi11a"; depth:7; http_user_agent; reference:md5,3cf3d4d5de51a8c37e11595159179571; classtype:trojan-activity; sid:2018051; rev:4; metadata:created_at 2014_01_31, updated_at 2014_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4010
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (gettingAnswer)"; flow: established,to_server; content:"gettingAnswer"; depth:13; nocase; http_user_agent; reference:md5,c305a0af3fe84525a993130b7854e3e0; classtype:trojan-activity; sid:2018084; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4012
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BetterInstaller"; flow:to_server,established; content:"GET"; http_method; content:"?v="; http_uri; content:"&uid="; http_uri; content:"&muid="; http_uri; pcre:"/[a-f0-9]{32}\?v=/Ui"; reference:md5,efa0bed2695446eab679083a9f0f89c6; classtype:trojan-activity; sid:2018195; rev:3; metadata:created_at 2014_01_15, updated_at 2014_01_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4014
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.AdWare.iBryte.C Install "; flow:established,to_server; content:"/offers.json?version="; http_uri; content:"&pid=installer&ts="; http_uri; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:trojan-activity; sid:2018197; rev:2; metadata:created_at 2014_02_28, updated_at 2014_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4015
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; content:"/report.php?user_id="; fast_pattern; http_uri; content:"&status="; http_uri; content:"&country_id="; http_uri; content:"Windows Internet"; depth:16; http_user_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:trojan-activity; sid:2001472; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4017
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; http_uri; content:"&ver="; http_uri; content:"&bic="; fast_pattern:only; http_uri; content:"&app="; http_uri; content:"&appver="; http_uri; content:"&verifier="; http_uri; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:trojan-activity; sid:2018301; rev:3; metadata:created_at 2012_10_05, updated_at 2012_10_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4018
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.MSIL.Solimba.b GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/dmr/access/"; http_uri; content:"DownloadMR"; nocase; depth:10; http_user_agent; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016905; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4019
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.MSIL.Solimba.b POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/dmr/exception"; http_uri; content:"DownloadMR"; depth:10; nocase; http_user_agent; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016906; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4020
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent Smart-RTP"; flow: established,to_server; content:"Smart-RTP"; depth:9; nocase; http_user_agent; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; classtype:trojan-activity; sid:2016915; rev:5; metadata:created_at 2013_05_22, updated_at 2013_05_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4021
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/product-am.php?id="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&offer["; distance:0; http_uri; content:"NSISDL/1.2 (Mozilla)"; depth:20; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:trojan-activity; sid:2018307; rev:4; metadata:created_at 2014_03_19, updated_at 2014_03_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4022
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Slv="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&admin="; http_client_body; content:"&browser="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltUser="; http_client_body; content:"&ver="; http_client_body; content:"&ts="; http_client_body; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:trojan-activity; sid:2018324; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4023
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Amonetize.Downloader Executable Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/bundle/"; http_uri; content:"/?p="; http_uri; content:"zz_afi"; depth:6; http_user_agent; reference:md5,23246f740cffc0bd9eb5be2e7703568a; classtype:trojan-activity; sid:2018333; rev:4; metadata:created_at 2014_03_28, updated_at 2014_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4024
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; content:"/api/success/?s="; http_uri; fast_pattern:only; content:"&c="; http_uri; content:"&cv="; http_uri; content:"&context="; http_uri; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017880; rev:6; metadata:created_at 2013_12_17, updated_at 2013_12_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4028
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.PUQD Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/debug/Version/"; fast_pattern:only; http_uri; content:"/trace/"; http_uri; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:trojan-activity; sid:2017945; rev:3; metadata:created_at 2014_01_08, updated_at 2014_01_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4032
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/evt/?nexcb="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/U"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:trojan-activity; sid:2018565; rev:3; metadata:created_at 2014_06_16, updated_at 2014_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4033
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.MultiInstaller checkin 2"; flow:established, to_server; content:"GET"; http_method; content:"/entrance?s1="; depth:13; http_uri; pcre:"/^\/entrance\?s1=[a-f0-9]{100,}$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,c610d46d97c1b80f027f56d227a003f7; classtype:trojan-activity; sid:2018590; rev:2; metadata:created_at 2014_06_20, updated_at 2014_06_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4035
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OptimizerPro Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/op?sid="; http_uri; content:"&dt="; http_uri; distance:0; content:"&gid="; http_uri; distance:0; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,eba3a996f5b014b2d410f4bf32b8530b; classtype:trojan-activity; sid:2018742; rev:3; metadata:created_at 2013_12_11, updated_at 2013_12_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4036
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SearchSuite Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:23; content:"/install_statistics.php"; fast_pattern; http_uri; depth:23; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE|3B| Win32)"; http_header; content:"XML="; http_client_body; depth:4; content:!"Referer|3a|"; http_header; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:trojan-activity; sid:2018753; rev:2; metadata:created_at 2014_07_23, updated_at 2014_07_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4038
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MultiPlug.A checkin"; flow:to_server,established; content:"get/?ver="; http_uri; content:"&aid="; http_uri; distance:0; content:"&hid="; http_uri; distance:0; content:"&rid="; http_uri; distance:0; content:"&data="; http_uri; distance:0; content:"&report="; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/U"; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; classtype:trojan-activity; sid:2018867; rev:2; metadata:created_at 2014_08_01, updated_at 2014_08_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4039
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; content:"GET"; http_method; content:".exe?mode="; fast_pattern:only; http_uri; content:"&subid="; http_uri; content:"&filedescription="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:trojan-activity; sid:2018367; rev:7; metadata:created_at 2014_04_07, updated_at 2014_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4040
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:13<>18; content:"POST"; http_method; content:"/?pcrc="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/^\/\?pcrc=[0-9]{7,10}$/U"; content:"0A0Czut"; depth:7; http_client_body; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:trojan-activity; sid:2019511; rev:5; metadata:created_at 2014_10_27, updated_at 2014_10_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4045
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DealPly Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/pxl/"; http_uri; fast_pattern:only; content:"e=-1"; http_uri; content:"&c="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:trojan-activity; sid:2019622; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4046
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; content:"Softonic Downloader/"; http_user_agent; reference:md5,1047b186bb2822dbb5907cd743069261; classtype:trojan-activity; sid:2014355; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4047
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32.SoftPulse Checkin"; flow: established, to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla|29|"; depth:20; http_user_agent; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; http_client_body; content:"|22|machine_ID|22 3a 22|"; distance:0; http_client_body; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:trojan-activity; sid:2018557; rev:6; metadata:created_at 2014_06_11, updated_at 2014_06_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4048
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DomaIQ Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&X64="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltSys="; http_client_body; content:"&lang_DfltUser="; http_client_body; reference:md5,9befc43d2019c5614e7372a16e3a5ce5; classtype:trojan-activity; sid:2019944; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4051
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP W32/DownloadGuide.D"; flow:established,to_server; content:"POST"; http_method; content:"/config-from-production"; http_uri; content:"{|22|os|22 3A 22|"; http_client_body; depth:7; content:"|22|lang|22 3A 22|"; http_client_body; distance:0; content:"|22|uid|22 3A 22|"; http_client_body; distance:0; content:"|22|prod|22 3A 22|"; http_client_body; distance:0; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; classtype:trojan-activity; sid:2019974; rev:2; metadata:created_at 2014_12_18, updated_at 2014_12_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4052
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware User-Agent"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:"WinWrapper"; depth:10; http_user_agent; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020629; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4058
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; content:"GET"; http_method; content:"/launch/?c="; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"&m="; http_uri; content:"&l="; http_uri; content:"&b="; http_uri; content:"&sid="; http_uri; content:"&os="; http_uri;  reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:trojan-activity; sid:2018095; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4059
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"/log/?"; http_uri; fast_pattern; content:"="; distance:1; within:1; http_uri; content:"&d="; distance:0; http_uri; content:"&o="; http_uri; content:"&r="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/U"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:trojan-activity; sid:2020701; rev:2; metadata:created_at 2015_03_16, updated_at 2015_03_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4060
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/AdWare.Sendori User-Agent"; flow:established,to_server; content:"Sendori-Client"; http_user_agent; depth:14; reference:url,isc.sans.edu/forums/diary/Suspect+Sendori+software/16466; reference:md5,aee8ddf3b36d60d33c571ee798b6bad6; classtype:trojan-activity; sid:2020881; rev:3; metadata:created_at 2015_04_08, updated_at 2015_04_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4061
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?sentry_version="; http_uri; content:"&sentry_client="; distance:0; http_uri; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:trojan-activity; sid:2021027; rev:2; metadata:created_at 2015_04_28, updated_at 2015_04_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4062
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:"postInstallReport"; http_client_body; fast_pattern; content:"machineId|22 3a 22|"; http_client_body; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:trojan-activity; sid:2021094; rev:3; metadata:created_at 2015_05_13, updated_at 2015_05_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4063
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP.GigaClicks Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/ver/"; http_uri; content:"/sid/"; http_uri; content:"instlog="; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:trojan-activity; sid:2021099; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4064
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?uid="; http_uri; content:"&affid="; distance:0; http_uri; content:"&inst_date="; distance:0; http_uri; fast_pattern; content:"&prod="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:trojan-activity; sid:2021173; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4065
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.FakeAV.SystemDefender Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; nocase; http_uri; content:"action=stat&wmid="; nocase; http_uri; content:"&event="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&i1"; nocase; http_uri; content:"&i2"; nocase; http_uri; reference:url,doc.emergingthreats.net/2008732; reference:md5,4d1df7240837832853c8b87606f3dfc2; classtype:trojan-activity; sid:2008732; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4068
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/update.php?p="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&id="; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|AutoUpdate|0d 0a|"; http_header; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:trojan-activity; sid:2021401; rev:2; metadata:created_at 2015_07_10, updated_at 2015_07_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4069
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DealPly Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?pcrc="; http_uri; depth:7; fast_pattern; content:"&v="; http_uri; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/U"; content:!"Referer|3a 20|"; http_header; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:trojan-activity; sid:2021618; rev:4; metadata:created_at 2015_08_12, updated_at 2015_08_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4072
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUA Boxore User-Agent"; flow:to_server,established; content:"BoxoreClent"; depth:11; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,5cb2e8a9b6935f228623c69f1b17669d; classtype:trojan-activity; sid:2021700; rev:3; metadata:created_at 2015_08_21, updated_at 2015_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4075
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DealPly Adware CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; http_uri; depth:4; fast_pattern; content:"&pcrc="; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/U"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:trojan-activity; sid:2022354; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4078
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SmartTab PUP Install Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/v"; http_uri; depth:2; content:".asp"; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b| Indy Library|29 0d 0a|"; http_header; fast_pattern:32,20; pcre:"/\/v\d\/[^.]+\.asp$/Ui"; reference:md5,84fcdf1cd6dc3ee71686835f9489752c; classtype:trojan-activity; sid:2022694; rev:2; metadata:created_at 2016_04_01, updated_at 2016_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4079
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".sh?do="; http_uri; content:"&d="; http_uri; content:"&inj="; http_uri; content:"&cl="; http_uri; content:"&cs="; http_uri; content:"&id="; http_uri; content:"&se="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; http_header; fast_pattern:5,20; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022716; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4080
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 1"; flow:established,to_server; content:"GET"; http_method; content:"?mid="; http_uri; fast_pattern; content:"User-Agent|3a 20|curl/"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(cld|update-effect)\?mid=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&(ct|st)=[a-z0-9]+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022717; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4081
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 2"; flow:established,to_server; content:"POST"; http_method; content:!"."; http_uri; content:"User-Agent|3a 20|curl/"; http_header; content:"vs_mid="; http_client_body; depth:7; fast_pattern; content:"&br_mid="; http_client_body; content:"&event_type="; http_client_body; content:"diss URL"; http_client_body; nocase; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022718; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4082
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit Web Injects"; flow:established,to_server; content:"GET"; http_method; content:"/mu?id="; http_uri; fast_pattern; content:"&d="; http_uri; content:"&cl="; http_uri; pcre:"/\/mu\?id=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&d=[A-Za-z]+&cl=\d+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022719; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4083
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; content:"POST"; http_method; content:"/u/"; depth:3; http_uri; fast_pattern; content:"Connection|3a| Close|0d 0a|"; nocase; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; content:!"Accept"; http_header; content:!"Referer|3a|"; nocase; http_header; content:"a="; depth:2; http_client_body; content:"&c="; http_client_body; distance:0; content:"&r="; http_client_body; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/P"; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:trojan-activity; sid:2022723; rev:2; metadata:created_at 2016_04_11, updated_at 2016_04_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4085
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/MediaGet.Adware Installer Download"; flow:established,to_client; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; http_raw_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:trojan-activity; sid:2014353; rev:6; metadata:created_at 2012_03_09, updated_at 2012_03_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4086
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Successful QuizScope Installation"; flow:established,to_server; content:"GET"; http_method; content:"/qscope/ithankyou"; depth:17; fast_pattern; http_uri; reference:md5,4dae2a394b792c36936a88cfc296f9b9; classtype:trojan-activity; sid:2022812; rev:2; metadata:created_at 2016_05_17, updated_at 2016_05_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4087
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SearchProtect PUA User-Agent Observed"; flow:established,to_server; content:"SearchProtect|3b|"; depth:14; http_user_agent; reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87; classtype:trojan-activity; sid:2022813; rev:2; metadata:created_at 2016_05_17, updated_at 2016_05_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4088
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conduit Trovi Adware/PUA"; flow:established,to_server; content:"GET"; http_method; content:"/?gd="; http_uri; depth:5; fast_pattern; content:"&ctid="; http_uri; distance:0; content:"&octid="; http_uri; distance:0; content:"&SSPV="; http_uri; distance:0; reference:md5,069ce8c2a553f9bc5a9599d7541943ce; classtype:trojan-activity; sid:2022814; rev:2; metadata:created_at 2016_05_17, updated_at 2016_05_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4089
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Toolbar.WIDGI User-Agent (WidgiToolbar-)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"WidgiToolbar-"; depth:13; http_user_agent; reference:md5,1785f9784cb4e7400ed6f2c8f0e421c2; classtype:trojan-activity; sid:2022826; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4095
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP/DriverRestore Sending System Information to Affiliate"; flow:established,to_server; content:".jsp?leadTrackerId="; http_uri; content:"|22|ComputerName|22|"; http_uri; distance:0; content:"|22|UserName|22|"; http_uri; distance:0; content:"|22|IsAdmin|22|"; http_uri; distance:0; content:"User-Agent|3a 20|DriverRestore/"; http_header; fast_pattern:6,20; content:!"Referer|3a 20|"; http_header; reference:md5,4f7f497668e3e716a6f4a53af0924a25; classtype:trojan-activity; sid:2022827; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4096
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TopTools PUP Install Activity"; flow:established,to_server; content:"POST"; http_method; content:"_install.cgi"; http_uri; content:"User-Agent|3a 20|BIDUI18N|0d 0a|"; http_header; content:"name=|22|ufile01|22 3b 20|filename=|22|boundary|22|"; http_client_body; fast_pattern; content:"Content-Type|3a 20|application/octet-stream"; http_client_body; distance:0; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3e464cff8690c7a2f57542688a278c62; classtype:trojan-activity; sid:2022829; rev:2; metadata:created_at 2016_05_19, updated_at 2016_05_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4097
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CloudScout Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/QualityCheck/"; http_uri; fast_pattern; content:".php"; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:"dp="; http_client_body; depth:3; content:"&sdp="; http_client_body; distance:0; content:"&a="; http_client_body; distance:0; pcre:"/\.php$/U"; reference:md5,c732b52b245444e3f568d372ce399911; classtype:trojan-activity; sid:2019780; rev:8; metadata:created_at 2014_11_24, updated_at 2016_05_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4098
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern; depth:4; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:"+"; http_raw_uri; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,6b95ddc5238cc0576db7b206af13339e; classtype:trojan-activity; sid:2023707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_09, malware_family PUA, performance_impact Low, updated_at 2017_01_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4102
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; content:"/Check.ashx?"; depth:12; http_uri; content:"&e="; http_uri; content:"&n="; http_uri; content:"&mv="; http_uri; content:!"Referer|3a 20|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018026; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4105
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyGearPro Proxy Tool PUA"; flow:to_server,established; content:"GET"; http_method; content:"Proxy|20|Gear|20|Pro/"; http_user_agent; fast_pattern; content:!"Referer|3a 20|"; http_header; metadata: former_category MALWARE; reference:md5,b8889db7b4ef74c9302c12781a92a23a; classtype:policy-violation; sid:2024484; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_20, performance_impact Moderate, updated_at 2017_07_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4123
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LoadMoney Adware Activity"; flow:to_server,established; content:"POST"; http_method; content:".htm?v="; http_uri; fast_pattern; content:"&eh="; distance:0; http_uri; content:"&ts="; distance:0; http_uri; content:"&u2="; distance:0; http_uri; content:"Cookie|3a 20|a=h+"; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:trojan-activity; sid:2024693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_12, malware_family Neshta, performance_impact Low, updated_at 2017_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4124
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; content:"GET"; http_method; content:"/maxpower-static/templates/"; depth:27; http_uri; http_header_names; content:!"Referer"; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:trojan-activity; sid:2019143; rev:5; metadata:created_at 2014_07_22, updated_at 2014_07_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4146
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/DownloadGuide.A"; flow:established,to_server; content:"POST"; http_method; content:"/1/dg/3"; http_uri; fast_pattern; content:"Content-Type|3a 20|application/json"; http_header; content:"{|22|BuildId|22 3a|"; http_client_body; content:"|22|Campaign|22|"; http_client_body; content:"|22|TrackBackUrl|22|"; http_client_body; http_header_names; content:!"Referer"; reference:md5,37b91123a58a48975770241445392aeb; classtype:trojan-activity; sid:2018513; rev:4; metadata:created_at 2014_06_02, updated_at 2014_06_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4147
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SoftPulse.H Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/__dmp__/"; http_uri; fast_pattern; content:"data={"; depth:6; http_client_body; http_header_names; content:!"Accept"; content:!"Connection"; content:!"Referer"; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:trojan-activity; sid:2019228; rev:4; metadata:created_at 2014_09_24, updated_at 2014_09_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4149
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BrowseFox.H Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:3; content:"/rs"; http_uri; content:"alpha="; http_client_body; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/PR"; http_header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,437a5cb57567c2691ce61a700682eab7; classtype:trojan-activity; sid:2018899; rev:4; metadata:created_at 2014_07_29, updated_at 2014_07_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4151
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"?v="; http_uri; fast_pattern; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/U"; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,129563c2ab034af094422db408d7d74f; classtype:trojan-activity; sid:2018368; rev:5; metadata:created_at 2014_04_07, updated_at 2014_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4152
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iBryte.Adware Installer Download"; flow:established,to_server; content:"GET"; http_method; content:".exe?mode="; http_uri; content:"&sf="; http_uri; content:"&browser="; http_uri; content:"&useragent="; http_uri; http_header_names; content:!"Referer"; reference:md5,4c80e5f72a2ab8324b981e37b3b0e5d1; classtype:trojan-activity; sid:2020197; rev:5; metadata:created_at 2015_01_16, updated_at 2015_01_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4153
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"CN=*.tr553.com"; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:trojan-activity; sid:2020712; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_19, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4154
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/ELEX Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/v"; depth:2; http_uri; content:"?update"; http_uri; fast_pattern; distance:0; pcre:"/^[0-9]?=[a-z]+/URi"; http_header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5, 2fed7fe9d055ebb63897bc2c8996676d; reference:md5,e2fd0d2c44e96cab5017bb8a68ca92a6; classtype:trojan-activity; sid:2019779; rev:6; metadata:created_at 2014_11_24, updated_at 2014_11_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4157
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/DownloadAssistant.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/launch/"; http_uri; isdataat:!1,relative; http_header_names; content:"X-Crypto-Version"; fast_pattern; content:!"User-Agent"; content:!"Referer"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:trojan-activity; sid:2021283; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4159
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern; content:"&appid="; http_uri; content:"&ts="; http_uri; content:"&dlip="; http_uri; content:"&dlid="; http_uri; content:"&proto="; http_uri; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; http_header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020627; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4162
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; content:"/dmresources/instructions"; fast_pattern; http_uri; content:".dat"; http_uri; content:"NSISDL/1.2 (Mozilla)"; depth:20; http_user_agent; http_protocol; content:"HTTP/1.0"; isdataat:!1,relative; http_header_names; content:!"Referer"; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; reference:url,www.virustotal.com/en/file/95e0eaaee080f2c167464ed6da7e4b7a27937ac64fd3e1792a1aa84c1aed488e analysis/; classtype:trojan-activity; sid:2017992; rev:8; metadata:created_at 2014_01_20, updated_at 2014_01_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4163
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/InstallCore Initial Install Activity 1"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; depth:4; http_uri; content:"&subver="; fast_pattern; distance:0; http_uri; content:"&pcrc="; distance:0; http_uri; pcre:"/^\/\?v=[\d\.]{3,4}&subver=[\d\.]{4,5}&pcrc=\d+$/U"; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,0a6a0baf77b80706cab665754ecadac9; classtype:trojan-activity; sid:2022807; rev:2; metadata:created_at 2016_05_16, updated_at 2016_05_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4165
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; content:"GET"; http_method; content:"?alpha="; http_uri; content:"NSIS_Inetc"; http_user_agent; depth:10; fast_pattern; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/U"; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:trojan-activity; sid:2022850; rev:3; metadata:created_at 2016_06_02, updated_at 2016_06_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4172
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.MultiInstaller"; flow:established, to_server; content:"GET"; http_method; content:"?s1="; http_uri; fast_pattern; pcre:"/^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$/U"; http_header_names; content:!"Referer"; reference:md5, 26973eeddb4781225b7c23d2d9cce996; reference:md5,a74b1602a50b9c7d3262e3f80a6a2e68; classtype:trojan-activity; sid:2018512; rev:6; metadata:created_at 2014_06_02, updated_at 2014_06_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4176
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PicColor Adware CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?d="; http_uri; content:"&format=json"; http_uri; isdataat:!1,relative; fast_pattern; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:trojan-activity; sid:2020948; rev:3; metadata:created_at 2015_04_20, updated_at 2015_04_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4177
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DownloadAssistant.A PUP CnC"; flow:established,to_server; content:"POST"; http_method; content:"/v2/"; http_uri; depth:4; fast_pattern; pcre:"/^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/))/U"; http_header_names; content:"X-Crypto-Version"; content:!"User-Agent"; reference:md5,a54f78d0fe6d1a1a09c22a71646c24b3; classtype:trojan-activity; sid:2021282; rev:3; metadata:created_at 2015_06_16, updated_at 2015_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4179
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern; content:"&appid="; http_uri; content:"&proto="; http_uri; content:"WinWrapper"; depth:10; http_user_agent; content:"{|22|appId|22 3a 22|"; http_client_body; content:"|22|uuId|22 3a 22|"; http_client_body; http_header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020628; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4180
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Gamevance.AV Checkin"; flow:established,to_server; content:"/aj/"; http_uri; fast_pattern; content:".php?p="; http_uri; http_header_names; content:!"Referer"; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:trojan-activity; sid:2017136; rev:5; metadata:created_at 2013_07_11, updated_at 2013_07_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4181
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; content:"POST"; http_method; content:"/q/"; depth:3; http_uri; fast_pattern; content:"q="; depth:2; http_client_body; pcre:"/^[a-zA-Z0-9_-]+$/PR"; http_connection; content:"close"; nocase; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:trojan-activity; sid:2025094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, tag Adware, signature_severity Major, created_at 2017_12_01, malware_family Adposhel, performance_impact Moderate, updated_at 2017_12_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4183
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LoadMoney Adware Activity M2"; flow:to_server,established; content:"GET"; http_method; content:"/software_install?sid="; http_uri; fast_pattern; content:"&sub_id="; distance:0; http_uri; content:"&hash="; distance:0; http_uri; content:"&mid="; distance:0; http_uri; content:"&fname="; distance:0; http_uri; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,844e53381099d572c3864c7a42ddbbf1; classtype:trojan-activity; sid:2025303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family Loadmoney, performance_impact Moderate, updated_at 2018_02_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4188
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.WinPCDefender Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?machine_id={"; http_uri; depth:14; fast_pattern; content:"}"; http_uri; distance:0; isdataat:!1,relative; content:!"Referer"; http_header; content:"anti"; http_host; depth:4; metadata: former_category MALWARE; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:trojan-activity; sid:2025358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_14, performance_impact Moderate, updated_at 2018_02_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4189
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; content:"User-Agent|3a 20|InstallCapital"; http_header; metadata: former_category TROJAN; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022246; rev:3; metadata:created_at 2015_12_11, updated_at 2018_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4190
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; dns_query; content:"suggedin.info"; nocase; isdataat:!1,relative; metadata: former_category MALWARE; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:trojan-activity; sid:2025531; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_17, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4200
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WiseCleaner Installed (PUA)"; flow:established,to_server; content:"POST"; http_method; content:".php?p=install_statistics"; nocase; http_uri; content:"wisecleaner.net"; http_host; fast_pattern; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http_user_agent; metadata: former_category MALWARE; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:trojan-activity; sid:2025589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4202
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antibody Software Installed (PUA)"; flow:established,to_server; content:"GET"; http_method; content:"version.php?ver="; nocase; http_uri; content:"&newinstall="; nocase; http_uri; distance:0; content:"antibody-software.com"; http_host; fast_pattern; content:"Embarcadero URI Client/1.0"; http_user_agent; metadata: former_category MALWARE; reference:url,antibody-software.com; reference:md5,8e22d630b992f9cb4d7f6b0aceebb37f; classtype:trojan-activity; sid:2025590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4203
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Adload.AT Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern; content:"source="; http_uri; content:"&event="; http_uri; content:"&implementation_id="; http_uri; content:"user_id="; http_uri; content:"&useragent="; http_uri; content:"&sgn="; http_uri; content:"&subid2="; http_uri; content:"&ts="; http_uri; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category MALWARE; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:trojan-activity; sid:2022893; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Adware, signature_severity Major, created_at 2016_06_13, malware_family MSIL_Adload, updated_at 2018_06_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4204
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Win32/Adware.Adposhel.lgvk CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/inst?data="; http_uri; nocase; content:"Installer event sender/"; http_user_agent; depth:23; fast_pattern; isdataat:!3,relative; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,e7c2c1b796dad6210165110b7e8cda7d; classtype:trojan-activity; sid:2025645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_10, malware_family Adposhel, performance_impact Low, updated_at 2018_07_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4205
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern:only; http_uri; content:"&wid="; http_uri; content:"&type="; http_uri; content:"&step="; http_uri;  reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_12_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4239
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"Dalvik/"; http_user_agent; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4240
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_02_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4241
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_user_agent; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4243
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; content:"GET"; http_method; content:"/bookmark/getServiceCode?price="; http_uri; fast_pattern:only; content:"Dalvik"; depth:6; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:3; metadata:created_at 2014_03_24, updated_at 2014_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4259
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4260
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; content: "device_id="; http_uri; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/URi"; content:"&app_id="; http_uri; pcre:"/^[a-f0-9]{30,35}&app_package_name=/URi"; content: "screen_density="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4261
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern:only; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_06_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4262
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; content:"POST"; http_method; content:"/youxi_up.php"; fast_pattern:only; http_uri; content:"--*****|0d 0a|Content-Disposition|3a| form-data|3b| name=|22|npki|22|"; depth:52; http_client_body; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:3; metadata:created_at 2014_06_19, updated_at 2014_06_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4264
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/webviewAdReq"; nocase; depth:13; http_uri; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4265
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; content:"POST"; http_method; content:"/flash/api.php?id="; http_uri; fast_pattern:only; pcre:"/^\/flash\/api\.php\?id=\d/U"; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4266
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:14; content:"/api33/api.php"; http_uri; fast_pattern:only; content:"method="; depth:7; http_client_body; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4267
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/1/?1"; http_uri; fast_pattern:only; content:"{|22|n|22 3a 22|"; depth:6; http_client_body; content:"|22 2c 22|d|22 3a 22|"; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_25, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4268
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/message.php"; http_uri; fast_pattern:only; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4269
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4270
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/path/DeviceManager.php"; nocase; depth:23; http_uri; content:"func="; depth:5; http_client_body; content:"&deviceid="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header;  reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4271
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=counter&app_key="; depth:23; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4272
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"method=devicestatus"; http_client_body; fast_pattern:only; content:"&app_key="; offset:19; http_client_body; content:"&imei="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_08_18, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4273
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:15; content:"/report/install"; http_uri; fast_pattern:only; content:"data="; http_client_body; depth:5; content:"os="; http_client_body; distance:0; content:"mac="; http_client_body; distance:0; content:"sign="; http_client_body; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:trojan-activity; sid:2019125; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_09_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4274
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; content:"/updatesrv.aspx?f=1"; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4275
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; content:"/updatesrv.aspx?f=2&uuid="; http_uri; fast_pattern:only; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:2; metadata:created_at 2014_09_15, updated_at 2014_09_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4276
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetConnect.aspx"; http_uri; content:"&tIMEI="; http_uri; content:"&tIMSI="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4277
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/TargetUploadGps.aspx"; http_uri; content:"tmac="; http_uri; content:"&JZ="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4278
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/TargetUploadFile.aspx"; http_uri; content:"tmac="; http_uri; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4279
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; content:"GET"; http_method; nocase; urilen:18; content:"/CheckLibrary.aspx"; http_uri; content:!"Referer|3a|"; http_header; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:2; metadata:created_at 2014_10_01, updated_at 2014_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4280
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/SGCommand.aspx?sgcommand="; fast_pattern:6,20; http_uri; content:"&uid="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&value="; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"|20|Android|20|"; http_user_agent; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_11_25, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4281
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established;  content:"POST"; http_method; nocase; content:"/contacts"; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:"contact|25|26="; depth:11; fast_pattern; http_client_body; pcre:"/\/contacts$/U";  reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_02, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4286
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; content:"/input_data_get_contact.asp?user="; http_uri; content:"&pwd="; http_uri; content:"&addr="; http_uri; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:trojan-activity; sid:2020353; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_02_03, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4287
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; content:"/api/log.html|3f|"; http_uri; fast_pattern; content:"c="; http_uri; content:"&o="; http_uri; content:"&n="; http_uri; content:"Apache-HttpClient"; depth:18; http_user_agent; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_03_23, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4290
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"User-Agent|3a 20|"; http_header; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http_client_body; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_06_04, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4292
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 5.2|29 20|"; http_header; content:"appid="; depth:6; http_client_body; content:"&model="; http_client_body; content:"&imei="; fast_pattern:only; http_client_body; content:"&connect="; http_client_body; content:"&dpi="; http_client_body; content:"&width="; http_client_body; content:"&cpu="; http_client_body; content:"&phoneno="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4293
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; content:"/landing?c="; fast_pattern:only; http_uri; content:"&g="; http_uri; content:"&a="; http_uri; content:"&s1="; http_uri; content:"&s2="; http_uri; content:"&s3="; http_uri; content:"&s4="; http_uri; content:"&s5="; http_uri; content:"&s6="; http_uri; content:"&s7="; http_uri; content:"&s8="; http_uri; content:"&s9="; http_uri; content:"&s10="; http_uri; content:"&s11="; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_07, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4294
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"uuid="; http_client_body; content:"language="; http_client_body; content:"appkey"; http_client_body; content:"model="; http_client_body; content:"operatorsname="; fast_pattern:only; http_client_body; content:"networkname="; http_client_body; content:"networktype="; http_client_body; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_06, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4295
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|tinduongpho|03|com|00|"; fast_pattern; distance:0; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_07_14, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4296
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; content:".php?v="; http_uri; content:"&brok="; fast_pattern:only; http_uri; content:"&u="; http_uri; content:"&id="; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/&id=\d{15}$/U"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_10_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4300
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c  Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:"{|22|type|22 3a|"; depth:8; http_client_body; content:",|22|text|22 3a|"; http_client_body; content:",|22|code|22 3a|"; fast_pattern:only; http_client_body; content:",|22|from|22 3a|"; http_client_body; content:"|22|}"; http_client_body; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_11_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4308
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pc35hiptpcwqezgs"; nocase; distance:0; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4311
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yuwurw46taaep6ip"; nocase; distance:0; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4312
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|voooxrrw2wxnoyew"; nocase; distance:0; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2016_02_23, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4313
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a 20|"; http_header; content:",|22|model|22 3a|"; http_client_body; content:",|22|apps|22 3a 5b 22|"; http_client_body; content:",|22|imei|22 3a|"; fast_pattern:only; http_client_body; pcre:"/^\{\x22(?:os|type)\x22\x3a/P";   reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2015_12_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4314
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmdxiawceahpbhmb|03|com"; nocase; distance:0; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_07_18, performance_impact Low, updated_at 2016_07_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4316
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cards_json.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"bot_id="; depth:7; fast_pattern; http_client_body; content:"&info="; http_client_body; content:"cardNum"; http_client_body; pcre:"/^bot_id=[a-f0-9]{32}&/P"; pcre:"/\.php$/U"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_03, performance_impact Low, updated_at 2016_11_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4318
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/RequestActionsToExecute"; fast_pattern; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|CommandLine|22 3a|"; depth:15; http_client_body; content:",|22|CurrentDirectory|22 3a|"; http_client_body; pcre:"/\/RequestActionsToExecute$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4321
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/NotifyLog"; fast_pattern:only; http_uri; content:"|20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|ClientId|22 3a|"; depth:12; http_client_body; content:",|22|Date|22 3a|"; http_client_body; pcre:"/\/NotifyLog$/U"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4322
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:trojan-activity; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_15, updated_at 2016_11_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4323
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; content:"lm="; http_uri; content:"/watch/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4326
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; content:"lm="; http_uri; content:"/find/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4327
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; content:"lm="; http_uri; content:"/results/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4328
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; content:"lm="; http_uri; content:"/open/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4329
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; content:"lm="; http_uri; content:"/close/?"; fast_pattern:only; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2016_12_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4330
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4331
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|rockybalboa|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4332
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|storegoogle|02|at|00|"; nocase; distance:0; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, created_at 2017_01_09, updated_at 2017_01_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4333
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http_header; content:!"Referer|3a 20|"; http_header; content:"&method="; fast_pattern:only; http_client_body; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/P"; pcre:"/\.php$/U"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023933; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4334
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/functions.php"; fast_pattern:only; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:"apslst="; depth:7; http_client_body; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_02_16, performance_impact Low, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4335
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/n/"; http_uri; content:!"Referer|3a 20|"; http_header; content:"content=eyJ"; http_client_body; depth:11; fast_pattern; content:!"Accept|3a|"; http_header; pcre:"/\/n\/\d{15}$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:trojan-activity; sid:2018630; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_07_03, updated_at 2017_03_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4342
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/sdk_api.php?id="; fast_pattern:only; http_uri; content:"&type="; http_uri; content:"Apache-HttpClient/"; depth:18; http_user_agent; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4347
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; metadata: former_category MOBILE_MALWARE; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_04_11, malware_family Android_Ewind, updated_at 2017_04_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4348
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/send_sim_no.php|20|HTTP/1."; fast_pattern; content:!"Referer|3a 20|"; http_header; content:"_no="; http_client_body; depth:16; metadata: former_category MOBILE_MALWARE; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2013_11_27, updated_at 2017_04_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4349
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/ad-"; http_uri; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"RgQ7"; depth:4; fast_pattern; http_client_body; pcre:"/\/ad-(?:strat|devi)\/$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android_07012016, signature_severity Major, created_at 2017_06_19, updated_at 2017_06_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4350
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; content:"/inj/injek-1.php?id="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/U"; metadata: former_category MOBILE_MALWARE; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:trojan-activity; sid:2024426; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_06_26, malware_family Android_Marcher, updated_at 2017_06_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4351
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/get.php|20|HTTP/1."; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"info"; http_client_body; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/P"; metadata: former_category MOBILE_MALWARE; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2014_04_17, malware_family Android_Hqwar, updated_at 2017_07_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4352
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|axclick|05|store|00|"; fast_pattern; distance:0; nocase; metadata: former_category MOBILE_MALWARE; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_08_28, malware_family Android_WireX, updated_at 2017_08_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4355
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gt|20|HTTP/1."; fast_pattern:only; content:"|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Type|3a 20|application/json|0d 0a|"; http_header; content:"|3b 20|Android|20|"; http_user_agent; content:!"Referer|3a 20|"; http_header; metadata: former_category MOBILE_MALWARE; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:trojan-activity; sid:2024765; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_09_25, malware_family Android_RedAlert, updated_at 2017_09_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4372
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern:only; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; metadata: former_category MOBILE_MALWARE; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:trojan-activity; sid:2024895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_23, malware_family Android_JadeRAT, updated_at 2017_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4373
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; metadata: former_category MOBILE_MALWARE; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:trojan-activity; sid:2024896; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2017_10_23, malware_family Android_JadeRAT, updated_at 2017_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4374
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1"; dns_query; content:"loaderclientarea24.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025014; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4379
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2"; dns_query; content:"loaderclientarea22.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025015; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4380
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3"; dns_query; content:"loaderclientarea20.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025016; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4381
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4"; dns_query; content:"loaderclientarea15.ru"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025017; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, created_at 2017_11_22, updated_at 2017_11_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4382
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; content:!"&ComPut="; http_uri; http_header_names; content:!"User-Agent"; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2016_11_01, performance_impact Low, updated_at 2016_11_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4384
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup"; dns_query; content:"sagdzusghcsh.top"; nocase; isdataat:!1,relative; metadata: former_category MOBILE_MALWARE; reference:md5,ccefe18d7b9bc31a8673b9bf82104f48; classtype:trojan-activity; sid:2025273; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2018_01_30, malware_family Android_Marcher, updated_at 2018_01_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4385
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"lm="; http_uri; content:"/search/?"; fast_pattern:only; http_uri; content:!"&clid="; http_uri; content:!"&banerid="; http_uri; content:!"&win="; http_uri; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/U"; metadata: former_category MOBILE_MALWARE; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:3; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, signature_severity Major, created_at 2016_12_23, malware_family Fancy_Bear, updated_at 2018_02_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4386
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; metadata: former_category MOBILE_MALWARE; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_07_25, malware_family Android_GoldenRat, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4397
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/admin/data/collectdata-new.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"okhttp/"; depth:7; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|a|22 3a|"; depth:5; http_client_body; content:"|22|b|22 3a|[{|22|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025987; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Major, created_at 2018_08_13, malware_family ANdroid_CrazyMango, updated_at 2018_08_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4448
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a CnC Beacon"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/admin/newuser.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"okhttp/"; depth:7; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|imei|22 3a|"; depth:8; http_client_body; content:"|22|tag|22 3a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025988; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_08_13, malware_family ANdroid_CrazyMango, updated_at 2018_08_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4449
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/admin/data/fcollectdata.php"; http_uri; fast_pattern; isdataat:!1,relative; content:"okhttp/"; depth:7; http_user_agent; content:!"Referer|3a 20|"; http_header; content:"{|22|category|22 3a|"; http_client_body; metadata: former_category MOBILE_MALWARE; reference:md5,b603017bbcee17a76f5b0ee478d2d935; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025989; rev:2; metadata:affected_product Android, attack_target Mobile_Client, deployment Perimeter, tag Android, signature_severity Critical, created_at 2018_08_13, malware_family ANdroid_CrazyMango, updated_at 2018_08_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 4450
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_12_30, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5208
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2011_12_30, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5209
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nuclear Checkin"; flow:established,to_server; content:".htm"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)"; http_header; content:"HOST|3A 20|"; http_header; reference:md5,bd4af162f583899eeb6ce574863b4db6; classtype:trojan-activity; sid:2014121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_01_12, malware_family Nuclear, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5215
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:trojan-activity; sid:2014145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2012_01_23, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5217
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; content:"/gate.php?username="; http_uri; content:"&country="; http_uri; content:"&OS="; http_uri; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:trojan-activity; sid:2014164; rev:2; metadata:created_at 2012_01_27, updated_at 2012_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5218
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; content:"[UPDATE]|0D 0A|VER ="; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:trojan-activity; sid:2014166; rev:2; metadata:created_at 2012_01_27, updated_at 2012_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5219
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; content:"[DBINFO]|0D 0A|Info ="; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:trojan-activity; sid:2014167; rev:2; metadata:created_at 2012_01_27, updated_at 2012_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5220
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query for Known Hostile *test.3322.org.cn Domain"; content:"|01 00 00 01 00 00 00 00 00|"; depth:9; offset:2; content:"test|04|3322|03|org|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814; reference:md5,e4afcee06ddaf093982f80dafbf9c447; classtype:trojan-activity; sid:2014267; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5231
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.RShot Checkin"; flow:established,to_server; content:"connected#"; depth:10; content:"#Windows "; content:"##"; distance:0; dsize:<120; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014268; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5232
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; content:".com.exe"; http_uri; fast_pattern; content:"User-Agent|3a| GetRight/"; http_header; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:trojan-activity; sid:2014290; rev:2; metadata:created_at 2012_02_29, updated_at 2012_02_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5236
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Koobface Variant Checkin Attempt"; flow:established,to_server; content:"/ping.php"; http_uri; content:" WinHttp.WinHttpRequest.5|29 0d 0a|"; http_header; reference:md5,62aa9e798746e586fb1f03459a970104; classtype:trojan-activity; sid:2014303; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5237
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Backdoor.BlackMonay Checkin"; flow:established,to_server; content:".Php?UserName="; nocase; http_uri; content:"&Bank="; nocase; http_uri; content:"&Money="; nocase; http_uri; content:"Accept-Language|3A 20|zh-cn"; http_header; reference:md5,4a203e37caa2e04671388341419bda69; classtype:trojan-activity; sid:2014306; rev:3; metadata:created_at 2012_03_05, updated_at 2012_03_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5238
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; content:"|3B 20|Ini download file modue"; nocase; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:2; metadata:created_at 2012_03_05, updated_at 2012_03_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5240
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.Genome.aetqe Checkin"; flow:established,to_server; content:"/stats/counterz.php?id="; http_uri; content:"&stat="; http_uri; reference:md5,700b7a81d1460a652e5f9f06fc54dcd6; classtype:trojan-activity; sid:2014331; rev:1; metadata:created_at 2012_03_07, updated_at 2012_03_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5242
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5243
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Coced.PasswordStealer User-Agent 5.0"; flow:established,to_server; content:"User-Agent|3A 20|5.0|0D 0A|"; http_header; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:trojan-activity; sid:2014344; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5244
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Smart Fortress FakeAV/Kryptik.ABNC Checkin"; flow:established,to_server; content:"/?&affid="; http_uri; fast_pattern; content:"Accept|3a| *//*|0d 0a|"; http_header; reference:md5,fa20c17e5f58e7419b4f0eed318fa95a; reference:url,support.kaspersky.com/viruses/rogue/description?qid=208286259; classtype:trojan-activity; sid:2014293; rev:3; metadata:created_at 2012_02_29, updated_at 2012_02_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5245
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Graybird Checkin"; flow:to_server,established; content:"/count.asp?mac="; http_uri; content:"&os="; http_uri; content:"&av="; http_uri; content:"User-Agent|3a| Post|0d 0a|"; http_header; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:trojan-activity; sid:2014365; rev:3; metadata:created_at 2012_02_11, updated_at 2012_02_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5246
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Lici Initial Checkin"; flow:established,to_server; content:".php?email="; http_uri; content:"&lici="; http_uri; content:"&ver="; http_uri; content:"HTTP/1.0"; content:!"User-Agent|3A|"; http_header; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:trojan-activity; sid:2014119; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5247
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32-Dynamer.dtc Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/total_visitas.php"; http_uri; content:".php HTTP/1.1|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:4; metadata:created_at 2012_01_11, updated_at 2012_01_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5406
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Jiwerks.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.aspx"; http_uri; content:"Accept-Language|3A 20|zh-cn"; http_header; content:"a="; fast_pattern; http_client_body; depth:2; content:"&v="; http_client_body; distance:0; reference:md5,0e47c711d9edee337575b6dbef850514; classtype:trojan-activity; sid:2014133; rev:4; metadata:created_at 2012_01_18, updated_at 2012_01_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5407
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|3B| name=|22|bot_id|22 0D 0A 0D 0A|"; fast_pattern; content:" name=|22|os_version|22 0D 0A 0D 0A|"; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014269; rev:5; metadata:created_at 2012_02_21, updated_at 2012_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5413
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Protux.B POST checkin"; flow:from_client,established; content:"POST"; nocase; http_method; content:"Mozilla/4.8.20 (compatible|3B| MSIE 5.0.2|3B| Win32)|0D 0A|Host|3a| "; http_header; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:trojan-activity; sid:2014360; rev:4; metadata:created_at 2012_03_09, updated_at 2012_03_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5414
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Datamaikon Checkin myAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" myAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,a51933ee0f2ade7df98feb7207a2ffaf; classtype:trojan-activity; sid:2014468; rev:3; metadata:created_at 2012_04_04, updated_at 2012_04_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5418
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; content:"/stat.php?w="; http_uri; content:"&i="; http_uri; content:"&a="; http_uri; content:"User-Agent|3A| Opera/6"; http_header; content:"|3B| LangID="; http_header; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:trojan-activity; sid:2014604; rev:3; metadata:created_at 2012_03_01, updated_at 2012_03_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5429
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Es11 Keepalive to CnC"; flow:established,to_server; content:"|89 e7 52 d4 68 64 a7 73 bd 7e 3f 5c f7 99 3a 2e|"; offset:16; depth:16; dsize:48; reference:md5,4a17e9bd99f496c518ddfaaef93384b0; classtype:trojan-activity; sid:2014630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2012_04_20, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5434
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_test:1,>,SSL.Client_Hello.length,34,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5440
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5441
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ConstructorWin32/Agent.V"; flow:to_server,established; content:"GET http|3A|//"; depth:11; content:"|0D 0A|Pragma|3A| no-catch|0D 0A|"; http_header; content:"|0D 0A|X-HOST|3A| "; http_header; content:"|0D 0A|Content-Length|3A| 0|0D 0A|"; http_header; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:7; metadata:created_at 2012_04_26, updated_at 2012_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5443
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC"; flow:established,to_server; content:"/PostView.nhn?blogId="; fast_pattern; http_uri; content:"&logNo="; http_uri; content:"&parentCategoryNo="; http_uri; content:"&userTopListOpen="; http_uri; content:"&userTopListManageOpen="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)|0d 0a|"; http_header; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=1072862; reference:md5,8af17164500aac1c0965b842aca3fed7; classtype:trojan-activity; sid:2014754; rev:6; metadata:created_at 2012_05_17, updated_at 2012_05_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5446
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5447
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji|0d 0a|"; fast_pattern:5,12; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:trojan-activity; sid:2014757; rev:4; metadata:created_at 2012_05_15, updated_at 2012_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5449
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VBS/Wimmie.A Set"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=c&n="; http_uri; content:"_"; distance:0; http_uri; content:"@"; distance:0; http_uri; content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; classtype:trojan-activity; sid:2014803; rev:7; metadata:created_at 2011_11_04, updated_at 2011_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5454
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET TROJAN IRC Bot Download http Command"; flow:established,from_server; content:"JOIN |3a|#"; nocase; content:"dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:4; metadata:created_at 2012_03_28, updated_at 2012_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5459
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; content:"/js/data/encryptedtest.dll"; http_uri; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:trojan-activity; sid:2014962; rev:2; metadata:created_at 2012_06_25, updated_at 2012_06_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5471
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Armageddon CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| ArmageddoN"; nocase; http_header; content:"GetList="; http_client_body; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:trojan-activity; sid:2014963; rev:2; metadata:created_at 2012_06_25, updated_at 2012_06_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5472
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; content:"/api/urls/?ts="; http_uri; content:"&affid="; http_uri; content:"GTB0.0|3b|"; http_header; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:5; metadata:created_at 2012_05_24, updated_at 2012_05_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5473
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot CnC POST /common/versions.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/versions.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014979; rev:2; metadata:created_at 2012_06_28, updated_at 2012_06_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5475
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot CnC GET /lost.dat"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lost.dat"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014980; rev:3; metadata:created_at 2012_06_28, updated_at 2012_06_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5476
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot CnC POST /common/timestamps.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/timestamps.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014999; rev:2; metadata:created_at 2012_07_02, updated_at 2012_07_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5477
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; content:"/counter/mac_proc.php?cid="; fast_pattern; http_uri; content:"&mid="; http_uri; content:"User-Agent|3A| internet|0D 0A|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015020; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5478
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; content:"/check_counter.php?pid="; http_uri; content:"&mid="; http_uri; content:"User-Agent|3A| internet|0D 0A|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015021; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5479
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pift Checkin 1"; flow:established,to_server; content:"/plg3.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015458; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5481
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pift Checkin 2"; flow:established,to_server; content:"/ext1.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015459; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5482
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Playtech Downloader Online Gaming Checkin"; flow:to_server,established; content:"/client_update_urls.php"; http_uri; content:"User-Agent|3a| Playtech "; http_header; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:trojan-activity; sid:2008365; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5485
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Medfos/Midhos Checkin"; flow:to_server,established; content:"/id="; http_uri; content:"&rt="; distance:0; http_uri; content:"AAAAAAAAAAA"; http_uri; fast_pattern; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; reference:md5,00da8acc14d0e827dbb1326c023fc720; reference:md5,8f561f46fb262cac6bb4cacf3e4e78a6; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014722; rev:4; metadata:created_at 2012_05_08, updated_at 2012_05_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5498
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; content:"/?xclzve_"; depth:9; http_uri; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:2015562; rev:2; metadata:created_at 2012_08_03, updated_at 2012_08_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5506
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Lile.A DoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"UserAgent|3a|"; http_header; content:"Windows 98"; fast_pattern:only; http_header; content:"Host|3a| www.fbi.gov"; http_header; threshold:type limit, track by_src, count 1, seconds 30; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:3; metadata:created_at 2012_08_06, updated_at 2012_08_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5507
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mirage Campaign checkin"; flow:established,to_server; content:"POST"; http_method; content:"/result?hl="; depth:11; http_uri; content:"&meta="; distance:0; http_uri; content:"Mjtdkj"; depth:6; http_client_body; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015714; rev:2; metadata:created_at 2012_09_19, updated_at 2012_09_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5526
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Runner/Bublik Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; fast_pattern; nocase; content:!"User-Agent|3a|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:trojan-activity; sid:2009711; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5531
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; dsize:<16; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:trojan-activity; sid:2013090; rev:10; metadata:created_at 2010_11_22, updated_at 2010_11_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5533
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/U"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:trojan-activity; sid:2015807; rev:3; metadata:created_at 2012_10_05, updated_at 2012_10_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5543
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015870; rev:2; metadata:created_at 2012_11_06, updated_at 2012_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5550
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin 1"; flow:established,to_server; content:"GET"; http_method; urilen:5; content:"/1/?"; http_uri; depth:4; content:"MSIE 7.0|3b|"; http_user_agent; content:".ddns"; fast_pattern; http_header; distance:0; content:".eu|0d 0a|"; distance:1; within:5; http_header; pcre:"/Host\x3a \d{5}\x2eddns[a-z0-9]\x2eeu\r\n$/H"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015968; rev:8; metadata:created_at 2012_11_29, updated_at 2012_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5556
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Necurs"; flow:to_server,established; content:"POST"; http_method; content:"/iis/host.aspx"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:"application/octet-stream"; http_header; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:2; metadata:created_at 2012_12_07, updated_at 2012_12_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5557
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Kuluoz.B Request"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/[a-f0-9]+$/Ui"; content:"Windows NT 9.0|3b|"; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}(\x3a\d{1,5})?\r?$/Hmi"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:4; metadata:created_at 2012_12_04, updated_at 2012_12_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5608
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Zbot.ivgw Downloading EXE"; flow:to_server,established; content:"/forum/images.php?id"; http_uri; nocase; fast_pattern:only; content:"Mozilla/6"; http_user_agent; depth:9; content:" MSIE "; http_user_agent; distance:0; reference:md5,e8e3d22203f9549d6c5f361dfe51f8c6; classtype:trojan-activity; sid:2016425; rev:5; metadata:created_at 2013_02_18, updated_at 2013_02_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5609
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likseput.B Checkin"; flow:established,to_server; content:"|3b|Trident/4.0 "; fast_pattern; http_user_agent;  pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/Hmi"; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:trojan-activity; sid:2016432; rev:4; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5610
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; content:"User-Agent|3a| 6|2e|"; http_header; content:"|5c|"; within:64; http_header; content:"Host|3a| "; http_header; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http_header; pcre:"/User\-Agent\x3a\x206\.[0-2]\x20\d\d\x3a\d\d\x20/Hi"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:trojan-activity; sid:2016433; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5611
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 0"; http_header; content:"|3a|";  http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016435; rev:5; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5613
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 1"; http_header; content:"|3a|"; http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016436; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5614
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-TABLE Checkin 3 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 2"; http_header; content:"|3a|"; http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016437; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5615
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:trojan-activity; sid:2016438; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5616
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SEASALT HTTP Checkin"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 5.00|3b| Windows 98) KSMM|0d 0a|"; http_header; fast_pattern:24,20; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016440; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5617
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016441; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5618
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SEASALT Server Response"; flow:established,from_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016442; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5619
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016443; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5620
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5621
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TABMSGSQL/Sluegot.C Checkin"; flow:established,to_server; content:"?rands="; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; http_header; reference:url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/; reference:url,www.mandiant.com/apt1; reference:md5,052ec04866e4a67f31845d656531830d; classtype:trojan-activity; sid:2016446; rev:4; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5622
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WARP Win32/Barkiofork.A"; flow:established,to_server; content:"/s/asp?"; http_uri; fast_pattern; pcre:"/p=1$/U"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,7acb0d1df51706536f33bbdb990041d3; classtype:trojan-activity; sid:2016447; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5623
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:trojan-activity; sid:2016449; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5625
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Namsoth.A Checkin/NEWSREELS APT1 Related"; flow:established,to_server; content:"POST"; http_method; content:"name="; depth:5; http_client_body; content:"&userid="; distance:0; http_client_body; content:"&other"; distance:4; within:6; http_client_body; pcre:"/&userid=\d{4}&other=[MF]/P"; reference:md5,a2cd1189860b9ba214421aab86ecbc8a; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016439; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5626
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016444; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5627
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-CLOVER Checkin APT1 Related"; flow:established,to_server; content:"/Default.asp"; http_uri; content:"Accept: image/gif,image/x-xbitmap"; http_header; content:" MSIE "; http_header; content:"Cookie|3a 20|PREF=86845632017245|0d 0a|"; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:trojan-activity; sid:2016452; rev:2; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5628
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-CLOVER Download UA"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|1.8.0.12) Firefox/1.5.0.12|0d 0a|"; http_header; fast_pattern:66,20; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:trojan-activity; sid:2016453; rev:2; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5629
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-DIV UA"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer Exelon "; http_header; fast_pattern:27,20; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:trojan-activity; sid:2016454; rev:2; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5631
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:trojan-activity; sid:2016455; rev:3; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5632
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:trojan-activity; sid:2016456; rev:2; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5633
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:trojan-activity; sid:2016457; rev:3; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5634
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; content:"User-Agent|3a| IPHONE"; http_header; pcre:"/User-Agent\x3a\sIPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/Hi";  reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016461; rev:4; metadata:created_at 2011_06_27, updated_at 2011_06_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5635
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016472; rev:2; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5646
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Xtrat Checkin 2"; flow:to_server,established; content:"/1234.functions"; http_uri; reference:md5,fea70e818984b82c9a6bbdc5157d4a40; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A; classtype:trojan-activity; sid:2016599; rev:4; metadata:created_at 2012_10_25, updated_at 2012_10_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5665
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5673
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Enchanim Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"svchost.exe"; http_uri; fast_pattern:only; content:"Mozilla/4.0 (compatible|3b| MSIE 5.01|3b| Windows NT 5.0)"; http_user_agent; reference:md5,539d3b15e9c3882ac70bb1ac7f90a837; classtype:trojan-activity; sid:2016707; rev:4; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5674
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus User-Agent(z00sAgent)"; flow:to_server,established; content:"z00sAgent"; depth:9; http_user_agent; reference:md5,e94fb19f3a38f9b2a775b925e4c0abe3; classtype:trojan-activity; sid:2016710; rev:3; metadata:created_at 2013_04_02, updated_at 2013_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5676
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Haxdoor Reporting User Activity 2"; flow:established,to_server; content:"param="; http_uri; content:"&socksport="; http_uri; content:"&httpport="; fast_pattern:only; http_uri; content:"&uptime"; http_uri; content:"&uid="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2002929; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; reference:md5,0995ecb8bb78f510ae995a50be0c351a; classtype:trojan-activity; sid:2002929; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5686
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; isdataat:!1,relative; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5690
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Enchanim Process List Dump"; flow:to_server,established; content:"GET"; http_method; content:"&pl=|5b|System|20|Process"; http_uri; content:"svchost.exe"; http_uri; content:"&r="; http_uri; content:"&g="; http_uri; content:"&s="; http_uri; content:"&c="; http_uri; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016770; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5691
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent MyAgrent"; flow:established,to_server; content:"MyAgrent"; http_user_agent; reference:md5,75c2f3168eca26e10bd5b2f3f0e2a8c5; classtype:trojan-activity; sid:2014165; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_01_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5693
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/TCYWin.Downloader User-Agent"; flow:established,to_server; content:"TCYWinHTTPDownload"; http_user_agent; reference:md5,4cfe5674d9f33804572ae0d14f0c941b; classtype:trojan-activity; sid:2014305; rev:3; metadata:created_at 2012_03_05, updated_at 2012_03_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5694
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN System Progressive Detection FakeAV (AMD)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|AMD-"; http_user_agent; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3aAMD-/V"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:7; metadata:created_at 2012_10_12, updated_at 2012_10_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5696
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|INT-"; http_user_agent; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3aINT-/V"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:8; metadata:created_at 2012_10_12, updated_at 2012_10_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5697
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cookies/Cookiebag Checkin"; flow:to_server,established; content:"/indexs.zip"; http_uri; fast_pattern:only; reference:md5,840BD11343D140916F45223BA05ABACB; classtype:trojan-activity; sid:2016808; rev:2; metadata:created_at 2013_05_01, updated_at 2013_05_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5700
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; content:"GET"; http_method; content:".php"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; pcre:"/\/[a-z-_]{75,}\.php$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE "; depth:42; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016809; rev:5; metadata:created_at 2013_05_01, updated_at 2013_05_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5701
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/downloads/IPFilter"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/downloads\/IPFilter\.exe$/Ui"; content:"AutoIt"; depth:6; http_user_agent; reference:url,threatexpert.com/report.aspx?md5=c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:trojan-activity; sid:2016844; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5712
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-RAVE UA"; flow:established,to_server; content:"User-Agent|3a| HTTP Mozilla/5.0(compatible+MSIE)|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:trojan-activity; sid:2016458; rev:3; metadata:created_at 2013_02_21, updated_at 2013_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5713
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tosct.B UA Mandiant APT1 Related"; flow:established,to_server; content:"HTTP Mozilla/5.0(compatible+MSIE)"; http_user_agent; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:trojan-activity; sid:2016431; rev:4; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5714
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hangover Campaign Keylogger Checkin"; flow:established,to_server; content:".php?fol="; fast_pattern:only; http_uri; content:"&ac="; http_uri; content:"AVs"; http_uri; content:"OS"; http_uri; content:"SystemDT"; http_uri; content:"AppVersion"; http_uri; content:"DropPath"; http_uri; reference:md5,023d82950ebec016cd4016d7a11be58d; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016861; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5720
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.VB.cefz Checkin"; flow:established,to_server; content:"/hyper/fm.php?tp=in"; fast_pattern:only; http_uri; content:"&tg="; http_uri; reference:md5,0cace87b377a00df82839c659fc3adea; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016863; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5721
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Agent.bjjv Checkin"; flow:established,to_server; content:"/wakeup/access.php"; fast_pattern:only; http_uri; content:"UPHTTP"; depth:6; http_user_agent; reference:md5,06ba10a49c8cea32a51f0bbe8f5073f1; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016864; rev:3; metadata:created_at 2013_05_20, updated_at 2013_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5722
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; content:"EMSFRTCBVD"; depth:10; http_user_agent; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:2; metadata:created_at 2013_05_20, updated_at 2013_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5723
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; content:".php"; http_uri; content:"MyHttpClient"; depth:12; http_user_agent; content:"tit="; fast_pattern; depth:4; http_client_body; content:"&cont="; http_client_body; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016866; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5735
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.Antavmu.guw Checkin"; flow:to_server,established; content:"/smadstat.php?mac="; fast_pattern:only; http_uri; content:"&key="; http_uri; content:"&name="; http_uri; content:"&os="; http_uri; content:"&build="; http_uri; content:"&old="; http_uri; content:"&comp="; http_uri; content:"Smart-RTP"; depth:9; http_user_agent; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; classtype:trojan-activity; sid:2016914; rev:3; metadata:created_at 2013_05_22, updated_at 2013_05_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5741
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Kazy.174106 Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?T="; content:"User-Agent|3a| Tesla"; http_header; fast_pattern:only; reference:md5,ff7a263e89ff01415294470e1e52c010; classtype:trojan-activity; sid:2016939; rev:2; metadata:created_at 2013_05_28, updated_at 2013_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5744
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN Possible Win32.Bicololo Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/stat/"; nocase; http_uri; pcre:"/^\/stat\/[a-z]{3,4}\/\d{1,4}$/U"; flowbits:set,ET.Bicololo.Request; reference:md5,252c95327ce556a21bdd7e9a322e206c; reference:url,www.virusradar.com/Win32_Bicololo.A/description; classtype:trojan-activity; sid:2016946; rev:3; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5747
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 1"; flow:established,to_client; content:"ci_session="; http_cookie; file_data; content:"ne_unik"; fast_pattern; within:7; isdataat:!1,relative; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5748
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; content:"ci_session="; http_cookie; file_data; content:"ok"; fast_pattern; within:2; isdataat:!1,relative; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:2; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5749
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN System Progressive Detection FakeAV (AuthenticAMD)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"AuthenticAMD|3b|"; http_user_agent; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+AuthenticAMD\x3b/V"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016960; rev:10; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5752
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN System Progressive Detection FakeAV (GenuineIntel)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"GenuineIntel|3b|"; http_user_agent; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+GenuineIntel\x3b/V"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016961; rev:11; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5753
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Win32/Travnet.A Internet Connection Check (microsoft.com)"; flow:to_server,established; content:"GET"; http_method; content:"/info/privacy_security.htm"; http_uri; content:!"Referer|3a 20|"; http_header; content:"microsoft.com|0d 0a|"; http_header; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; classtype:trojan-activity; sid:2016969; rev:5; metadata:created_at 2013_06_04, updated_at 2013_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5754
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Travnet.A Checkin"; flow:to_server,established; content:".asp?hostid="; http_uri; content:"&hostname="; http_uri; content:"&hostip="; http_uri; content:"&filename="; http_uri; content:"&filestart="; http_uri; content:!"Referer|3a 20|"; http_header; content:"&filetext=begin|3a 3a|"; fast_pattern:only; http_uri; pcre:"/\?hostid=[0-9A-F]+?&/U"; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; reference:url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:trojan-activity; sid:2016968; rev:5; metadata:created_at 2013_03_01, updated_at 2013_03_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5755
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Alina Server Response Code"; flow: established,from_server; content:" 666 OK|0d 0a|"; fast_pattern:only; content:"666"; http_stat_code; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:4; metadata:created_at 2013_06_07, updated_at 2013_06_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5761
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Tobfy.S"; flow:established,from_client; content:"/upload/img.jpg"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{3,}\/upload\/img\.jpg$/U"; content:!"Referer|3a|"; http_header; reference:md5,ac03c5980e2019992b876798df2df9ab; classtype:trojan-activity; sid:2017004; rev:4; metadata:created_at 2013_06_12, updated_at 2013_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5763
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Rovnix.I Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/ld.aspx?key="; depth:13; http_uri; content:"FWVersionTestAgent"; depth:18; http_user_agent; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:md5,605daaa9662b82c0d5982ad3a742d2e7; classtype:trojan-activity; sid:2017279; rev:3; metadata:created_at 2013_08_06, updated_at 2013_08_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5793
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Win32/Cridex Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/([a-z0-9+]+?\/){3}$/Ui"; content:"Accept|3a| */*|0d 0a|Host|3a| "; depth:19; http_header; pcre:"/^Accept\x3a \*\/\*\r\nHost\x3a \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080\r\nContent-Length\x3a \d{3}\r\nConnection\x3a Keep-Alive\r\nCache-Control\x3a no-cache\r\n$/H"; content:!"Referer"; http_header; content:!"User-Agent|3a| "; http_header; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:trojan-activity; sid:2017305; rev:3; metadata:created_at 2013_08_08, updated_at 2013_08_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5794
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FortDisco Reporting Status"; flow:established,to_server; content:"POST"; http_method; content:"/cmd.php"; http_uri; fast_pattern:only; content:"|3b| Synapse"; http_header; content:"status="; http_client_body; depth:7; pcre:"/^status=\d$/P"; content:"/cmd.php HTTP/1.0|0d 0a|Host|3a|"; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017309; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5795
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2017312; rev:4; metadata:created_at 2013_08_12, updated_at 2013_08_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5797
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Yayih.A Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search.asp?newsid="; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; http_header; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:2017326; rev:2; metadata:created_at 2013_08_13, updated_at 2013_08_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5800
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Yayih.A Checkin 2"; flow:to_server,established; content:"POST"; http_method; content:"/bbs/search.asp"; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; http_header; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:2017325; rev:4; metadata:created_at 2013_08_13, updated_at 2013_08_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5801
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.APT.9002 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:trojan-activity; sid:2016398; rev:8; metadata:created_at 2012_06_28, updated_at 2012_06_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5818
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Troj.Cidox Checkin"; flow:established,to_server; content:".php?sign="; fast_pattern:only; http_uri; content:"&key="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&vm="; http_uri; content:"&digital="; http_uri; reference:md5,0ce7f9dde5c273d7e71c9f1301fe505d; classtype:trojan-activity; sid:2017349; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5821
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Napolar.A Getting URL"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36|0d 0a|Host"; fast_pattern:94,26; depth:126; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017362; rev:2; metadata:created_at 2013_08_21, updated_at 2013_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5822
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Win32/Napolar.A URL Response"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"!http|3a|//"; within:8; pcre:"/^[^\r\n]+?\$$/R"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:2; metadata:created_at 2013_08_22, updated_at 2013_08_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5836
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Avatar RootKit Yahoo Group Search"; flow:to_server,established; content:"/search?query="; http_uri; depth:14; content:"&sort=relevance"; distance:8; within:15; http_uri; content:"Host|3a 20|groups.yahoo.com|0d 0a|"; http_header; content:!"Referer|3a|"; pcre:"/^\/search\?query=[A-Z0-9]{8}&sort=relevance$/U"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:2; metadata:created_at 2013_08_22, updated_at 2013_08_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5837
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Dirtjump Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"req="; depth:4; http_client_body; pcre:"/^req=[A-Za-z0-9]{15}([A-Za-z0-9]{19})?$/P"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:trojan-activity; sid:2017385; rev:2; metadata:created_at 2013_08_27, updated_at 2013_08_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5847
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Dipverdle.A Activity"; flow:to_server,established; content:"POST"; http_method; content:"/cp/?"; http_uri; nocase; fast_pattern:only; pcre:"/\/cp\/\?(?:logo\.jpg|adm)/Ui"; content:!"Referer|3a|"; http_header; content:"token="; nocase; http_client_body; depth:6; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:2; metadata:created_at 2013_09_16, updated_at 2013_09_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5863
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Zzinfor.A Retrieving Instructions From CnC Server"; flow:established,to_server; content:"/static/hotkey.txt"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Accept-"; http_header; reference:md5,7e37a407a8fb0df3b2835419ad16f500; reference:md5,422b926dbbe03d0e4555328282c8f32b; classtype:trojan-activity; sid:2017489; rev:2; metadata:created_at 2013_09_19, updated_at 2013_09_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5866
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"/is-sending"; http_uri; nocase; content:".exe"; http_uri; distance:0; reference:md5,d2e799904582f03281060689f5447585; classtype:trojan-activity; sid:2017517; rev:4; metadata:created_at 2013_08_27, updated_at 2013_08_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5871
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DATA-BROKER BOT Activity"; flow:established,to_server; content:"POST"; http_method; content:"g="; depth:2; http_client_body; content:"&cmd="; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^g=[A-Z0-9]+&cmd=/P"; reference:url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/; reference:md5,adcfe50aaaa0928adf2785fefe7307cc; classtype:trojan-activity; sid:2017524; rev:3; metadata:created_at 2013_09_25, updated_at 2013_09_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5878
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kovter Ransomware Check-in"; flow:established,to_server; content:".php?mode="; nocase; http_uri; content:"&OS="; nocase; http_uri; content:"&OSbit="; http_uri; nocase; fast_pattern:only; reference:url,www.botnets.fr/index.php/Kovter; reference:md5,82d0e4f8b34d6d39ee4ff59d0816ec05; classtype:trojan-activity; sid:2016690; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5887
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kuluoz Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"name=|22|key|22|"; http_client_body; nocase; content:"filename=|22|key.bin|22|"; http_client_body; nocase; content:"name=|22|data|22|"; http_client_body; nocase; content:"filename=|22|data.bin|22|"; http_client_body; nocase; pcre:"/\/[A-F0-9]+$/U"; reference:md5,c71416a9ec5414fe487167b5bfd921ec; classtype:trojan-activity; sid:2017620; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5890
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV Install"; flow:established,to_server; content:"GET"; http_method; content:"/api/stats/debug/"; fast_pattern:only; http_uri; content:"/?ts="; http_uri; content:"&ver="; http_uri; content:"&group="; http_uri; content:"&token="; http_uri; reference:md5,d1663e13314a6722db7cb7549b470c64; classtype:trojan-activity; sid:2017647; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5893
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Badur.Spy User Agent lawl"; flow:established,to_server; content:"lawl"; depth:4; http_user_agent; reference:md5,4f5d28c43795b9c4e6257bf26c52bdfe; classtype:trojan-activity; sid:2017655; rev:3; metadata:created_at 2013_11_01, updated_at 2013_11_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5896
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; content:".html"; http_uri; content:"From|3a| "; depth:6; http_header; pcre:"/^\d+?\r\n/RHi"; content:"Via|3a| "; http_header; content:!"1|2e|"; within:2; http_header; content:!"User-Agent|3a| "; http_header; pcre:"/^\/\d+?\/\d+?\.html$/Ui"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:trojan-activity; sid:2015786; rev:3; metadata:created_at 2012_10_09, updated_at 2012_10_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5897
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5906
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop icmp any any -> any any (msg:"ET TROJAN PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:trojan-activity; sid:2017724; rev:3; metadata:created_at 2013_11_14, updated_at 2013_11_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5912
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sisproc update"; flow:to_server,established; content:"/poll/update.txt"; http_uri; content:!"Referer|3A 20|"; http_header; reference:md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc; classtype:trojan-activity; sid:2017725; rev:5; metadata:created_at 2013_11_15, updated_at 2013_11_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5914
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:trojan-activity; sid:2017728; rev:2; metadata:created_at 2013_11_19, updated_at 2013_11_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5915
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Downloader Win32.Genome.AV"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/other.txt"; fast_pattern; http_uri; content:"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; flowbits:set,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5918
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Darkness DDoS Common Intial Check-in Response wtf"; flow:from_server,established; file_data; content:"d3Rm"; within:4; pcre:"/^(?:\r\n|$)/R"; reference:md5,a9af388f5a627aa66c34074ef45db1b7; classtype:trojan-activity; sid:2017776; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5920
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern:27,20; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2017784; rev:3; metadata:created_at 2013_11_27, updated_at 2013_11_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5921
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5924
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:trojan-activity; sid:2016451; rev:3; metadata:created_at 2013_02_20, updated_at 2013_02_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5936
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017891; rev:2; metadata:created_at 2013_12_19, updated_at 2013_12_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5942
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:to_server,established; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x95/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5943
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:to_server,established; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:trojan-activity; sid:2017914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5944
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:to_server,established; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:trojan-activity; sid:2017915; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5945
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10"; flow:to_server,established; dsize:>11; byte_jump:4,0,from_beginning,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; fast_pattern:only; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:trojan-activity; sid:2017916; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_02, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5946
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern:only; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5947
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern:only; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5948
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern:only; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5949
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern:only; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_01_07, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5950
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14"; flow:to_server,established; dsize:>11; byte_extract:4,0,c_size,little; byte_test:4,>,c_size,4,little; content:"|08 01|"; offset:2; depth:2; content:"|79 94|"; offset:13; depth:2; pcre:"/^.{8}[\x20-\x7e]+?\x79\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,9fae15fa8ab6bb8d78d609bdceafe28e; classtype:trojan-activity; sid:2017944; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_08, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5951
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kishop.A checkin"; flow:to_server; content:"POST"; http_method; content:".php?mark="; http_uri; content:"&type="; http_uri; content:"&theos="; http_uri; reference:md5,bad7cd3c534c95867f5dbe5c5169a4da; classtype:trojan-activity; sid:2017964; rev:2; metadata:created_at 2014_01_13, updated_at 2014_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5955
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Ferret DDOS Bot CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla|20|"; fast_pattern; http_header; content:"m"; depth:1; http_client_body; pcre:"/^m(?:ode)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&h(?:wid)?=/P"; reference:md5,f582667d5ce743436fb24771eb22a0e8; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:trojan-activity; sid:2017917; rev:5; metadata:created_at 2014_01_02, updated_at 2014_01_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5956
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; content:"POST"; http_method; content:"/201"; http_uri; fast_pattern:only; content:".jsp"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)|0d 0a|"; http_header; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; pcre:"/^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$/U"; threshold:type both,track by_src,count 2,seconds 60; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:trojan-activity; sid:2017967; rev:3; metadata:created_at 2014_01_13, updated_at 2014_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5957
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET TROJAN Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:trojan-activity; sid:2017922; rev:3; metadata:created_at 2014_01_02, updated_at 2014_01_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5958
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Kelihos.F Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:<13; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.htm$/U"; content:!"BridgitAgent"; http_user_agent;  content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Content-Type"; http_header; content:"Content-Length|3a 20|"; http_header; content:!"0|0d 0a|"; within:3; http_header; content:"|0d 0a|"; distance:0; http_header; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:trojan-activity; sid:2017191; rev:3; metadata:created_at 2013_07_24, updated_at 2013_07_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5964
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Java/Jacksbot Check-in"; flow:established,to_server; content:"|00 2d 00 68 00 20 00 32 00 66 00|"; pcre:"/^(?:4\x00[1-9a-f]|5\x00[\da])/Rs"; content:"|00 33 00 61 00|"; within:5; reference:md5,6d93fc6132ae6938013cdd95354bff4e; classtype:trojan-activity; sid:2017983; rev:3; metadata:created_at 2014_01_17, updated_at 2014_01_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5966
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:trojan-activity; sid:2018013; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5968
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Limitless Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Limitless Logger|20 3a 20 3a|"; nocase; fast_pattern:9,20; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018015; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5969
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5970
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32/Antilam.2_0 Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|CigiCigi Logger"; fast_pattern:4,20; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018018; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5971
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/LockscreenBEI.Scareware Cnc Beacon"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/reboot/index.html"; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,04948b6045730d4ec626f79504c7f9ad; reference:md5,9fff65c23fe403d25c08a5cdd3dc775d; classtype:trojan-activity; sid:2018023; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5972
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:trojan-activity; sid:2018032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5976
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:trojan-activity; sid:2018034; rev:1; metadata:created_at 2014_01_29, updated_at 2014_01_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5977
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32.Genome.boescz Checkin"; flow:to_server,established; content:"|0d 0a|Subject|3a 20|TenInfect"; fast_pattern:9,9; content:"|0d 0a 0d 0a|TenInfect"; distance:0; reference:md5,313535d09865f3629423cd0e9b2903b2; reference:url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/; classtype:trojan-activity; sid:2018033; rev:3; metadata:created_at 2014_01_29, updated_at 2014_01_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5978
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern:only; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:trojan-activity; sid:2017548; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_09_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5984
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:to_server,established; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:trojan-activity; sid:2017974; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_16, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5985
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20"; flow:to_server,established; dsize:>11; content:"|7d 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a037b3241c0b957efe6037b25570292f; classtype:trojan-activity; sid:2018054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5986
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 444 (msg:"ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading DLL"; flow:to_server,established; content:"SIZE libcurl-4.dll|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018072; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5989
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018073; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5990
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/StoredBt.A Activity"; flow:to_server,established; content:".php?a1="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; pcre:"/\.php\?a1=\d+&a2=(?:[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}|(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}))(?:&a\d+=[^&]+)+$/U"; reference:md5,e8e9eb1cd4be7ab27743887be2aa28e9; classtype:trojan-activity; sid:2018074; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5991
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-18,relative,little,from_beginning, post_offset 1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?.{2}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:trojan-activity; sid:2018075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5992
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24"; flow:to_server,established; dsize:>11; content:"|7c 9f|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7c\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,0be9e3f4507a8ee23bb0c2b6c218d1cc; classtype:trojan-activity; sid:2018076; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5993
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"crypt"; http_client_body; depth:5; content:"="; http_client_body; within:3; reference:md5,9d11cfb7799089823483b72daec5fd2b; reference:md5,a01451eae2d47872ce796bb85f116710; classtype:trojan-activity; sid:2018079; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5994
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26"; flow:to_server,established; dsize:>11; content:"|71 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x71\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,b316680fd2578a2781ee9497888bd1e4; classtype:trojan-activity; sid:2018085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5995
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DirtJumper Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"&req="; http_client_body; pcre:"/^\d+?=\d+?(?:&ver=\d+?)?&req=\d+?(?:&r=)?$/P"; content:"Host|3a|"; http_header; depth:5; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,5474129345d9756649c871f9c8b46287; reference:md5,ff5608e00d5e6e81af9c993461479e43; classtype:trojan-activity; sid:2018094; rev:2; metadata:created_at 2014_02_06, updated_at 2014_02_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5996
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25"; flow:to_server,established; dsize:>11; content:"|7a 5d|"; offset:8; byte_jump:4,-12,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{10}\x7a\x5d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,794eac549f98320b818037b8074da320; classtype:trojan-activity; sid:2018077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5997
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<html><body>hi!<|2F|body><|2F|html>"; within:30; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018097; rev:2; metadata:created_at 2014_02_10, updated_at 2014_02_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5998
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Rshot.Backdoor File Upload CnC Beacon"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/uploadb.php?"; fast_pattern; http_uri; content:"name=|22|archivo|22|"; http_client_body; content:".dmp|22|"; http_client_body; distance:0; reference:md5,08881eb702a1525f7792c3fef19ae9ff; classtype:trojan-activity; sid:2018100; rev:2; metadata:created_at 2014_02_10, updated_at 2014_02_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 5999
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Woai.Dropper Config Request"; flow:established,to_server; content:"/client/config.ini"; http_uri; content:"|3B 29 0D 0A|"; http_header; pcre:"/User\x2DAgent\x3A\x20[^\r\n]*MSIE[^\r\n]*\x3B\x29\x0D\x0A/H"; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:5; metadata:created_at 2014_02_10, updated_at 2014_02_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6000
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Jackpos Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"something"; depth:9; http_user_agent; content:"mac="; fast_pattern; depth:4; http_client_body; content:"&t1="; http_client_body; content:"&t2="; http_client_body; pcre:"/^mac=([A-F0-9]{2}-){5}[A-F0-9]{2}&t1=/P"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:trojan-activity; sid:2018108; rev:3; metadata:created_at 2014_02_12, updated_at 2014_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6002
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Known Chewbacca CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5ji235jysrvwfgmb|05|onion|00|"; fast_pattern; distance:0; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,usa.visa.com/download/merchants/Alert-ChewbaccaMalware-030614.pdf; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:trojan-activity; sid:2018114; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6003
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Almanahe.B Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"ClientUpdate"; fast_pattern:only; http_user_agent; content:!"Accept|3a 20|"; content:!"Referer|3a 20|"; reference:url,www.virustotal.com/en/file/f80fc95e44d90a8e02de4fde0ea5e58227cbbde7b6d3848c1f8afbd5ed0affe7/analysis/; reference:md5,1d331ef7d24f6316947e94f737d1f219; classtype:trojan-activity; sid:2018123; rev:3; metadata:created_at 2014_02_12, updated_at 2014_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6009
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0)"; flow:to_server,established; content:"Downloader MLR 1.0.0"; http_user_agent; depth:20; reference:md5,c9d54e9086357491bd1fdf8d8d804dce; classtype:trojan-activity; sid:2018112; rev:4; metadata:created_at 2013_11_04, updated_at 2013_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6011
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Jackpos Checkin 2"; flow:to_server,established; content:"/post/echo"; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/^\/post\/echo$/U"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:trojan-activity; sid:2018128; rev:2; metadata:created_at 2014_02_12, updated_at 2014_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6012
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET TROJAN Win32/Tapazom.A"; flow:established,to_server; content:"GIVEME|7c|"; reference:md5,dc7284b199d212e73c26a21a0913c69d; classtype:trojan-activity; sid:2018133; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6013
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET TROJAN Win32/Tapazom.A 2"; flow:established,to_server; content:"GETSERVER|7c|"; reference:md5,030f3840d2729243280d3cea3d99d8e6; classtype:trojan-activity; sid:2018134; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6014
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.Zapchast Checkin"; flow:to_server,established; content:"/files/def"; http_uri; pcre:"/^\/files\/def$/U"; content:"AutoIt"; depth:6; http_user_agent; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,www.virustotal.com/en/file/9f41604b71d1c9a4c094d0aa2685ffa49cc0d4ba19b20b7c22467eafb671064c analysis/; reference:md5,63586aef2be494150a492d822147055a; classtype:trojan-activity; sid:2018142; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6018
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon"; flow:established,to_server; content:"/dnsmake.txt"; fast_pattern; http_uri; content:"Indy Library"; http_user_agent; reference:md5,dd3e5b41238a73d627c6c48108a15452; classtype:trojan-activity; sid:2018150; rev:3; metadata:created_at 2014_02_17, updated_at 2014_02_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6019
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Blackbeard Downloader"; flow:established,to_server; content:"/load"; http_uri; content:"p="; http_uri; content:"&t="; http_uri; content:"User-Agent|3a| IE|0d 0a|"; http_header; fast_pattern; pcre:"/[\?&]p=\d&t=\d(&|$)/U"; reference:md5,2f6f13eced7fce495168059530246d77; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018110; rev:5; metadata:created_at 2014_01_23, updated_at 2014_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6021
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 28"; flow:to_server,established; dsize:>11; content:"|7f 9b|"; offset:8; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,52849773bc0d08eb9dfcb0df2b7caf33; classtype:trojan-activity; sid:2018166; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_21, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6023
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic CnC"; flow:established,to_server; content:" Mini BackDoor|00|"; offset:9; depth:20; reference:md5,398b6622a2c86d472a4340d3e79e654b; classtype:trojan-activity; sid:2018167; rev:1; metadata:created_at 2014_02_21, updated_at 2014_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6024
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Trojan CnC 3"; flow:established,to_server; dsize:14; content:"Gh0st"; depth:5; reference:md5,6a814cacb0c4b464d85ab874f68a5344; classtype:trojan-activity; sid:2018165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_21, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6025
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 27"; flow:to_server,established; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7c\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,29aabeba14f6b5950edcd2a5d99acc94; classtype:trojan-activity; sid:2018153; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_18, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6026
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018185; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6027
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018186; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6028
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018187; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6029
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:trojan-activity; sid:2018188; rev:1; metadata:created_at 2014_02_26, updated_at 2014_02_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6030
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|"; depth:20; pcre:"/^\d+?\x7cOnConnect\x7c/"; reference:url,doc.emergingthreats.net/2008908; reference:md5,3a7f11fbaf815cd2338d633de175e252; classtype:trojan-activity; sid:2008908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6032
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Kryptik.BSYO Checkin 2"; flow:to_server,established; content:"/cmd?version="; fast_pattern:only; http_uri; content:"&aid="; http_uri; content:"&id="; http_uri; content:"&os="; http_uri; pcre:"/&id=[a-f0-9]{8}(-[a-f0-9]{4}){4}[a-f0-9]{8}&os=/U"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:trojan-activity; sid:2018198; rev:4; metadata:created_at 2014_01_22, updated_at 2014_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6034
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Matsnu.L Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?text="; http_uri; content:"&img_url=http"; distance:0; http_uri; content:"&rpt=simage&pos="; distance:0; http_uri; fast_pattern; content:" Windows NT 5.0"; http_user_agent; nocase; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:trojan-activity; sid:2018200; rev:3; metadata:created_at 2014_03_03, updated_at 2014_03_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6035
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader.Win32.Geral Checkin"; content:".asp?MAC="; nocase; http_uri; fast_pattern:only; content:"&ver="; nocase; http_uri; pcre:"/\.asp\?MAC=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&VER=[^&]+$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,f01260fff3d6fb705fc8afaa3ea54564; classtype:trojan-activity; sid:2018201; rev:2; metadata:created_at 2014_03_03, updated_at 2014_03_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6036
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Qakbot.Bot Version 8 CnC Beacon"; flow:established,to_server; urilen:7<>32; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:"v="; http_client_body; depth:2; content:"&c="; http_client_body; fast_pattern; pcre:"/^\/[b-u][A-Za-z0-9]{6,25}\.php$/U"; reference:url,www.anubisnetworks.com/the-return-of-qakbot/; reference:md5,e9201c8b126ac40229e9ce3f82f5c608; reference:md5,749a7bf2ad84212bd78e46d240a4f434; classtype:trojan-activity; sid:2018204; rev:3; metadata:created_at 2014_03_03, updated_at 2014_03_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6037
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Kryptik.BSYO Checkin"; flow:to_server,established; content:"/log?"; http_uri; content:"|7c|aid="; fast_pattern:only; http_uri; content:"|7c|version="; http_uri; content:"|7c|id="; http_uri; content:"|7c|os="; http_uri; pcre:"/\/log\?(start|install)\x7caid=/U"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:trojan-activity; sid:2018205; rev:3; metadata:created_at 2014_03_04, updated_at 2014_03_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6038
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:trojan-activity; sid:2018154; rev:3; metadata:created_at 2014_02_18, updated_at 2014_02_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6041
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SMSHoax Riskware checkin"; flow:to_server; content:"POST"; http_method; content:"/api.php"; http_uri; content:"YWx0X2FwaV9iYXNlX3Vy"; depth:20; http_client_body; reference:md5,4b779acb1a0e726cee73fc2ca8a6a0be; classtype:trojan-activity; sid:2018230; rev:2; metadata:created_at 2014_03_06, updated_at 2014_03_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6042
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Havex RAT CnC Server Response"; flow:established,from_server; file_data; content:"|3c 21 2d 2d|havexhavex|2d 2d 3e|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018243; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6044
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; file_data; content:"|3c|mega http|2d|equiv|3d|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018244; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6045
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Citadel Activity POST"; flow:to_server,established; urilen:15; content:"POST"; http_method; content:"/pk/request.flv"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,a354873df6dbce59e801380cee39ac17; classtype:trojan-activity; sid:2017582; rev:4; metadata:created_at 2013_10_11, updated_at 2013_10_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6048
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RDP Brute Force Bot Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/cmd.php"; http_uri; content:"Browser"; depth:7; http_user_agent; content:"name=|22|data|22|"; http_client_body; content:"{ |22|bad|22 20 3a 20|"; http_client_body; content:", |22|bruting|22 20 3a 20|"; fast_pattern:only; http_client_body; content:", |22|checked|22 20 3a 20|"; http_client_body; reference:md5,c0c1f1a69a1b59c6f2dab18135a73919; reference:md5,e310cf7385ae4d15956e461c6d118c91; reference:md5,d316d208a66248c09986896f671f1db1; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:trojan-activity; sid:2018253; rev:6; metadata:created_at 2014_02_14, updated_at 2014_02_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6049
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Expiro.CD Check-in"; flow:established,to_server; content:"/gate.php?user="; http_uri; fast_pattern:only; content:"&id="; http_uri; nocase; content:"&type="; http_uri; pcre:"/\.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&)/U"; content:!"User-Agent|3a|"; http_header; reference:md5,c6e161a948f4474849d5740b2f27964a; classtype:trojan-activity; sid:2018255; rev:2; metadata:created_at 2014_03_12, updated_at 2014_03_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6050
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self-Signed Cert Observed in Various Zbot Strains"; flow:established,from_server; content:"|55 04 0a 13 02|XX"; content:"|55 04 0a 13 02|XX"; distance:0; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:2; metadata:created_at 2014_03_17, updated_at 2014_03_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6053
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BKDR_SLOTH.A Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:10; content:"/help.html"; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.0)"; http_user_agent; reference:md5,185e930a19ad1a99c226d59ef563e28c; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/; reference:url,fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html; classtype:trojan-activity; sid:2018285; rev:4; metadata:created_at 2014_03_17, updated_at 2014_03_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6054
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7d\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:trojan-activity; sid:2018287; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_03_17, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6055
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:trojan-activity; sid:2017417; rev:9; metadata:created_at 2012_07_30, updated_at 2012_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6068
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6069
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN MultiThreat/Winspy.RAT Keep-Alive (flowbit set)"; flow:established,to_server; dsize:2; content:"/P"; depth:2; flowbits:set,WinSpy.KeepAlive; flowbits:noalert; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; reference:md5,815576890789003a7575c2948508c6b1; classtype:trojan-activity; sid:2018291; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6070
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus GameOver Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a| default"; http_header; fast_pattern:only; content:"X-ID|3a 20|"; http_header; pcre:"/^Host\x3a\x20default(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,bd850c21254c33cd9f6be41aafc6bf46; classtype:trojan-activity; sid:2018296; rev:2; metadata:created_at 2014_03_18, updated_at 2014_03_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6074
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Stoberox.B"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"Host|3a|"; http_header; depth:5; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Accept-Encoding|3a 20|none|0d 0a|"; http_header; fast_pattern:3,20; content:!"Referer"; http_header; pcre:"/^[a-zA-Z0-9\+\/]+={0,2}$/P"; reference:md5,6ca1690720b3726bc76ef0e7310c9ee7; classtype:trojan-activity; sid:2018300; rev:3; metadata:created_at 2014_03_20, updated_at 2014_03_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6075
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; content:"/Default.aspx?INDEX="; http_uri;  pcre:"/\?ID=[A-Z]{10}$/U"; content:!"User-Agent|3a| Mozilla"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,intelreport.mandiant.com/; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; classtype:trojan-activity; sid:2016460; rev:7; metadata:created_at 2011_10_06, updated_at 2011_10_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6076
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dorkbot Loader Payload Request"; flow:established,to_server; content:"Mozilla/4.0|0D 0A|Host|3a|"; http_header; content:".exe"; http_uri; fast_pattern; urilen:<11; reference:md5,3452c20fd0df69ccfdea520a6515208a; classtype:trojan-activity; sid:2016578; rev:5; metadata:created_at 2013_03_15, updated_at 2013_03_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6077
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Sisproc"; flow:established,to_server; content:"/page_"; content:"Cookie|3a 20|XX=0|3b 20|BX=0"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,aaf73666cbd750ed22b80ed836d2b1e4; classtype:trojan-activity; sid:2018320; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6079
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header"; flow:established,from_server; content:"X-Sinkholed-Domain|3a|"; http_header; reference:md5,723a90462a417337355138cc6aba2290; classtype:trojan-activity; sid:2017662; rev:3; metadata:created_at 2013_11_04, updated_at 2013_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6080
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Bozok.RAT checkin"; flow:to_server; content:"|00 00 00|"; offset:1; depth:4; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:64; content:"|00 7C 00|"; within:12; content:"|00 7C 00|"; within:5; content:"|00 7C 00|0|00 7c 00|2|00|"; within:32; reference:md5,a45d3564d1fa27161b33712f035a5962; reference:url,www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html; classtype:trojan-activity; sid:2018325; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6081
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SpeedingUpMyPC.Rootkit Install CnC Beacon"; flow:established,to_server; urilen:9; content:"POST"; http_method; content:"/install/"; http_uri; content:"q="; http_client_body; depth:2; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:trojan-activity; sid:2018331; rev:2; metadata:created_at 2014_03_28, updated_at 2014_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6082
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SpeedingUpMyPC.Rootkit CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/get/?q="; http_uri; content:"win32"; depth:5; http_user_agent; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:trojan-activity; sid:2018332; rev:3; metadata:created_at 2014_03_28, updated_at 2014_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6083
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_17, updated_at 2013_04_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6084
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hangover Campaign Keylogger 2 checkin"; flow:established,to_server; content:"/access.php"; fast_pattern; http_uri; content:"sendfile"; depth:8; nocase; http_user_agent; reference:md5,0b38f87841ed347cc2a5ffa510a1c8f6; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016862; rev:4; metadata:created_at 2013_05_20, updated_at 2013_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6085
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mal/Ransom-CE Connectivity Check"; flow:established,to_server; content:"POST"; http_method; content:"/windows"; fast_pattern:only; http_uri; pcre:"/\/windows$/U"; content:"MSIE"; http_user_agent; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; depth:11; content:"Host|3a 20|www.microsoft.com|0d 0a|"; http_header; reference:md5,6faa7077de347ee0fa8c991934c2c3a5; reference:md5,a1fe3a7ff1ec997411b71212483eea33; reference:md5,97c0000473c5004d2e8c0464e322f429; classtype:trojan-activity; sid:2018295; rev:3; metadata:created_at 2014_03_18, updated_at 2014_03_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6086
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SpeedingUpMyPC.Rootkit Successful Install GET Type CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/install/?q="; http_uri; content:"win32"; depth:5; http_user_agent; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:trojan-activity; sid:2018345; rev:6; metadata:created_at 2014_04_01, updated_at 2014_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6089
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/Trojan-Gypikon Server Check-in Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00 00 00|"; content:"|40 00 00 00 00|"; distance:1; within:6; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018130; rev:3; metadata:created_at 2014_02_13, updated_at 2014_02_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6101
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Trojan-Gypikon Sending Data"; flow:established,to_server; content:"@"; pcre:"/^(?:x(?:86|64)@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; content:" OS|3a 20|Win"; within:8; content:" CPU|3a|"; distance:0; content:"Hz|2c|RAM|3a|"; distance:0; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018129; rev:4; metadata:created_at 2014_02_13, updated_at 2014_02_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6102
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET"; flow:to_server,established; dsize:8; content:"|00 00|"; offset:2; depth:2; content:"|00 00|"; distance:2; within:2; flowbits:set,ET.gh0stFmly; flowbits:noalert; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:trojan-activity; sid:2017935; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6103
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET"; http_method; content:"/stat/tuk/"; http_uri; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014758; rev:5; metadata:created_at 2012_05_16, updated_at 2012_05_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6104
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET TROJAN Gh0st_Apple Checkin"; flow:to_server,established; content:"GET"; http_method; content:".gif?pid"; fast_pattern; content:"&v="; content:"Mozilla/4.0("; http_user_agent; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:trojan-activity; sid:2017412; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2013_09_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6106
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:trojan-activity; sid:2018390; rev:1; metadata:created_at 2014_04_15, updated_at 2014_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6107
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[A-F0-9]{24}$/U"; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; depth:13; pcre:"/^[A-Z]{4}/RH"; content:"1|3a 20|0|0d 0a|"; fast_pattern; http_header; within:6; content:!"Referer"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:6; metadata:created_at 2013_11_13, updated_at 2013_11_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6108
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Fake/Short Google Search Appliance UA Win32/Ranbyus and Others"; flow:established,to_server; content:"User-Agent|3a 20|gsa-crawler|0d 0a|"; nocase; http_header; fast_pattern:5,20; reference:url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers; reference:md5,98b58bd8a5138a31105e118e755a3773; reference:md5,c07a6035e9c7fed2467afab1a9dbcf40; classtype:trojan-activity; sid:2017937; rev:3; metadata:created_at 2014_01_07, updated_at 2014_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6111
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"GET "; depth:4; content:"chrome/9.0"; http_user_agent; pcre:"/\x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:9; metadata:created_at 2012_01_27, updated_at 2012_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6112
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN GreenDou Downloader User-Agent (hello crazyk)"; flow:established,to_server; content:"User-Agent|3A 20|hello crazyk"; http_header; reference:md5,67d52ae285ac82f959b3675550de8a2d; reference:md5,e668a501bd107de161378a9fd9c5d1f2; classtype:trojan-activity; sid:2018404; rev:2; metadata:created_at 2014_04_21, updated_at 2014_04_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6115
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN hacker87 checkin"; flow:to_server,established; content:"POST"; http_method; content:"/AppEn.php"; fast_pattern:only; http_uri; content:"parameter="; depth:10; http_client_body; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:trojan-activity; sid:2018420; rev:2; metadata:created_at 2014_04_24, updated_at 2014_04_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6120
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:trojan-activity; sid:2014272; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6122
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:trojan-activity; sid:2014271; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6123
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop icmp $HOME_NET any -> any any (msg:"ET TROJAN Backdoor.Win32.RShot Ping Outbound"; icode:0; itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6124
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Spy.Win32.Zbot.qgxi Checkin"; flow:to_server,established; content:".php?bot="; http_uri; fast_pattern:only; content:"bot="; depth:4; http_cookie; reference:md5,0b450a92f29181065bc6601333f01b07; reference:md5,548fbf4dde27e725c0a1544f61362b50; reference:url,arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising; classtype:trojan-activity; sid:2018412; rev:8; metadata:created_at 2013_10_31, updated_at 2013_10_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6127
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.A.FakeAV Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/404.php?"; nocase; http_uri; content:"type=stats"; nocase; http_uri; content:"affid="; nocase; http_uri; content:"subid="; nocase; http_uri; reference:url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc; reference:md5,ac0ba9e186aee9cf9889d71158485715; classtype:trojan-activity; sid:2014083; rev:5; metadata:created_at 2012_01_02, updated_at 2012_01_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6128
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"User-Agent|3A| Opera/9.25 (Windows NT 6.0|3B| U|3B|"; http_header; fast_pattern:12,20; content:"Host|3A| windowsupdate.microsoft.com"; http_header; content:"Connection|3A| Close"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; reference:md5,aa696180cd0369e264ed8e9137a4f254; classtype:trojan-activity; sid:2018419; rev:6; metadata:created_at 2014_04_24, updated_at 2014_04_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6136
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PandoraRat/Refroso.bsp Activity"; flow:established,to_server; content:"|c3 b8 ba ab a0 bc b0 b1 c1 7c|"; depth:10; content:"|7c|N|7c|"; within:200; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018467; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6138
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PandoraRat/Refroso.bsp Directory Listing Sent To Server"; flow:established,to_server; content:"|7C|DIR#0#bin|7C|DIR#0"; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018468; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6139
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server CnC Checkin Reply"; flow:established,to_client; content:"|02 00 06|"; depth:3; content:"|01 BB|"; distance:4; within:2; fast_pattern; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018477; rev:1; metadata:created_at 2014_05_15, updated_at 2014_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6142
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern:only; content:"|0B 00|"; depth:2; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018479; rev:1; metadata:created_at 2014_05_15, updated_at 2014_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6143
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Hicrazyk.A Downloader Install CnC Beacon"; flow:established,to_server; content:"/setup/?name="; http_uri; fast_pattern:only; content:"&ini="; http_uri; content:"&v="; http_uri; content:"NSISDL/"; depth:7; http_user_agent; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FHicrazyk.A&ThreatID=-2147281007; reference:md5,ddb8110ec415b7b6f43c0ef2b4076d45; classtype:trojan-activity; sid:2018435; rev:7; metadata:created_at 2014_04_29, updated_at 2014_04_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6144
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Urausy.C Checkin 4"; flow:to_server,established; urilen:>80; content:"GET"; http_method; pcre:"/\/([^\x2f]+?\/)?[a-z-_]+?\.(php|html)$/Ui"; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0)|0d 0a|"; fast_pattern:57,20; depth:77; http_header; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; reference:md5,0032856449dbef5e63b8ed2f7a61fff9; classtype:trojan-activity; sid:2017903; rev:3; metadata:created_at 2013_12_26, updated_at 2013_12_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6149
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern:only; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:3; metadata:created_at 2014_05_23, updated_at 2014_05_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6150
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Enosch.A gtalk connectivity check"; flow:to_server; content:"/index.html"; http_uri; content:"User-Agent|3A 20|gtalk|0d 0a|"; depth:19 ; http_header; pcre:"/^User-Agent\x3a\x20gtalk\r\nHost\x3a\x20www\.google\.com\r\n(?:\r\n)?$/H"; reference:md5,b13db8b21289971b3c88866d202fad49; classtype:trojan-activity; sid:2018508; rev:3; metadata:created_at 2014_05_30, updated_at 2014_05_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6154
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Dropper.Win32.Agent.ksja"; flow:established,to_server; content:".php?m="; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 (Compatible|3b| MSIE 6.0|3b 29 0d 0a|Host|3a|"; depth:54; http_header; content:!"Accept|3a|"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?m=[A-F0-9]{12}/U"; reference:md5,3b440e052da726942763d11cf9e3f72c; classtype:trojan-activity; sid:2018507; rev:3; metadata:created_at 2014_05_29, updated_at 2014_05_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6155
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern:only; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_06_03, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6156
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent"; flow:established,to_server; content:"rome0321"; http_user_agent; depth:8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018519; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6158
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (SBTCM)"; flow:established,to_server; content:"User-Agent|3a 20|SBTCM|0d 0a|"; http_header; fast_pattern:12,7; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018524; rev:2; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6159
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (x09)"; flow:established,to_server; content:"User-Agent|3a 20 09 0d 0a|"; http_header; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018529; rev:2; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6160
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (rhyno321)"; flow:established,to_server; content:"rhyno321"; depth:8; http_user_agent; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018523; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6161
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (slayer)"; flow:established,to_server; content:"slayer"; http_user_agent; depth:6; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018525; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6162
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (Vulture)"; flow:established,to_server; content:"Vulture"; http_user_agent; depth:7; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018526; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6163
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (VHIbot/1.0)"; flow:established,to_server; content:"VHIbot/1.0"; http_user_agent; depth:10; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018527; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6164
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (xehanort321)"; flow:established,to_server; content:"xehanort321"; http_user_agent; depth:11; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018528; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6165
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Trojan.Agent.U3D7V0 Checkin"; flow:established, to_server; content: "GET"; http_method; content:"/getc"; http_uri; content:"/?c="; http_uri; fast_pattern:only; pcre:"/^\/getc(?:loud|onf)\/\?c=/Ui"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5, 97572a7a0690ba1643525bf6666b74c6; classtype:trojan-activity; sid:2018530; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6166
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EtumBot Registration Request"; flow:established,to_server; content:"GET"; http_method; content:"/image/"; http_uri; content:".jpg"; http_uri; pcre:"/^\x2fimage\x2f[A-Za-z0-9\+_-]+\x2ejpg$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; fast_pattern:55,20; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018546; rev:6; metadata:created_at 2014_06_09, updated_at 2014_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6167
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EtumBot Ping"; flow:established,to_server; content:"GET"; http_method; content:"/history/"; fast_pattern; depth:9; http_uri; content:".asp"; http_uri; pcre:"/^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018547; rev:3; metadata:created_at 2014_06_09, updated_at 2014_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6168
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EtumBot PUT File Response"; flow:established,to_server; content:"GET"; http_method; content:"/docs/name="; fast_pattern; depth:11; http_uri; pcre:"/^\x2fdocs\x2fname\x3d\x2f[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018549; rev:3; metadata:created_at 2014_06_09, updated_at 2014_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6169
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Etumbot.B Requesting RC4 Key"; flow:to_server,established; content:"/home/index.asp?typeid="; nocase; http_uri; fast_pattern:only; content:"Referer|3a| http|3a|//www.google.com/|0d 0a|"; http_header; pcre:"/^\/home\/index\.asp\?typeid=(?:1[13]?|[3579])$/Ui"; reference:md5,82d4850a02375a7447d2d0381b642a72; reference:md5,ff5a7a610746ab5492cc6ab284138852; reference:url,arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; classtype:trojan-activity; sid:2018552; rev:3; metadata:created_at 2014_06_09, updated_at 2014_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6170
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EtumBot Command Status Message"; flow:established,to_server; content:"GET"; http_method; content:"/tech/s.asp?m="; fast_pattern; depth:14; http_uri; pcre:"/^\x2ftech\x2fs\x2easp\x3fm\x3d[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018548; rev:4; metadata:created_at 2014_06_09, updated_at 2014_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6173
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EtumBot GET File Initial Response"; flow:established,to_server; content:"GET"; http_method; content:"/manage/asp/item.asp?id="; fast_pattern; depth:24; http_uri; pcre:"/^\x2fmanage\x2fasp\x2fitem\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26mux\x3d[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018550; rev:4; metadata:created_at 2014_06_09, updated_at 2014_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6174
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EtumBot GET File Data Upload"; flow:established,to_server; content:"GET"; http_method; content:"/article/30441/Review.asp?id="; fast_pattern; depth:29; http_uri; pcre:"/^\x2farticle\x2f30441\x2fReview\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26data\x3d[A-Za-z0-9+_-]+$/Ui"; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; content:"Referer|3a| http|3a|//www.google.com/"; http_header; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018551; rev:4; metadata:created_at 2014_06_09, updated_at 2014_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6175
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hangover related campaign Checkin"; flow:established,to_server; content:"post.php?filename="; fast_pattern; http_uri; content:"&folder="; http_uri; distance:0; pcre:"/\/\/?$/U"; content:!"Referer|3a|"; http_header; reference:md5,0392fb51816dd9583f9cb206a2cf02d9; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018566; rev:2; metadata:created_at 2014_06_16, updated_at 2014_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6177
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/Citadel Download From CnC Server /files/ attachment"; flow:established,to_client; flowbits:isset,et.citadel; content:"Content-Disposition|3a| attachment|3b| filename=|22 25 32 65|/files/"; fast_pattern:33,20; http_header; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:trojan-activity; sid:2018599; rev:7; metadata:created_at 2014_06_24, updated_at 2014_06_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6184
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern:only; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:trojan-activity; sid:2018614; rev:1; metadata:created_at 2014_06_30, updated_at 2014_06_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6187
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern:only; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:trojan-activity; sid:2018615; rev:1; metadata:created_at 2014_06_30, updated_at 2014_06_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6188
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Sharik C2 Incoming Crafted Request"; flow:established,from_server; content:"|4d 00 02 02 00|"; depth:5; fast_pattern; content:"/"; distance:4; within:5; content:" HTTP/1."; distance:0; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:trojan-activity; sid:2018616; rev:1; metadata:created_at 2014_06_30, updated_at 2014_06_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6189
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Downloader.Win32.Tesch.A Bot Command Checkin 1"; flow:established,to_server; dsize:51; content:"|03 00 30 01 01 00|"; fast_pattern; depth:6;  flowbits:set,ET.Tesch; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:trojan-activity; sid:2018478; rev:2; metadata:created_at 2014_05_15, updated_at 2014_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6192
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Antifulai.APT CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?secue="; http_uri; fast_pattern:only; content:"&pro="; http_uri; content:"|2c|"; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:url,secureworks.com/resources/blog/research/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761/; reference:md5,1c29b24d4d4ef7568f519c470b51bbed; classtype:trojan-activity; sid:2018631; rev:4; metadata:created_at 2014_05_19, updated_at 2014_05_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6198
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36"; flow:to_server,established; dsize:>11; content:"|79 da|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xda/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5b50cc5215694841b9faea0fde472648; classtype:trojan-activity; sid:2018636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6202
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37"; flow:to_server,established; dsize:>11; content:"|79 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,f80fc82b5ff8f65f02ba7af363f84264; classtype:trojan-activity; sid:2018637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6203
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38"; flow:to_server,established; dsize:>11; content:"|49 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa5/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,c8564898ab2598a075cbb478d104e750; classtype:trojan-activity; sid:2018638; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6204
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3134e62b117f9994e173c262b1bcbca5; classtype:trojan-activity; sid:2018639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_07_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6205
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BANKER.WIN32.BANBRA.BEEC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/black/?"; fast_pattern:only; http_uri; content:"tipo="; depth:5; http_client_body; content:"&cliente="; http_client_body; reference:md5,ceb6684ffce35dcbfae4afde3b6fd4bd; classtype:trojan-activity; sid:2018641; rev:3; metadata:created_at 2014_07_03, updated_at 2014_07_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6206
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET TROJAN TrojanSpy.Win32/Banker.AMB SQL Checkin"; flow:established,to_server; content:"I|00|N|00|S|00|E|00|R|00|T"; content:"I|00|N|00|T|00|O"; distance:0; content:"B|00|R|00|O|00|W|00|S|00|E|00|R|00|L|00|O|00|G|00|U|00|S|00|B|00|"; reference:md5,dd141287cb45a2067592eeb9d3aa7162; classtype:trojan-activity; sid:2018645; rev:2; metadata:created_at 2014_07_07, updated_at 2014_07_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6208
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a| "; content:"Foi Instalado"; nocase; fast_pattern:only; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; metadata: former_category TROJAN; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:trojan-activity; sid:2018646; rev:1; metadata:tag Banking_Trojan, created_at 2014_07_07, malware_family Bancos, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6209
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Banload.BTQP Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:".asp?IDPC="; fast_pattern:only; http_uri; pcre:"/\.asp\?IDPC=[^\x26]*?\x26(?:Status=|Msg=)[^\x26]*?$/Ui"; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; http_user_agent; content:!"Referer"; http_header; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:trojan-activity; sid:2018649; rev:4; metadata:created_at 2014_07_08, updated_at 2014_07_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6210
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader.Banload2.KZU Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"OPC="; nocase; fast_pattern:only; http_client_body; pcre:"/^OPC=\d/Pi"; content:"Accept-Encoding|3a| identity|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!"Referer"; http_header; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:trojan-activity; sid:2018653; rev:2; metadata:created_at 2014_07_08, updated_at 2014_07_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6211
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader.Banload2.KZU Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:".hlp"; nocase; fast_pattern:only; http_uri; content:"Accept-Encoding|3a| identity|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:!"Referer"; http_header; pcre:"/^\/[^\x2f]+?\.hlp$/Ui"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:trojan-activity; sid:2018654; rev:3; metadata:created_at 2014_07_08, updated_at 2014_07_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6212
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Banload.BTQP Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:".asp?IDPC="; fast_pattern:only; http_uri; content:"&so="; nocase; http_uri; content:"&user"; http_uri; nocase; content:"&versao"; http_uri; nocase; content:"&pcname="; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; content:!"Referer"; http_header; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:trojan-activity; sid:2018650; rev:3; metadata:created_at 2014_07_08, updated_at 2014_07_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6213
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CyberGate RAT Checkin"; flow:to_server,established; content:".php?"; http_uri; content:"email="; http_uri; content:"&serverid="; http_uri; content:"User|3a|"; http_uri; content:"PC|3a|"; http_uri; content:!"Referer"; http_header; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018659; rev:2; metadata:created_at 2014_07_09, updated_at 2014_07_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6214
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CyberGate RAT User-Agent (USER_CHECK)"; flow:to_server,established; content:"USER_CHECK"; depth:10; http_user_agent; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018660; rev:3; metadata:created_at 2014_07_09, updated_at 2014_07_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6215
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"GET"; http_method; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern:only; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"pandora.com"; http_header; content:!"wordpress.com"; http_header; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:5; metadata:created_at 2012_03_21, updated_at 2012_03_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6216
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Minirem"; flow: established,to_server; urilen:>18; content:"GET"; http_method; content:"/FC001/"; fast_pattern; depth:7; http_uri; content:"Microsoft Internet Explorer"; http_user_agent; reference:md5,d92075280872b9fe4f541f090bf0076c; classtype:trojan-activity; sid:2018664; rev:6; metadata:created_at 2014_01_22, updated_at 2014_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6217
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url, blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6218
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Upatre Common URI Struct July 15 2014"; flow:established,to_server; content:"/0/"; http_uri; content:"Service Pack "; http_uri; distance:2; within:13; pcre:"/\/0\/$/U"; content:!"Referer|3a|"; http_header; reference:md5,79772d72082a082a0048569ba2dfe5a3; classtype:trojan-activity; sid:2018678; rev:3; metadata:created_at 2014_07_15, updated_at 2014_07_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6222
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> any 53 (msg:"ET TROJAN DNS Possible User trying to visit POSHCODER.A .onion link outside of torbrowser"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zpwibfsmoowehdsm|05|onion|00|"; nocase; distance:0; reference:md5,01f4b1d9b2aafb86d5ccfa00e277fb9d; classtype:trojan-activity; sid:2018679; rev:1; metadata:created_at 2014_07_15, updated_at 2014_07_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6223
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Aibatook checkin 2"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/u.html"; http_uri; fast_pattern:only; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; reference:url,welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,d5e8adfefbcc3667734b8df4ae066be6; classtype:trojan-activity; sid:2018687; rev:2; metadata:created_at 2014_07_17, updated_at 2014_07_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6225
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET TROJAN Predator Pain Sending Data over SMTP"; flow:established,to_server; content:"Subject|3a 20|Predator Pain v"; fast_pattern:4,20; reference:md5,e774a7e6ca28487db649458f48230199; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018688; rev:3; metadata:created_at 2014_07_17, updated_at 2014_07_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6227
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET TROJAN Predator Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Predator Logger|20|"; fast_pattern:5,20; reference:md5,91f885e08d627097fb1116a3d4634b82; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018017; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6228
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2018494; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_05_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6231
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Asterope Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?ver="; http_uri; content:"&id="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&res="; distance:0; http_uri; content:"Accept-Asterope|3a|"; http_header; fast_pattern:only; reference:md5,19190ef53877979191f6889c6a795f31; classtype:trojan-activity; sid:2018750; rev:3; metadata:created_at 2014_06_23, updated_at 2014_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6234
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XPSecurityCenter FakeAV Checkin"; flow:to_server,established; content:"/XPSecurityCenter/"; http_uri; content:"User-Agent|3a| Internet Explorer 6.0|0d 0a|"; http_header; reference:md5,1c5eb2ea27210cf19c6ab24b7cc104b9; classtype:trojan-activity; sid:2018761; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6235
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hupigon.DF Checkin"; flow:to_server,established; content:"/ip.txt"; http_uri; urilen:7; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2018762; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6236
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/Zbot.Variant CnC Response"; flow:established,from_server; flowbits:isset,ET.zbot.ua.2106509; content:"200"; http_stat_code; content:"Content-Length|3a| 0|0d 0a|Content-Type|3a| text/html|0d 0a|"; http_header; fast_pattern:11,20; pcre:"/^(\r\n)?$/HR"; reference:md5,0c4d7d9138de7d7919e3b3c33ac2f851; classtype:trojan-activity; sid:2018764; rev:4; metadata:created_at 2013_04_26, updated_at 2013_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6238
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Swizzor User-Agent (Swizz03r)"; flow:established,to_server; content:"GET"; http_method; content:"Swizz03r Download Agent"; nocase; depth:23; http_user_agent; reference:md5,5d232faca6d2b082b450b8ee4e238483; classtype:trojan-activity; sid:2018765; rev:4; metadata:created_at 2013_06_03, updated_at 2013_06_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6239
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:trojan-activity; sid:2018767; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6240
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:trojan-activity; sid:2018768; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6241
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Soraya C2 User-Agent (default)"; flow:established,to_server; content:".php"; http_uri; content:"default"; depth:7; http_user_agent; content:"mode="; depth:5; http_client_body; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:trojan-activity; sid:2018522; rev:3; metadata:created_at 2014_06_04, updated_at 2014_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6242
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Kbot.Backdoor Variant CnC Beacon"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/stat.php"; nocase; http_uri; content:"id="; depth:3; http_client_body; content:"&build_id="; fast_pattern:only; http_client_body; pcre:"/&build_id=[A-F0-9]+$/Pi"; reference:md5,1df0ceab582ae94c83d7d2c79389e178; classtype:trojan-activity; sid:2018078; rev:3; metadata:created_at 2014_02_05, updated_at 2014_02_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6243
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Locker DL URI Struct Jul 25 2014"; flow:to_server,established; content:"/wp-content/themes/"; http_uri; depth:19; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/wp-content\/themes\/[^\x2f]+\/[a-z0-9]+$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a11\.0)[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,dc4d0bd7fb9e647501c3b0d75aa2be65; classtype:trojan-activity; sid:2018787; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6244
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:trojan-activity; sid:2018798; rev:2; metadata:created_at 2014_07_28, updated_at 2014_07_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6246
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DoS.Linux/Elknot.G Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|Linux|20|"; offset:2; depth:21; fast_pattern:1,20; pcre:"/^\d/R"; reference:md5,917a2a3d8c30282acbe7b1ff121a4336; classtype:trojan-activity; sid:2018808; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6248
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:trojan-activity; sid:2018852; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_07_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6249
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backoff POS Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php"; http_uri; content:"&op="; depth:4; http_client_body; content:"&id="; http_client_body; content:"&ui="; http_client_body; content:"&wv="; http_client_body; fast_pattern:only; content:"&bv="; http_client_body; pcre:"/^&op=\d{1,2}&id=\w+?&ui=.+?&bv=\d{1,2}\.\d{1,2}($|&)/P"; reference:md5,d0c74483f20c608a0a89c5ba05c2197f; classtype:trojan-activity; sid:2018857; rev:6; metadata:created_at 2014_03_05, updated_at 2014_03_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6250
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40"; flow:to_server,established; dsize:>11; content:"|7c 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:trojan-activity; sid:2018880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_08_01, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6251
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Troj/ReRol.A Checkin 1"; flow:established,to_server; urilen:18; content:"POST"; http_method; content:"/project/check.asp"; http_uri; fast_pattern:only; content:"Content-Length|3a 20|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0|20 28|compatible|3b 29 0d 0a|"; distance:0; http_header; content:!"Referer|3a 20|"; http_header; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,12854bb8d1e6a590e1bd578267e4f8c9; classtype:trojan-activity; sid:2018882; rev:4; metadata:created_at 2014_07_14, updated_at 2014_07_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6252
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Troj/ReRol.A Checkin 2"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/dr.asp"; http_uri; fast_pattern:only; content:"Content-Length|3a 20|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0|20 28|compatible|3b 29 0d 0a|"; distance:0; http_header; content:!"Referer|3a 20|"; http_header; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,c0656b66b9f4180e59e1fd2f9f1a85f2; classtype:trojan-activity; sid:2018883; rev:3; metadata:created_at 2014_07_14, updated_at 2014_07_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6253
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Mysayad Checkin 1"; flow:established,to_server; content:"HEAD"; http_method; urilen:17; content:"/GlobalUpdate.upt"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:trojan-activity; sid:2018889; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6258
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Mysayad Checkin 2"; flow:established,to_server; content:"HEAD"; http_method; urilen:9; content:"/all.wipe"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:trojan-activity; sid:2018890; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6259
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kronos Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"/upfornow/connect.php"; http_uri; fast_pattern:only; content:"Content-Length|3a| "; http_header; reference:md5,f085395253a40ce8ca077228c2322010; reference:url,securityblog.s21sec.com/2014/08/kronos-is-here.html; classtype:trojan-activity; sid:2018891; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6260
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Pushdo.S CnC response"; flow:established,from_server; flowbits:isset,ET.Pushdo.S; content:"X-GeoIP-Country-Code|3a| "; http_header; content:"X-Real-IP|3a| "; http_header; reference:md5,27aef1d328da442d3bd02c50c1a6b651; classtype:trojan-activity; sid:2018897; rev:2; metadata:created_at 2014_08_05, updated_at 2014_08_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6264
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BITTERBUG Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?compname="; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\.php\?compname=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}_/U"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:trojan-activity; sid:2018900; rev:2; metadata:created_at 2014_08_06, updated_at 2014_08_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6265
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN  BITTERBUG Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/vtris"; fast_pattern:only; http_uri; content:".php?srs="; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/vtris\d?\.php\?srs=\d{1,10}$/U"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:trojan-activity; sid:2018901; rev:2; metadata:created_at 2014_08_06, updated_at 2014_08_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6266
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot Config Download"; flow:established,to_server; content:"GET"; http_method; content:"/soft"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/soft(?:32|64)\.dll$/Ui"; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http_header; content:"User-Agent|3a|"; http_header; content:!"Referer"; http_header; reference:md5,5a99a6a6cd8600ea88a8fcc1409b82f4; classtype:trojan-activity; sid:2018661; rev:3; metadata:created_at 2014_07_09, updated_at 2014_07_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6268
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Trojan Dropped By Archie.EK"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe/Ui"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:trojan-activity; sid:2018928; rev:3; metadata:created_at 2014_08_13, updated_at 2014_08_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6273
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:trojan-activity; sid:2018935; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_08_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6274
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern:only; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:2; metadata:created_at 2014_08_14, updated_at 2014_08_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6275
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/PSW.Steam.NBP Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/data2.php?file="; fast_pattern:only; http_uri; content:"Mozilla/4.0 (compatible|3b| Synapse)"; depth:33; http_user_agent; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,17d2b62f2fa20f407485437de17787fb; reference:md5,bec091077138a1cac49db00495d456e7; classtype:trojan-activity; sid:2018949; rev:3; metadata:created_at 2014_08_18, updated_at 2014_08_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6282
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ShellBot.C retrieval"; flow:from_server,established; file_data; content:"my $processo"; content:"my @adms="; distance:0; content:"my @canais="; distance:0; content:"|23|gh|30|sts"; distance:0; within:10; reference:md5,3e44252394078c8fd792da1583525d0c; reference:url,pastebin.com/0dAciksC; reference:url,pastebin.com/C0arvGxU; classtype:trojan-activity; sid:2018953; rev:2; metadata:created_at 2014_08_18, updated_at 2014_08_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6283
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Python.Ragua Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/WebCam/Cam.txt"; nocase; http_uri; fast_pattern:only; content:"Python-urllib/"; depth:14; http_user_agent; nocase; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:url,securelist.com/blog/research/66108/el-machete/; reference:md5,a8602b4c35f426107c9667d804470745; classtype:trojan-activity; sid:2018968; rev:3; metadata:created_at 2014_08_20, updated_at 2014_08_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6287
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent (Asteria md5)"; flow:to_server,established; content:"d9d385b3522b242398af91fd425b386d"; depth:32; http_user_agent; reference:md5,56c16ad7da8cecb429dccb168aef46b7; classtype:trojan-activity; sid:2018985; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_08_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6296
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX variant"; flow:to_server,established; content:"GET"; http_method; content:"/p/"; depth:3; http_uri; pcre:"/^\/p\/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/U"; content:"code.google.com"; fast_pattern:only; http_header; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; threshold: type both, count 1, seconds 30, track by_src; reference:md5,f92e9e3e86856b5c0ee465f77a440abb; reference:url,researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; classtype:trojan-activity; sid:2018984; rev:7; metadata:created_at 2014_08_21, updated_at 2014_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6297
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Xema dropping file"; flow:to_server,established; content:"/pruebas.doc"; http_uri; fast_pattern:only; content:!"Referer"; http_header; reference:md5,f5fbdb120594f4da7f638122d6635933; classtype:trojan-activity; sid:2018994; rev:2; metadata:created_at 2014_08_25, updated_at 2014_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6298
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows net start Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"These Windows services are started|3a 0d|"; fast_pattern:8,16; content:"The command completed successfully|2e|"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019001; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6300
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows ipconfig Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Windows IP Configuration|0d|"; fast_pattern:8,16; content:"Ethernet adapter Local Area Connection|3a|"; distance:0; content:"Physical Address"; content:"IP Address"; content:"Subnet Mask"; content:"Default Gateway"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019000; rev:3; metadata:created_at 2014_08_25, updated_at 2014_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6301
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_25, updated_at 2014_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6302
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dirt Jumper/Russkill3 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0"; content:"k="; fast_pattern; depth:2; http_client_body; pcre:"/k=\d{15}/P"; reference:md5,10e7af7057833a19097cb22ba0bd1b99; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; classtype:trojan-activity; sid:2013439; rev:10; metadata:created_at 2011_08_03, updated_at 2011_08_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6304
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyreza RAT Checkin"; flow:established,to_server; content:"GET"; http_method; content:"_W"; http_uri; content:"|2e|"; distance:6; within:1; http_uri; content:"/publickey/"; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b61145a54698753cecf8748359c9d81e; classtype:trojan-activity; sid:2018579; rev:7; metadata:created_at 2014_06_12, updated_at 2014_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6307
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Dyreza RAT Checkin Response"; flow:established,to_client; content:"|a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f|"; offset:4; depth:15; reference:md5,b61145a54698753cecf8748359c9d81e; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018596; rev:3; metadata:created_at 2014_06_12, updated_at 2014_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6308
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dyreza RAT Fake Server Header"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"Server|3A| Stalin"; http_header; fast_pattern:only;  reference:md5,7e3e28320d209a586917668e3b8eac40; classtype:trojan-activity; sid:2018775; rev:3; metadata:created_at 2014_07_25, updated_at 2014_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6309
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyreza RAT Checkin 3"; flow:established,to_server;  content:"GET"; http_method; content:"_W"; http_uri; content:"|2e|"; distance:6; within:1; http_uri; content:"/replace/"; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header;  reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018749; rev:6; metadata:created_at 2014_07_21, updated_at 2014_07_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6310
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyreza RAT Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"_W"; http_uri; content:"|2e|"; distance:6; within:1; http_uri; content:"/NAT/"; distance:0; http_uri; fast_pattern; content:"|20|NAT/"; distance:0; http_uri; content:!"Accept|3a|"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header;  reference:md5,2a835747b7442b1d58ab30abc90d3b0f; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018683; rev:6; metadata:created_at 2014_07_16, updated_at 2014_07_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6311
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex/Bugat/Feodo POST Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|59|0d 0a|Host|3a 20|"; depth:26; http_header; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/RH"; pcre:"/^\/[\/a-z0-9]+$/Ui"; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018771; rev:5; metadata:created_at 2014_07_24, updated_at 2014_07_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6312
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dridex/Bugat/Feodo Cookie"; flow:established,to_client; content:"tfardci_session="; depth:16; http_cookie; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018770; rev:4; metadata:created_at 2014_07_24, updated_at 2014_07_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6313
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Interface|3a|"; content:"--- 0x"; distance:0; content:"Internet Address"; content:"Physical Address"; fast_pattern; distance:0; content:"Type"; content:"dynamic"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019080; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6317
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows set Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"ALLUSERSPROFILE="; fast_pattern; content:"APPDATA="; distance:0; content:"CLIENTNAME="; content:"CommonProgramFiles="; distance:0; content:"COMPUTERNAME="; content:"ComSpec="; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019081; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6318
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41"; flow:to_server,established; dsize:>11; content:"|c3 70|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xc3\x70/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,23bb9c2ed95e942f886d544fefd20d70; classtype:trojan-activity; sid:2019083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_08_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6320
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Syrian Malware Checkin"; flow:established,to_server; content:"|2f|j|7c|n|5c|"; offset:2; depth:5; content:"[endof]"; fast_pattern; distance:0; reference:url,fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html; reference:md5,a8cf815c3800202d448d035300985dc7; classtype:trojan-activity; sid:2019084; rev:1; metadata:created_at 2014_08_29, updated_at 2014_08_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6321
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:to_server,established; flowbits:isset,ET.gh0stFmly; content:"|78 9c 0b cf cc|"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:trojan-activity; sid:2017936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6323
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Popwin Checkin"; flow:to_server,established; content:"/soft/xiaomi"; fast_pattern:only; http_uri; content:".asp";  content:"API-Guide test program"; depth:22; http_user_agent; content:!"Referer|3a|"; content:!"Accept|3a 20|"; reference:url,www.virustotal.com/en/file/79dfb0ea0d788dd388a1d1856402f04ddcdc42b7134ffc80747b339937216cbb analysis/; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:trojan-activity; sid:2018143; rev:5; metadata:created_at 2014_02_14, updated_at 2014_02_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6324
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HighTide trojan Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?"; http_uri; depth:2; content:"Trident/5.0|29 0d 0a|"; fast_pattern; http_header; content:"Referer|3A| http|3A|//www.google.com/|0D  0A|"; http_header; pcre:"/^\/\?\d(?:[A-Za-z0-9~_]{4})*(?:[A-Za-z0-9~_]{2}--|[A-Za-z0-9~_]{3}-|[A-Za-z0-9~_]{4})$/U"; reference:md5,6e59861931fa2796ee107dc27bfdd480; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:trojan-activity; sid:2019113; rev:2; metadata:created_at 2014_09_04, updated_at 2014_09_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6329
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Bapy.Downloader PE Download Request"; flow:established,to_server; content:"GET"; http_method; urilen:9; content:"/tmps."; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/[a-z]\d{2}$/U"; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; classtype:trojan-activity; sid:2019127; rev:2; metadata:created_at 2014_09_05, updated_at 2014_09_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6333
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Bravix.Dropper CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/get.php?file=cmds/main"; http_uri; content:!"Referer|3A|"; http_header; reference:md5,19484a240a16c7faea84dcac0c38d118; classtype:trojan-activity; sid:2019128; rev:2; metadata:created_at 2014_09_05, updated_at 2014_09_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6334
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"HOST|3a|"; depth:5; http_header; content:"www.google.com|0d 0a|"; within:17; http_header; content:"|00 00 00 00 00 00 00 00 00 00|"; offset:35; depth:10; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; classtype:trojan-activity; sid:2019129; rev:10; metadata:created_at 2012_06_12, updated_at 2012_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6335
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Frosparf.B Downloading Hosts File"; flow:established,from_server; file_data; content:"9.9.9.9 "; within:8; pcre:"/^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]/R"; reference:md5,4ad55877464aa92e49231d913d00eb69; classtype:trojan-activity; sid:2019142; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6339
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Zeus GameOver Connectivity Check 2"; flow:established,to_server; urilen:1; content:"Connection|3a 20|Close"; http_header; fast_pattern:only; content:"Host|3a 20|windowsupdate.microsoft.com|0d 0a|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,236bde81355e075e7ed6bcdc60daefcb; classtype:trojan-activity; sid:2019155; rev:2; metadata:created_at 2014_09_10, updated_at 2014_09_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6348
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6349
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DecebalPOS Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?&co="; http_uri; fast_pattern:only; content:"&us="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&tr2="; http_uri; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019160; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6350
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DecebalPOS User-Agent"; flow:established,to_server; content:"Decebalv"; depth:8; http_user_agent; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019161; rev:3; metadata:created_at 2014_09_11, updated_at 2014_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6351
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win.Trojan.Chewbacca connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"/ip/"; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3b| Synapse|29 0d 0a|"; http_header; fast_pattern:36,11; content:!"Accept"; http_header; content:!"Referer"; http_header; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,www.symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:trojan-activity; sid:2019162; rev:4; metadata:created_at 2014_08_18, updated_at 2014_08_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6352
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JackPOS XOR Encoded HTTP Client Body (key AA)"; flow:established,to_server; content:"|AB AB|"; depth:2; http_client_body; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; http_client_body; fast_pattern:only; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019164; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6354
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Stobox Connectivity Check"; flow:established,to_server; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; http_uri; fast_pattern:28,20; content:"Host|3a 20|update.microsoft.com|0d 0a|"; http_header; depth:28; content:!"Accept-Language|3a|"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"|0d 0a 0d 0a|"; threshold: type both, count 5, seconds 300, track by_src; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:4; metadata:created_at 2014_09_11, updated_at 2014_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6356
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Tinba Server Response"; flow:established,to_client; flowbits:isset,ET.Tinba.Checkin; file_data; content:"|64 b4 dc a4|"; within:4; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019169; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6362
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DoS.Linux/Elknot.E Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|10 27 60 ea|Linux|20|"; offset:4; depth:64; reference:md5,9a2a00f4bba2f3e0b1211a1f0cb48896; classtype:trojan-activity; sid:2019171; rev:2; metadata:created_at 2014_09_12, updated_at 2014_09_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6369
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query to Known CnC Domain msnsolution.nicaze.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"nicaze|03|net"; fast_pattern; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:4; metadata:created_at 2012_01_21, updated_at 2012_01_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6391
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Spy.RapidStealer.B Checkin"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/key/index.php"; http_uri; fast_pattern:only; content:"dir="; depth:4; http_client_body; content:"&data="; distance:0; http_client_body; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,c14690b90459744a300a02f45b32168a; reference:url,quequero.org/2014/09/win32-blackberrybbc-malware-analysis/; classtype:trojan-activity; sid:2019179; rev:2; metadata:created_at 2014_09_16, updated_at 2014_09_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6402
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Miras C2 Activity"; flow:established,to_server; content:"|36 36 36 36 58 36 36 36|"; offset:2; depth:8; reference:md5,98a3a68f76ed2eba763eb7bfb6648562; classtype:trojan-activity; sid:2018979; rev:2; metadata:created_at 2014_08_21, updated_at 2014_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6403
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kuluoz/Asprox Activity"; flow:established,to_server; content:"POST"; http_method; pcre:"/^\/(?:[A-Fa-f0-9]+|index\.php)$/U"; content:"|80 00 00 00|"; depth:4; http_client_body; content:!"Referer"; http_header; flowbits:set,ET.Kuluoz; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2017895; rev:8; metadata:created_at 2013_12_23, updated_at 2013_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6404
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download 3"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"return |22|PROXY"; pcre:"/^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9])/Ri"; reference:md5,6f2dc4ba05774f3e5ebf6c502db48a71; classtype:trojan-activity; sid:2019191; rev:13; metadata:created_at 2014_09_18, updated_at 2014_09_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6405
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download 2"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c/m"; reference:md5,6e4a990b1540fa6b5896034b976ccecf; classtype:trojan-activity; sid:2019190; rev:14; metadata:created_at 2014_09_18, updated_at 2014_09_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6407
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NewPosThings Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"cs="; http_client_body; content:"&p="; http_client_body; content:"&m="; http_client_body; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019197; rev:2; metadata:created_at 2014_09_19, updated_at 2014_09_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6408
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NewPosThings Data Exfiltration"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"cs="; http_client_body; content:"&m="; http_client_body; content:"&ls="; http_client_body; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019198; rev:2; metadata:created_at 2014_09_19, updated_at 2014_09_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6409
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NewPosThings POST with Fake UA and Accept Header"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 7.0b|3b| Windows NT 6.0)"; fast_pattern:7,20; http_header; content:"Accept|3a 20 3f 2a 0d 0a|"; depth:12; http_header; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019199; rev:2; metadata:created_at 2014_09_19, updated_at 2014_09_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6410
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; content:"/index312.php?ver="; http_uri; content:"&cam="; http_uri; content:"&p=spy"; http_uri; content:"&id="; http_uri; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015850; rev:3; metadata:created_at 2012_10_31, updated_at 2012_10_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6421
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus.Downloader Campaign Unknown Initial CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/ppp/ta.php"; http_uri; fast_pattern:only; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018183; rev:4; metadata:created_at 2014_02_26, updated_at 2014_02_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6446
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; content:"2p/"; http_uri; content:".exe"; fast_pattern; http_uri; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/U"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:5; metadata:created_at 2014_02_26, updated_at 2014_02_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6447
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus.Downloader Campaign Unknown Initial CnC Beacon 10/4/2014"; flow:established,to_server; content:"POST"; http_method; content:"/ccc/tab.php"; http_uri; fast_pattern:only; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018384; rev:3; metadata:created_at 2014_04_11, updated_at 2014_04_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6449
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; content:"/2p/"; http_uri; content:".exe"; fast_pattern; http_uri; pcre:"/^\x2F2p\x2F[a-z]{1,2}\.exe$/U"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:3; metadata:created_at 2014_04_11, updated_at 2014_04_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6450
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/BillGates Checkin"; flow:established,to_server; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 f4 01 00 00 32 00 00 00 e8 03|"; distance:0; content:"|01 01 02 00 00 00 01 00 00 00|"; distance:0; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:trojan-activity; sid:2019207; rev:1; metadata:created_at 2014_09_22, updated_at 2014_09_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6461
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/BillGates Checkin Response"; flow:established,from_server; dsize:20; content:"|08 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 e8 fd 00 00|"; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:trojan-activity; sid:2019208; rev:1; metadata:created_at 2014_09_22, updated_at 2014_09_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6462
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/AES.DDoS Sending Real/Fake CPU&BW Info"; flow:established,to_server; content:"INFO|3a|"; depth:5; pcre:"/^\d/R"; content:"|25 7c|"; distance:0; threshold: type both, count 1, seconds 30, track by_src; reference:md5,d8059b555dde05e184c0b16bbff523f1; classtype:trojan-activity; sid:2019177; rev:3; metadata:created_at 2014_09_15, updated_at 2014_09_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6463
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:trojan-activity; sid:2019203; rev:2; metadata:created_at 2014_09_22, updated_at 2014_09_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6465
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Yangji.A Checkin"; flow:established,to_server; dsize:1024; content:"cngameanti|7c|"; depth:11; pcre:"/^\x2d?\d/R"; reference:md5,b5badeb16414cba66999742601c092b8; classtype:trojan-activity; sid:2019229; rev:1; metadata:created_at 2014_09_24, updated_at 2014_09_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6467
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET TROJAN Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:trojan-activity; sid:2019235; rev:1; metadata:created_at 2014_09_24, updated_at 2014_09_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6469
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Kuluoz/Asprox CnC Response"; flow:from_server,established; flowbits:isset,ET.Kuluoz; content:"|0d 0a 0d 0a|"; content:"|0d 0a 80 00 00 00|"; distance:2; within:6; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2019187; rev:5; metadata:created_at 2014_09_17, updated_at 2014_09_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6470
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BlackEnergy v2 POST Request"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&dv="; http_client_body; content:"&dpv="; http_client_body; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,948cd0bf83a670c05401c8b67d2eb310; classtype:trojan-activity; sid:2019281; rev:2; metadata:created_at 2014_09_26, updated_at 2014_09_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6473
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BlackEnergy POST Request"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; depth:3; http_client_body; content:"&bid="; distance:0; http_client_body; fast_pattern; content:"&t="; distance:0; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,72372ffac0ee73dc8b6d237878e119c1; classtype:trojan-activity; sid:2019283; rev:2; metadata:created_at 2014_09_26, updated_at 2014_09_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6474
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Boleteiro checking stolen boleto payment information"; flow:to_server,established; content:"Vencimento="; fast_pattern:only; http_uri; content:"&Valor="; http_uri; content:"&Sacado="; http_uri; content:"&URL="; http_uri; content:"&Browser=Chrome"; http_uri; reference:md5,3cffb955c08f6c1546bfeae37a215787; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-091718-2034-99&tabid=2; classtype:trojan-activity; sid:2019243; rev:4; metadata:created_at 2014_09_25, updated_at 2014_09_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6475
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dyre SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 2d 8e ea 67 c4 08 ea|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019305; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6477
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dyre SSL Cert 2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8b 77 b3 d1 92 8c 7d 48|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019306; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6478
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dyre SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b f5 c0 6b 03 3a 00 3f|"; distance:0; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,510b4db9aa400583e7927afa5f956179; classtype:trojan-activity; sid:2019307; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_09_29, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6479
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0;  reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:2; metadata:created_at 2014_08_25, updated_at 2014_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6486
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cryptolocker Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:11; content:"/random.php"; http_uri; fast_pattern:only; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Mozilla/5."; http_user_agent; pcre:"/^\d{2,7}$/RV";  reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:trojan-activity; sid:2019353; rev:3; metadata:created_at 2014_10_03, updated_at 2014_10_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6487
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SpyClicker.ClickFraud Query Instructions CnC Response"; flow:established,to_client; content:"|0D 0A 0D 0A|{|22|query|22 3A|"; content:"|22|tasks|22 3A|"; distance:0; content:"|22|referer|22 3A|"; distance:0; content:"|22|useragent|22 3A|"; distance:0; content:"|22|clickurl|22 3A|"; distance:0; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:trojan-activity; sid:2019357; rev:2; metadata:created_at 2014_10_06, updated_at 2014_10_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6489
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SpyClicker.ClickFraud CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/feed.dll?pub_id="; http_uri; fast_pattern:only; content:"&ua="; offset:17; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:trojan-activity; sid:2019355; rev:3; metadata:created_at 2014_10_06, updated_at 2014_10_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6492
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6493
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/PSW.Papras.CK file upload"; flow:established,to_server; content:"POST"; http_method; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern:6,20; http_client_body; pcre:"/^\x2f[a-zA-Z]{4,}\x2ephp\x3f[a-zA-Z]{2,10}\x3d(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,5e7cbe7e62a6c5de45092ad0c4852d1a; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019379; rev:3; metadata:created_at 2014_10_09, updated_at 2014_10_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6497
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi/Ursnif/Papras Connectivity Check"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/usdeclar.txt"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,5f3530edbe1fce44e05ad0c96e54efb4; reference:md5,279fc5e6181d58f883a15d5089ce541b; reference:url,krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019380; rev:4; metadata:created_at 2014_10_09, updated_at 2014_10_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6498
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ursnif Connectivity Check"; flow:established,to_server; content:"GET"; http_method; urilen:21; content:"/proto/netstrings.txt"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9134651a7c642798414d867874bdfe2f; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019381; rev:3; metadata:created_at 2014_10_09, updated_at 2014_10_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6499
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|server4love|02|ru|00|"; nocase; fast_pattern:only; reference:md5,8d2e901583b60631dc333d4b396e158b; classtype:trojan-activity; sid:2019396; rev:2; metadata:created_at 2014_10_14, updated_at 2014_10_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6503
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Beacon 1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"dc"; nocase; distance:7; content:"|06|beacon"; nocase; offset:12; fast_pattern; pcre:"/^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2}/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:2019454; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6506
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Beacon 2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"dc978a97"; nocase; distance:6; content:"|05|alert"; nocase; offset:12; fast_pattern; pcre:"/^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:2019455; rev:1; metadata:created_at 2014_10_16, updated_at 2014_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6507
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot Requesting PE"; flow:established,to_server; content:"GET"; http_method; content:"/mod_jshoppi"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/mod_jshoppi(?:-|ng|\/)/U"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019459; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6508
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:>20; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; http_header; fast_pattern:7,20; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\nConnection\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nContent-Type\x3a\x20octet\/binary\r\nAccept\x3a\x20\*\/\*\r\nAccept-Language\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d+?\r\n(?:\r\n)?$/H"; reference:md5,68459c32587e08d953d319ceb2d0888b; classtype:trojan-activity; sid:2019478; rev:2; metadata:created_at 2014_10_20, updated_at 2014_10_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6511
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex/Bugat/Feodo GET Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:>25; content:"Host|3a 20|"; depth:6; http_header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; http_header; fast_pattern:7,20; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\nConnection\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\nContent-Type\x3a\x20octet\/binary\r\nAccept\x3a\x20\*\/\*\r\nAccept-Language\x3a[^\r\n]+?\r\n(?:\r\n)?$/H"; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018772; rev:5; metadata:created_at 2014_07_24, updated_at 2014_07_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6512
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible IRCBot.DDOS Common Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)/Ri"; reference:md5,ef54080af1782dd29356032b7ff20849; classtype:trojan-activity; sid:2019471; rev:3; metadata:created_at 2014_10_20, updated_at 2014_10_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6513
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN vSkimmer.PoS Checkin"; flow:to_server,established; content:"/process.php?xy="; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,a99d5d1652dfcda190c3d412828dcf6d; reference:md5,82d9cab2692ae13fc5b835ea2cbb36d7; reference:url,anubis.iseclab.org/action=result&task_id=1b92f08cdbfb73e64450fd07ec88849b3; classtype:trojan-activity; sid:2018109; rev:4; metadata:created_at 2013_03_12, updated_at 2013_03_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6515
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api/client.asmx/SendData"; http_uri; content:"User-Agent|3A| mFramework HTTPGet"; http_header; fast_pattern:12,18; content:"CFG="; http_client_body; depth:4; content:"&Lng="; http_client_body; distance:0; content:"&sinst="; http_client_body; distance:0; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; classtype:trojan-activity; sid:2019498; rev:3; metadata:created_at 2014_10_23, updated_at 2014_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6516
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Wonton-JH Checkin"; flow:established,to_server; content:"POST"; http_method; content:".asp?M00="; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/4.0 (Compatible|3b| MSIE 6.0|3b 29 0d 0a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.asp\?M00=\d+$/U"; reference:url,blog.cylance.com/emerging-threat-alert-cve-2014-4114; reference:md5,37ca2ecb5e1fc89f73c6adc188ff685d; classtype:trojan-activity; sid:2019502; rev:2; metadata:created_at 2014_10_24, updated_at 2014_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6519
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern:only; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:2; metadata:created_at 2014_10_27, updated_at 2014_10_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6523
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Siggen.Dropper CnC Beacon"; flow:established,to_server; content:".jpg?log="; fast_pattern:only; http_uri; content:"&ts="; offset:11; http_uri; content:"&act="; distance:0; http_uri; content:"client|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,ee363de2168aab353c829434189350e4; classtype:trojan-activity; sid:2019515; rev:2; metadata:created_at 2014_10_27, updated_at 2014_10_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6524
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OLDBAIT Checkin sptr"; flow:established,to_server; content:"/~"; http_uri; depth:2; content:"/cgi-bin/sptr.cgi?"; http_uri; content:"_"; http_uri; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019535; rev:3; metadata:created_at 2014_10_28, updated_at 2014_10_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6529
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OLDBAIT Checkin 2 brvc"; flow:established,to_server; content:"/~"; http_uri; depth:2; content:"/cgi-bin/brvc.cgi?"; http_uri; content:"_"; http_uri; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019536; rev:2; metadata:created_at 2014_10_28, updated_at 2014_10_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6530
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Chopstick Checkin (APT28 Related)"; flow:to_server,established; content:"POST"; http_method; content:"/webhp?rel="; http_uri; fast_pattern; content:"ai="; http_uri; distance:0; pcre:"/^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})+/URm"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,6fc8602c8b3a18765bb6d2307d8a4ae1; classtype:trojan-activity; sid:2019537; rev:3; metadata:created_at 2014_10_28, updated_at 2014_10_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6532
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Coreshell Checkin (APT28 Related)"; flow:to_server,established; content:"POST"; http_method; content:"/~xh/sn.cgi?"; http_uri; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+?$/RUm"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,272f0fde35dbdfccbca1e33373b3570d; classtype:trojan-activity; sid:2019539; rev:4; metadata:created_at 2014_10_28, updated_at 2014_10_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6552
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|b6 8b ac d3 d7 e0 e7 36 f0 b5 63 65 1e 1a 31 ae|"; offset:16; depth:16; reference:md5,184a9d13616702154fb10ff9c5d67041; classtype:trojan-activity; sid:2019589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6557
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|01 ec 7e 05 1d 5f 65 ab db 1c df 93 99 cd 06 21|"; offset:16; depth:16; reference:md5,09d4c2f1f24fbdcb1c286b2f4c5589d2; classtype:trojan-activity; sid:2019590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6558
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,2b825e46ae60a9d15b5a731e57410425; classtype:trojan-activity; sid:2019592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6559
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47|"; offset:16; depth:16; reference:md5,afc4d73bde2a536d7a9b7596288ce180; classtype:trojan-activity; sid:2019593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2014_10_29, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6560
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43"; flow:to_server,established; dsize:>11; content:"|83 7f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x83\x7f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f0c10c1705783d3f32742bce3b2aea5; classtype:trojan-activity; sid:2019602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_10_30, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6561
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ropest.H CnC - INBOUND set"; flow:established,from_server; content:"|28 00 00 00 00 01 00 00|"; depth:8; flowbits:set,ET.Zberp; flowbits:noalert; metadata: former_category TROJAN; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:trojan-activity; sid:2025068; rev:1; metadata:created_at 2014_10_30, updated_at 2017_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6563
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ropest.H CnC - INBOUND"; flow:established,from_server; flowbits:isset,ET.Zberp; dsize:24; content:"|10 00 00 00 00 01 00 00|"; depth:8; metadata: former_category TROJAN; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:trojan-activity; sid:2025069; rev:1; metadata:created_at 2014_10_30, updated_at 2017_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6564
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6567
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Strictor Dropper"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"os="; http_uri; content:"&osbit="; http_uri; content:"&antiv="; http_uri; content:"Access"; depth:6; fast_pattern; http_user_agent; reference:md5,909b91071c60fc68c27789d912ccf68a; classtype:trojan-activity; sid:2018964; rev:6; metadata:created_at 2014_08_19, updated_at 2014_08_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6570
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backoff Variant Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?a=start&id="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/&id=[A-F0-9]+$/U"; reference:md5,d8e7983004c5545df6de868bc0c5a947; classtype:trojan-activity; sid:2019636; rev:2; metadata:created_at 2014_11_04, updated_at 2014_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6576
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $EXTERNAL_NET any (msg:"ET TROJAN Shellshock Backdoor.Perl.Shellbot.F C2"; flow:to_server,established; content:"JOIN #shock 777"; content:"PRIVMSG #shock|20 3a|uid="; distance:0; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019637; rev:1; metadata:created_at 2014_11_04, updated_at 2014_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6577
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shellshock Backdoor.Perl.Shellbot.F retrieval"; flow:to_client,established; file_data; content:"#you got shellshocked???"; depth:24; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019644; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6580
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Bedep SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; fast_pattern; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019645; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6581
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern:only; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_11_05, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6582
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"act="; depth:4; http_client_body; content:"&atom="; distance:0; fast_pattern; http_client_body; content:"&id="; distance:0; http_client_body; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; depth:38; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:trojan-activity; sid:2019653; rev:3; metadata:created_at 2014_11_05, updated_at 2014_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6585
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.FakeMS Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:!"Referer"; http_header; content:"|20|(64|20|=|20|"; http_client_body; content:")|20|EXE|20|=|20|"; distance:1; within:8; http_client_body; pcre:"/^\x5b[^\r\n]+\(64\s=\s\d\)\sEXE\s=/P"; reference:md5,e606e56a222f788ab5cbcf40842cbc39; reference:md5,099dc535bdd09d6a7bc4edabc8ded5de; classtype:trojan-activity; sid:2019654; rev:6; metadata:created_at 2014_11_05, updated_at 2014_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6586
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/(?:www\.(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|espa)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:antander(?:banespa|net)?|erasa(?:experian)?)|uolhost)\.com\.br|c(?:(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov))\.br|redicard\.com(?:\.br)?)|itau(?:p(?:ersonnalite|rivatebank)|uniclass)?\.com\.br,|ame(?:ricanexpress\.com(?:\.br)?|x\.com\.br))|(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|risul)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:erasa(?:experian)?|antander)|uolhost)\.com|c(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov)|redicard\.com))\.br|itau(?:(?:p(?:ersonnalite|rivatebank)|uniclass)\.com\.br|\.com\.br,)|ame(?:ricanexpress.com(?:\.br)?|x\.com\.br)|\*(?:linhadefensiva*|hsbc*))/"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; reference:md5,ace343a70fbd26e79358db4c27de73db; classtype:trojan-activity; sid:2014435; rev:14; metadata:created_at 2012_02_28, updated_at 2012_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6588
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Smoke Loader Checkin r=gate"; flow:established,to_server; content:".php?r=gate&"; http_uri; content:"&group="; http_uri; distance:0; content:"&debug="; http_uri; distance:0; content:"5.0 (Windows|3b| U|3b| MSIE 9"; http_header; reference:md5,7ef1e61d9b394a972516cc453bf0ec06; classtype:trojan-activity; sid:2014728; rev:6; metadata:created_at 2012_05_09, updated_at 2012_05_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6589
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:trojan-activity; sid:2019679; rev:3; metadata:created_at 2014_11_07, updated_at 2014_11_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6595
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Miuref/Boaxxe Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"bB"; offset:2; depth:2; http_client_body; content:"MqrU"; within:20; http_client_body; content:"VAMU"; within:29; fast_pattern; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,79d1c8c33062324388d3d563f193a43b; reference:md5,ee3c562151cc9181c6d87602bbf0a285; reference:md5,a42797315c50e335f3de87f6cea61b77; classtype:trojan-activity; sid:2019683; rev:6; metadata:created_at 2014_11_07, updated_at 2014_11_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6596
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_11, updated_at 2014_11_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6601
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Emotet CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"<email_accounts_list>"; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:trojan-activity; sid:2019704; rev:2; metadata:created_at 2014_11_12, updated_at 2014_11_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6602
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Alureon Checkin"; flow:established,to_server; content:"POST"; http_method; content:"winver="; depth:7; http_client_body; content:"&ver="; distance:0; http_client_body; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^winver=\d+&ver=\d+$/P";  reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:trojan-activity; sid:2019717; rev:2; metadata:created_at 2014_11_17, updated_at 2014_11_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6616
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rogue.Win32/FakePAV Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?0="; depth:4; http_uri; fast_pattern; content:"=i"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/\?0=(?:[^&]+?&\d+?=)+?[^=&]+?$/Ui"; reference:md5,6829306e92cfa811b12d9b028eb56a2d; classtype:trojan-activity; sid:2019767; rev:4; metadata:created_at 2014_11_21, updated_at 2014_11_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6628
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault POST M1"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"hwid="; depth:5; http_client_body; content:"&func="; http_client_body; fast_pattern:only; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^hwid=[A-F0-9]{4}(?:-[A-F0-9]{4}){7}&func=/P"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019776; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6630
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault POST M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:"func=getemailurl"; http_client_body; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019777; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6631
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Urausy.C Checkin 2"; flow:to_server,established; urilen:>80; content:"GET"; http_method; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; pcre:"/\/[A-Za-z0-9-_]{75,}\.html$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE "; depth:42; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016567; rev:6; metadata:created_at 2013_03_13, updated_at 2013_03_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6645
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; content:"/payment_gateway/"; http_uri; content:".gz"; http_uri; content:"OperaMini"; depth:9; http_user_agent; pcre:"/^\x2Fpayment_gateway\x2F[a-z0-9]{3,}\x2Egz$/U"; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:trojan-activity; sid:2019824; rev:3; metadata:created_at 2014_12_01, updated_at 2014_12_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6648
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Coinminer.Backdoor CnC Beacon"; flow:established,to_server; content:".php?id="; http_uri; content:"Mozzilla/4.0 (copmatible|3B|"; fast_pattern; http_user_agent; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:trojan-activity; sid:2019826; rev:4; metadata:created_at 2014_12_01, updated_at 2014_12_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6649
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Wadolin.Downloader CnC Beacon"; flow:established,to_server; content:"/upgrade-functions.php?v="; fast_pattern; http_uri; content:"&id="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.1|3B| Windows XP)"; http_header; reference:md5,693c007d651bb5a8c6d2a4f5ed65a69c; classtype:trojan-activity; sid:2019827; rev:2; metadata:created_at 2014_12_01, updated_at 2014_12_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6650
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan/W32.KRBanker.60928.C Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/upload.php"; http_uri; content:"|0d 0a|Accept-Language|3a| zh-cn|0d 0a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.0|29 0d 0a|"; http_header; content:"name=|22|upload_file1|22 3b 20|"; fast_pattern:only; http_client_body; content:".zip|22 0d 0a|"; http_client_body; content:"Content-Type|3a| application/x-zip-compressed|0d 0a|"; http_client_body; pcre:"/filename=\x22[A-Z]\x3a\\.+?\\[a-f0-9]{32}\.zip\x22\r\n/P"; reference:md5,ec5d7bc9d84551066fff51e36bc41d4d; reference:md5,13bd584bb12ee5dc15c35f5911912b09; classtype:trojan-activity; sid:2019828; rev:3; metadata:created_at 2014_12_01, updated_at 2014_12_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6651
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HompesA Activity"; flow:established,to_server; content:"/me/"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/me\/(?:get(?:ref|ua)\.php|videos\.txt)$/U"; reference:md5,8cc58bc4d63f4b78b635d45aa69108f7; classtype:trojan-activity; sid:2019838; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6654
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan/MSIL.bfsx Checkin"; flow:to_server,established; content:"/infect"; fast_pattern:only; http_uri; content:".php"; offset:7; http_uri; content:"User-Agent|3a 20|Microsoft|0d 0a|"; http_header; pcre:"/\/infect(?:-\d)?\.php$/U"; reference:md5,506cd65bdd06f41f8219cd1ed78eac7d; reference:md5,0c39b39ee4a59a8ac5fc1df500da2a88; classtype:trojan-activity; sid:2019840; rev:4; metadata:created_at 2014_12_02, updated_at 2014_12_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6656
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016772; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6666
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6708
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 20000: (msg:"ET TROJAN Sourtoff Download Simda Request"; flow:established,to_server; dsize:18; content:"|0a 10|"; depth:2; flowbits:set,ET.TROJAN.Sourtoff; flowbits:noalert; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019312; rev:2; metadata:created_at 2014_09_29, updated_at 2014_09_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6715
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_05, updated_at 2014_12_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6716
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6719
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.ws)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ws|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019883; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6720
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.to)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|to|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019884; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6721
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.in)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|in|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019885; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6722
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.hk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|hk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019886; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6723
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.cn)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ck|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019887; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6724
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.tk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|tk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019888; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6725
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6726
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:".php?i="; http_uri; content:"&data="; http_uri; distance:0; content:"&hash="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/&hash=[^&]+$/U"; flowbits:set,ET.Vawtrak; reference:md5,13c982c3b9c1ef714770820ffa278d2e; classtype:trojan-activity; sid:2019843; rev:3; metadata:created_at 2014_12_02, updated_at 2014_12_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6728
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:trojan-activity; sid:2019896; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6729
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern:only; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:trojan-activity; sid:2019901; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6730
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern:only; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:trojan-activity; sid:2019902; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6731
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Dalexis.A Possible SSL Cert (smartoptionsinc.com)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|05 11 32 08 1d 81|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019923; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6741
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Dalexis.A Possible SSL Cert (ppc.cba.pl)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 00 81 3d 59 00 8d f2 04 04 8c 3a d3 d0 8e 36 d4 2a|"; distance:9; within:40; content:"|55 04 03|"; distance:0; content:"|06|cba.pl"; distance:1; within:7; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019924; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6742
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Dalexis.A Possible SSL Cert (cargol.cat)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 a7 5c ad 38 d2 d7 fe|"; distance:9; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Tirabol Produccions"; distance:1; within:20; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019925; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2014_12_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6743
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6744
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6745
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6747
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> any [139,445] (msg:"ET TROJAN Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6748
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern:only; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6749
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6750
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern:only; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6751
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for Known OphionLocker Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|smu743glzfrxsqcl"; fast_pattern; nocase; distance:0; reference:url,f-secure.com/weblog/archives/00002777.html; reference:md5,e17da8702b71dfb0ee94dbc9e22eed8d; classtype:trojan-activity; sid:2019934; rev:1; metadata:created_at 2014_12_12, updated_at 2014_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6752
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a| Indy"; content:"BIGFONE TOCOU"; fast_pattern:only; content:"Nome Comp"; metadata: former_category TROJAN; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:1; metadata:tag Banking_Trojan, created_at 2014_12_15, malware_family Bancos, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6754
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET TROJAN Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:trojan-activity; sid:2019941; rev:1; metadata:created_at 2014_12_15, updated_at 2014_12_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6755
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/TinyZBot Checkin (Operation Cleaver)"; flow:established,to_server; content:"POST"; http_method; content:"/checkupdate.asmx"; http_uri; fast_pattern:only; content:"SOAPAction|3a 20 22|http|3a|//tempuri.org/GetServerTime|22 0d 0a|"; http_header; content:"GetServerTime xmlns=|22|http|3a|//tempuri.org/"; http_client_body; content:!"|0d 0a|Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,68cfc418c72b58b770bdccf19805703e; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019942; rev:3; metadata:created_at 2014_12_15, updated_at 2014_12_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6756
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Agent.AIXD Checkin"; flow:to_server,established; content:"/cnc.php?id="; fast_pattern:only; http_uri; content:"&uid="; http_uri; content:"User-Agent|3a| AppleMac|0d 0a|"; http_header; reference:md5,801e450679e9d60f8c64675c432aab33; reference:md5,ad2e8210ca7c2b4b433b3fba65e87b94; reference:md5,f6ea10f719885fbcfb6743724faa94f7; classtype:trojan-activity; sid:2019945; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6757
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Farfli.BHQ!tr Dropper CnC Beacon"; flow:established,to_server; content:"GET"; http_method; urilen:8; content:"/php.php"; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible)"; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/Hmi"; reference:md5,cb53a6e8d65d86076fc0c94dac62aa77; classtype:trojan-activity; sid:2019946; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6758
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/TRCrypt.ULPM Downloader CnC Beacon"; flow:established,to_server; content:".aspx?id="; http_uri; content:"&macaddress="; http_uri; content:"&pcname="; http_uri; content:"&username="; http_uri; content:"&osversion="; http_uri; content:"&versaoatual="; http_uri; fast_pattern; content:"&winkey="; http_uri; reference:md5,3b4f77eefd208f699e6a540878e753a8; classtype:trojan-activity; sid:2019947; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6759
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Symmi.46846 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/notify.php"; http_uri; fast_pattern:only; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MyApp)"; http_header; content:!"Referer|3A|"; http_header; reference:md5,fe5dc2a4ee8aa084c9da42cd2d1ded2e; classtype:trojan-activity; sid:2019948; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6760
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.AAXV Retrieving key from Pinterest"; flow:established,to_server; content:"GET"; http_method; content:"/pin/"; depth:5; http_uri; content:"User-Agent|3a 20|Internet Explorer 6.0|0d 0a|"; http_header; fast_pattern:15,20; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,f25a8e3f5265a57269590b84a506b672; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/; classtype:trojan-activity; sid:2019961; rev:3; metadata:created_at 2014_12_17, updated_at 2014_12_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6762
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Syrian.Slideshow Sending Information via SMTP"; flow:established,to_server; content:"Subject|3a 20|repo|0d 0a|"; content:"filename=|22|mxtd|22|"; reference:md5,f8bfb82aa92ea6a8e4e0b378781b3859; reference:url,citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics; classtype:trojan-activity; sid:2019975; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6767
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tendrit CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/css.ashx?"; depth:10; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/css\.ashx\?[a-z]{2,}=(?:%[A-F0-9]{2})+&/I"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:trojan-activity; sid:2019985; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6771
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tendrit CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/favicon?"; depth:9; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/favicon\?[a-z]{2,}=(?:%[A-F0-9]{2})+&/I"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:trojan-activity; sid:2019986; rev:2; metadata:created_at 2014_12_22, updated_at 2014_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6772
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Nurjax Downloading PE"; flow:established,to_server; content:".exe?dummy="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe\?dummy=\d+$/U"; reference:md5,6b7759565454fb7d02fb5bc638136f31; classtype:trojan-activity; sid:2020032; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6808
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS query for known Anunak APT Domain (update-java.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|update-java|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; reference:md5,0ad4892ead67e65ec3dd4c978fce7d92; classtype:trojan-activity; sid:2020041; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6816
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex Post Check-in Activity"; flow:established,to_server; content:"POST "; depth:5; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Trident/7.0|3b| rv|3a|10.0) like Gecko|0d 0a|"; fast_pattern:53,20; content:"Connection|3a 20|Close|0d 0a|"; content:"HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/R"; threshold:type limit,track by_src,count 1,seconds 60; reference:md5,ac6ea1e500de772341a2075a7d916d63; classtype:trojan-activity; sid:2020064; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6838
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:trojan-activity; sid:2020070; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6840
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Andromeda Checkin Dec 29 2014"; flow:established,to_server; content:"POST"; nocase; http_method; content:"EPF#"; depth:4; fast_pattern; http_client_body; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; content:"Connection|3a 20|close|0d 0a|"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:trojan-activity; sid:2020076; rev:2; metadata:created_at 2015_12_29, updated_at 2015_12_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6842
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"ET TROJAN Win32.Akdoor Reporting MAC Address"; flow:to_server,established; dsize:20; content:"|01 00 00 00 0c 00 00 00|"; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; reference:md5,f5ba42117dd02f50b12542131dcd8b5f; classtype:trojan-activity; sid:2020081; rev:1; metadata:created_at 2015_12_29, updated_at 2015_12_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6846
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.Win32.Ngrbot.lof Join IRC channel"; flow:to_server,established; content:"NICK New|7B|"; nocase; pcre:"/^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n?/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,dd05fcd2368d8d410a5b85e8d504a435; classtype:trojan-activity; sid:2016849; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6848
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Steam Stealer"; flow:to_server,established; content:"GET"; http_method; content:"/uploads/images/201"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/\.png$/U"; reference:md5,5f50e810668942e8d694faeabab08260; reference:url,blog.0x3a.com/post/107195908164/analysis-of-steam-stealers-and-the-steam-stealer; classtype:trojan-activity; sid:2020095; rev:3; metadata:created_at 2015_01_05, updated_at 2015_01_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6851
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern:only; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020150; rev:1; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6854
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern:only; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020151; rev:1; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6855
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET TROJAN Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern:only; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:trojan-activity; sid:2020154; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6856
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET TROJAN Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:trojan-activity; sid:2020155; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6857
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Emotet.C Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:1; content:"MASE|0d 0a|"; http_header; content:"name=|22|c1|22 0d 0a 0d 0a|c"; http_client_body; reference:md5,37d530ffa0bf1129f2db63b75fccce28; classtype:trojan-activity; sid:2020156; rev:7; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6858
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Emotet.C Variant Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/download.php?listfiles="; http_uri; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,cd74438c04b09baa5c32ad0e5a0306e7; classtype:trojan-activity; sid:2020157; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6859
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/0000"; offset:2; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[^\x2f]+\/0000[A-F0-9]{4}\/0[0-2]\/[A-F0-9]{8}$/Ui"; flowbits:set,ET.Vawtrak; metadata: former_category TROJAN; reference:md5,1a5ee37a6075b5a95faf8f07ad060cc9; classtype:trojan-activity; sid:2025087; rev:2; metadata:created_at 2015_01_08, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6861
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/DDoS.M distributed via CVE-2014-6271 Checkin"; flow:established,to_server; content:"BUILD "; depth:6; pcre:"/^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$/R"; flowbits:set,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; classtype:trojan-activity; sid:2019242; rev:2; metadata:created_at 2014_09_26, updated_at 2014_09_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6863
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6864
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6865
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6866
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_12, updated_at 2015_01_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6867
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_12, updated_at 2015_01_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6868
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Brontok User-Agent Detected (Rivest)"; flow:established,to_server; content:"User-Agent|3a| Rivest|0d 0a|"; http_header; nocase; reference:md5,c83b55ab56f3deb60858cb25d6ded8c4; classtype:trojan-activity; sid:2020179; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6875
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern:only; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; pcre:"/^Host\x3a[^\r\n]+?\r\nContent-Length\x3a\x20\d{2,}\r\n(?:\r\n)?$/H"; flowbits:set,ET.Tinba.Checkin; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019168; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6880
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtrudrukmurps7tc"; nocase; distance:0; fast_pattern; reference:md5,35a7f70c5e0cd4814224c96e3c62fa42; classtype:trojan-activity; sid:2020206; rev:1; metadata:created_at 2015_01_19, updated_at 2015_01_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6886
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:trojan-activity; sid:2020209; rev:2; metadata:created_at 2015_01_19, updated_at 2015_01_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6887
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tzsvejrzduo52siy"; nocase; distance:0; fast_pattern; reference:md5,49e988b04144b478e3f52b2abe8a5572; classtype:trojan-activity; sid:2020210; rev:1; metadata:created_at 2015_01_19, updated_at 2015_01_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6888
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/PcClient.AA Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/2015"; http_uri; depth:5; fast_pattern; pcre:"/^\d+?\/(?:\d+?\/-?\d+?\.(?:php|jsp))?$/URi"; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.2|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50727|3b| InfoPath.1|29 0d 0a|"; http_header;  reference:md5,33439543cae709aa7efa58f94e4b2a62; classtype:trojan-activity; sid:2019201; rev:11; metadata:created_at 2014_01_31, updated_at 2014_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6890
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44"; flow:to_server,established; dsize:>11; content:"|96 71|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x96\x71/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a09c176351398922770153bdd54c594; classtype:trojan-activity; sid:2020214; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_01_20, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6895
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin 2"; flow:from_client,established; dsize:260; content:"MB|00 00|"; content:"Windows|20|"; distance:0; content:"V1.0|00 00|"; offset:180; fast_pattern; reference:md5,b9096b87cf643c5f86789d995e9e773d; classtype:trojan-activity; sid:2020222; rev:1; metadata:created_at 2015_01_21, updated_at 2015_01_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6897
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall CryptoWall 3.0 Check-in"; flow:established,to_server; content:"POST"; http_method; content:"http|3a 2f 2f|proxy"; depth:12; http_raw_uri; fast_pattern; content:"i2p|0d 0a|"; http_header; content:!"|0d 0a|Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020233; rev:2; metadata:created_at 2015_01_21, updated_at 2015_01_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6904
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Adrom.Backdoor CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?page="; http_uri; content:"&enckey="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\x26enckey\x3D[A-F0-9]+$/U"; reference:md5,c621055803c68e89f3cb141608fd0894; reference:md5,3c2be5202d2d68047c76bdf7e1dfc2be; classtype:trojan-activity; sid:2020293; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6953
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Scieron Retrieving Information Response"; flow:established,from_server; file_data; content:"system"; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})system$/R"; flowbits:isset,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020297; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6955
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Scieron-A UA (HTClient)"; flow:established,to_server; content:"User-Agent|3a 20|HTClient|3b|"; http_header; fast_pattern:12,9; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020298; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6956
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Scieron-A Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|HTClient|3b|"; http_header; fast_pattern:12,9; pcre:"/^\/\d+$/U"; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020299; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6957
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC Report_Vol.58_Eng.pdf; classtype:trojan-activity; sid:2020303; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6958
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1025 -> $HOME_NET any (msg:"ET TROJAN Possible Mailer Dropped by Dyre SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; reference:md5,dbcdaf617e19d2a35f763ac996cf8cd7; classtype:trojan-activity; sid:2020205; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_01_19, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6960
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern:only; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:1; metadata:created_at 2015_01_27, updated_at 2015_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6966
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern:only; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:1; metadata:created_at 2015_01_27, updated_at 2015_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6967
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Mailer CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/action.php?action=get_"; http_uri; fast_pattern:only; content:"Send Mail"; depth:9; http_user_agent; content:!"Referer|3a|"; http_header; pcre:"/^\/action\.php\?action=get_(?:mails|red)$/U"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:trojan-activity; sid:2020330; rev:2; metadata:created_at 2015_01_29, updated_at 2015_01_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6969
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Mailer CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/action.php?action="; http_uri; fast_pattern:only; content:"&sent_all="; http_uri; content:"&sent_success="; distance:0; http_uri; content:"&active_connections="; distance:0; http_uri; content:"&queue_connections="; distance:0; http_uri; content:"Send Mail"; depth:9; http_user_agent; content:!"Referer|3a|"; http_header;  reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:trojan-activity; sid:2020329; rev:3; metadata:created_at 2015_01_29, updated_at 2015_01_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6970
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/hello.php"; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020339; rev:2; metadata:created_at 2015_01_30, updated_at 2015_01_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6977
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern:only; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020340; rev:5; metadata:created_at 2015_01_30, updated_at 2015_01_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6978
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN f0xy Download"; flow:to_server,established; content:"/bn_versions/"; http_uri; fast_pattern:only; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\/bn_versions\/\d+?\.exe$/U"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020341; rev:4; metadata:created_at 2015_01_30, updated_at 2015_01_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6979
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ArcDoor User-Agent (ALIZER)"; flow:established,to_server; content:"User-Agent|3a 20|ALIZER|0d 0a|"; http_header; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020344; rev:2; metadata:created_at 2015_02_02, updated_at 2015_02_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6980
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ArcDoor Intial Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept"; http_header; content:"Content-Length|3a 20|28|0d 0a|"; fast_pattern:only; pcre:"/^[a-z0-9]{11}=\d{16}$/P"; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020345; rev:2; metadata:created_at 2015_02_02, updated_at 2015_02_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6981
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:2; metadata:created_at 2015_02_02, updated_at 2015_02_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6982
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BePush/Kilim Checkin response"; flow:established,from_server; file_data; content:"Server_ok"; depth:9; flowbits:isset,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020349; rev:2; metadata:created_at 2015_02_03, updated_at 2015_02_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6983
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Critroni Tor DNS Proxy lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|23bteufi2kcqza2l"; distance:0; nocase; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019909; rev:3; metadata:created_at 2014_12_10, updated_at 2014_12_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6984
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|3fdzgtam4qk625n6"; nocase; distance:0; fast_pattern; reference:md5,adb0de790bd3fb88490a60f0dddd90fa; classtype:trojan-activity; sid:2020358; rev:1; metadata:created_at 2015_02_04, updated_at 2015_02_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6986
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 45"; flow:to_server,established; dsize:>11; content:"|7a 9a|"; offset:13; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x7a\x9a/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,eb7909105fd05064b14a21465742952c; classtype:trojan-activity; sid:2020371; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_02_05, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6990
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast C2 Activity"; flow:established,to_server; content:"POST"; http_method; content:".asp?cstring="; http_uri; fast_pattern:only; content:"&tom="; http_uri; content:"&id="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"|00 00 00 00|"; depth:4; http_client_body; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020378; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 6993
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.KeyLogger.ODN Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:19; content:"/newage.txt"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019467; rev:3; metadata:created_at 2014_10_17, updated_at 2014_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7008
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rovnix.J Checkin 2"; flow:established,to_server; content:"[0]|0d 0a|LP="; http_client_body; content:"|0a|VID="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; content:"POST"; http_method; reference:md5,9471e926eda81b4f797b6cfe273e4e79; classtype:trojan-activity; sid:2020396; rev:2; metadata:created_at 2015_02_11, updated_at 2015_02_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7010
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN MSIL/Golroted.B Keylogger FTP"; flow:established,to_server; content:"STOR Logger_"; reference:md5,b2b82fd662dd0ddf53aa37bb9025bf92; classtype:trojan-activity; sid:2020411; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7011
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Predator Pain Keylogger FTP"; flow:established,to_server; content:"STOR Predator_Pain"; reference:md5,c9025c9835d1b7d6f0dd2390ea7d5e18; classtype:trojan-activity; sid:2020412; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7012
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Gulcrypt.B Downloading components - set"; flow:established,to_server; urilen:8; content:"GET"; http_method; content:"/manager"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; flowbits:set,ET.Gulcrypt; flowbits:noalert; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020420; rev:2; metadata:created_at 2015_02_13, updated_at 2015_02_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7014
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Gulcrypt.B Downloading components"; flow:established,from_server; flowbits:isset,ET.Gulcrypt; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020421; rev:2; metadata:created_at 2015_02_13, updated_at 2015_02_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7015
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST CnC Beacon 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Referer|3A|"; http_header; content:"Host|3a 20|"; depth:6; http_header; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/RHmi"; content:"Content-Type|3a 20|text/css|0d 0a|Accept|3a 20|image/**|0d 0a|"; distance:0; http_header; fast_pattern:21,20; content:"|0d 0a 0d 0a|"; byte_extract:1,0,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:trojan-activity; sid:2020301; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7016
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arid Viper APT Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"_rtemp.php?n="; http_uri; fast_pattern:only; content:"|0d 0a|REMOTE_USER|3a 20|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,5efc02d416b15554b25d9acec362148e; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:trojan-activity; sid:2020436; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7037
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ukzo73z4inzpenmq"; nocase; distance:0; fast_pattern; reference:md5,53752a41ed21172343f678423d6c9a44; classtype:trojan-activity; sid:2020458; rev:1; metadata:created_at 2015_02_17, updated_at 2015_02_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7039
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex Post Checkin Activity 2"; flow:established,to_server; urilen:20<>100; content:!"Referer|3a|"; http_header; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^Host\x3a\x20(?=[a-z0-9]{0,19}[A-Z])(?=[A-Z0-9]{0,19}[a-z])[a-zA-Z0-9]{4,20}\.[a-z]{2,3}/H"; content:"|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|Mozilla/"; http_header; within:41; fast_pattern:4,20; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:trojan-activity; sid:2020302; rev:6; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7052
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Beaugrit.gen.AAAA"; flow:established,to_server; content:"GET"; http_method; content:"/attach/1759CB3B5124F217143044"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; reference:md5,fbfe6c2673aec9098e1fc9bf6d7fc059; classtype:trojan-activity; sid:2020479; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7053
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.NSIS.Comame.A Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/9.php?safe="; http_uri; fast_pattern:only; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,6a15f19a3ccd05f74537464e6df64dab; classtype:trojan-activity; sid:2020480; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7054
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:trojan-activity; sid:2020455; rev:2; metadata:created_at 2015_02_17, updated_at 2015_02_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7062
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; urilen:8; content:"/cou.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:trojan-activity; sid:2020504; rev:2; metadata:created_at 2015_02_23, updated_at 2015_02_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7063
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Sality.3 Checkin"; flow:to_server,established; content:"/?f"; http_uri; fast_pattern:only; content:!"User-Agent|3a| "; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Cache-Control|3a 20|"; http_header; pcre:"/\/\?f$/U"; reference:md5,df9516919e75853742e63db318e7d346; classtype:trojan-activity; sid:2020505; rev:2; metadata:created_at 2015_02_23, updated_at 2015_02_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7064
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Athena DDoS Bot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a|"; http_header; content:"a=%"; depth:3; http_client_body; fast_pattern; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; pcre:"/^a=(%[0-9A-Fa-f]{2})+\x26b=[0-9A-Za-z]+(%3[dD]){0,2}\x26c=(%[0-9A-Fa-f]{2})+$/P";  reference:md5,19ca0d830cd7b44e5de1ab85f4e17d82; classtype:trojan-activity; sid:2017633; rev:4; metadata:created_at 2013_04_26, updated_at 2013_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7067
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET TROJAN Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1; metadata:created_at 2015_02_25, updated_at 2015_02_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7068
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|brk7tda32wtkxjpa"; nocase; distance:0; fast_pattern; reference:md5,34ad24860495397c994f8ae168d0e639; classtype:trojan-activity; sid:2020581; rev:1; metadata:created_at 2015_02_27, updated_at 2015_02_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7069
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46"; flow:to_server,established; dsize:>11; content:"|84 60|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x84\x60/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,019ab136fd79147b10ddb3e4162709db; classtype:trojan-activity; sid:2020586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7071
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Xunpf.A Retrieving DLL"; flow:established,to_server; content:"GET"; http_method; content:"/web_"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\/web_[0-9A-F]{12}\.jpg$/U"; reference:md5,dfb7dd8b6975b73dc9c731319a05f86d; classtype:trojan-activity; sid:2020601; rev:2; metadata:created_at 2015_03_03, updated_at 2015_03_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7072
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Andromeda Downloading Module"; flow:to_server,established; content:"GET"; http_method; content:".pack"; nocase; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.pack$/Ui"; content:"Mozilla"; http_header; pcre:"/^User-Agent\x3a\x20Mozilla(?:\/4\.0)?\r?$/Hmi"; reference:md5,65125129418e07ce1000aa677b66b72f; classtype:trojan-activity; sid:2018604; rev:5; metadata:created_at 2014_06_24, updated_at 2014_06_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7074
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55"; flow:to_server,established; dsize:>11; content:"|39 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f42a5b709bf9a1377d2464f936fc841; classtype:trojan-activity; sid:2020614; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7075
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47"; flow:to_server,established; dsize:>11; content:"|79 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5ad0bb62806297fb8bf159d94f82dbb9; classtype:trojan-activity; sid:2020606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7076
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48"; flow:to_server,established; dsize:>11; content:"|da 41|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xda\x41/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,69ffa441a8c3cf4d8fe643174bebb51d; classtype:trojan-activity; sid:2020607; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7077
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49"; flow:to_server,established; dsize:>11; content:"|79 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2e99b9462f95154e9f5b94eeed33a6e3; classtype:trojan-activity; sid:2020608; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7078
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50"; flow:to_server,established; dsize:>11; content:"|7b 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1701f8c71b5861a2f2890dc609ef6eda; classtype:trojan-activity; sid:2020609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7079
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51"; flow:to_server,established; dsize:>11; content:"|7a 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4b70f302c72c94d0b9214808d9f72419; classtype:trojan-activity; sid:2020610; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7080
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53"; flow:to_server,established; dsize:>11; content:"|70 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5a0e030383c472f7d94c0bcd6af71a90; classtype:trojan-activity; sid:2020612; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7081
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54"; flow:to_server,established; dsize:>11; content:"|70 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4d6e0de81f57461337ccfbcce6dc1056; classtype:trojan-activity; sid:2020613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7082
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Emotet Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"/"; offset:1; http_uri; content:"/"; distance:0; http_uri; content:"MSIE 7.0|3b|"; http_user_agent; fast_pattern; content:"Windows NT 6.0"; within:15; http_user_agent; pcre:"/^\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/$/U"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019693; rev:5; metadata:created_at 2014_11_11, updated_at 2014_11_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7086
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Bayrob Keepalive"; flow:established,to_server; content:"GET"; http_method; urilen:9; content:"/isup.php"; http_uri; fast_pattern:only; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_raw_header; content:!"Referer|3a|"; http_header;  reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:3; metadata:created_at 2015_03_05, updated_at 2015_03_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7087
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Trapwot FakeAV Post Infection CnC Beacon"; flow:established,to_server; content:"/rp?"; http_uri; fast_pattern:only; content:"v="; http_uri; content:"a="; http_uri; content:"u="; http_uri; content:"d="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/(?:[^\x2f]+\/)?rp\?[a-z]=/U"; reference:md5,fc962cb08f62e3d6368500a8e747cf73; classtype:trojan-activity; sid:2020645; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7089
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Onkods.A Downloader Checkin"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; pcre:"/^User-Agent\x3a\x20(?=\d*[a-z])[a-z0-9]+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; pcre:"/^\/(?:[a-z]+\/)*?[a-z]+\.exe$/U"; reference:md5,fb570e6d68e708daeceae5dfc544fba2; classtype:trojan-activity; sid:2018121; rev:4; metadata:created_at 2014_02_12, updated_at 2014_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7091
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zbot POST Request to C2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Accept\x3a \*\/\*\r\nUser-Agent\x3a[^\r\n]+?\r\nHost\x3a[^\r\n]+?\r\nContent-Length\x3a[^\r\n]+?\r\n(?:Proxy-)?Connection\x3a[^\r\n]+?\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+?\r\n(?:\r\n)?$/H"; reference:md5,c86f7ec18b78055a431f7cd1dca65b82; classtype:trojan-activity; sid:2019141; rev:3; metadata:created_at 2014_09_08, updated_at 2014_09_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7092
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Cryptolocker .onion Proxy Domain (juf5pjk4sl7uojh4)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|juf5pjk4sl7uojh4"; fast_pattern; distance:0; nocase; reference:md5,499a46c23afe23de49346adf1b4f3a4f; reference:url,www.mogozobo.com/?p=2371; classtype:trojan-activity; sid:2020670; rev:1; metadata:created_at 2015_03_11, updated_at 2015_03_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7101
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gamarue/Andromeda Downloading Payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern:5,20; http_header; pcre:"/^\/[a-z]+\/[a-z]+\.exe$/U";  reference:md5,85d925a76909f29c3f370f35faedb9ea; classtype:trojan-activity; sid:2020683; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7102
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Trapwot FakeAV Checkin"; flow:established,to_server; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"v="; http_uri; content:"a="; http_uri; content:"u="; http_uri; content:"i=0"; http_uri; fast_pattern:only; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/^\/(?:[a-z]+\/)?[a-z_]+\?[a-z]=/U"; reference:md5,baf71ace207afd3f330c4aba3784e074; classtype:trojan-activity; sid:2020646; rev:4; metadata:created_at 2015_03_09, updated_at 2015_03_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7103
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vicepass CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?data="; depth:16; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/Hmi"; reference:md5,5f1997927e94b98982e5ee2cea095956; classtype:trojan-activity; sid:2020690; rev:2; metadata:created_at 2015_03_13, updated_at 2015_03_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7110
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56"; flow:to_server,established; dsize:>11; content:"|2e 96|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x2e\x96/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fc4f20426ab1da2c705a4523d3baa0b; classtype:trojan-activity; sid:2020691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7111
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57"; flow:to_server,established; dsize:>11; content:"|7b 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,06be359c6e6396fe105e8b59ac5a992e; classtype:trojan-activity; sid:2020692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7112
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58"; flow:to_server,established; dsize:>11; content:"|31 ad|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x31\xad/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,20a72c5af06e054ff840915b6632965f; classtype:trojan-activity; sid:2020693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7113
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59"; flow:to_server,established; dsize:>11; content:"|44 df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x44\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6a263de8d3f6d82e73330c84a83057bf; classtype:trojan-activity; sid:2020694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7114
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fbca8d9f71265f44513e4f885587301; classtype:trojan-activity; sid:2020695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7115
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61"; flow:to_server,established; dsize:>11; content:"|3f a6|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3f\xa6/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0045ce5ce7d697ecc86f1e44398bf404; classtype:trojan-activity; sid:2020696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_13, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7116
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a 20|13|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"|00 04 00 00 00|"; offset:4; depth:5; http_client_body; content:!"|00 00 00 00|"; depth:4; http_client_body; reference:md5,e610d3c383a4f1c8a27aaf018b12c370; classtype:trojan-activity; sid:2020568; rev:4; metadata:created_at 2015_02_25, updated_at 2015_02_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7117
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Content-T"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=\d+$/U"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,693ca229558aab99e0a9d3385cacc40c; classtype:trojan-activity; sid:2020706; rev:2; metadata:created_at 2015_03_18, updated_at 2015_03_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7125
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.WMN CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent"; depth:59; http_header; fast_pattern:31,20; content:"="; offset:4; depth:9; http_client_body; content:"=&"; distance:55; within:2; http_client_body; pcre:"/^[a-z]{4,12}=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{3}=&[a-z]{4,12}=[A-Za-z0-9+/]{4}/P"; reference:md5,3031604f1cf95ee4ccc339c9e4d5b92f; classtype:trojan-activity; sid:2020708; rev:2; metadata:created_at 2015_03_18, updated_at 2015_03_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7126
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RocketKitten APT Checkin"; flow:to_server,established; content:"/index.php?c="; http_uri; content:"&r="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern:5,20; http_header; content:!"Referer|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123; reference:md5,f89a4d4ae5cca6d69a5256c96111e707; classtype:trojan-activity; sid:2020078; rev:3; metadata:created_at 2015_12_29, updated_at 2015_12_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7127
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:".php?U3ViamVjdD1"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:trojan-activity; sid:2020718; rev:3; metadata:created_at 2015_03_20, updated_at 2015_03_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7129
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FindPOS Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"oprat="; http_client_body; fast_pattern:only; content:"&uid="; http_client_body; content:"&uinfo="; http_client_body; content:"&win="; http_client_body; content:"&vers="; http_client_body; reference:md5,fe0f997d81d88bc11cc03e4d1fd61ebe; classtype:trojan-activity; sid:2020723; rev:3; metadata:created_at 2015_03_20, updated_at 2015_03_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7130
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyLogger related to FindPOS CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"uid="; depth:4; http_client_body; content:"&win="; distance:0; http_client_body; content:"&vers="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,593af622a90f2038e35ee980e09c1c3c; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:2020724; rev:2; metadata:created_at 2015_03_20, updated_at 2015_03_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7131
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Adwind SSL Cert (assylias.Inc)"; flow:established,from_server; content:"|0b|"; content:"|04 1f 23 9d bd|"; distance:18; within:20; content:"|55 04 0a|"; distance:0; content:"|0c|assylias.Inc"; distance:1; within:13; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; classtype:trojan-activity; sid:2020728; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_23, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7133
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.DDoS Checkin"; flow:established,to_server; dsize:1024; content:"VERSONEX|3a|"; depth:9; content:"|7c|Hacker|00 00 00|"; distance:0; reference:md5,0eab12cebbf1c8f25d82c65f34aab9d7; classtype:trojan-activity; sid:2019172; rev:4; metadata:created_at 2014_08_19, updated_at 2014_08_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7134
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kazy Checkin"; flow:to_server,established; content:"/get_"; http_uri; content:"did="; http_uri; content:"Downloader"; depth:10; http_user_agent; reference:md5,73d2dd466df92b77a4c34adcd13e8b50; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces; classtype:trojan-activity; sid:2018341; rev:7; metadata:created_at 2013_09_11, updated_at 2013_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7137
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/TrojanProxy.JpiProx.B CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/sync"; depth:5; http_uri; content:"/?ext="; within:7; http_uri; fast_pattern; content:"&pid="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,aa9542f02b26a554650a9649d2239181; classtype:trojan-activity; sid:2020737; rev:2; metadata:created_at 2015_03_24, updated_at 2015_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7138
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (iezqmd4s2fflmh7n)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iezqmd4s2fflmh7n"; fast_pattern; distance:0; nocase; reference:md5,1d578c11069c7446ca6d05ff7623a972; classtype:trojan-activity; sid:2020740; rev:1; metadata:created_at 2015_03_24, updated_at 2015_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7140
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern:only; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020749; rev:4; metadata:created_at 2015_03_25, updated_at 2015_03_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7150
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B ClickFraud Request"; flow:to_server,established; content:"GET"; http_method; content:"/item/fmt?ct="; depth:13; http_uri; fast_pattern; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r?$/RHmi"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020750; rev:4; metadata:created_at 2015_03_25, updated_at 2015_03_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7151
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Teslacrypt Ransomware HTTP CnC Beacon M1"; flow:established,to_server; content:"GET"; http_method; content:"/state"; http_uri; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/state[^\x2f]*\.php\?[A-Za-z0-9+/]*={0,2}$/U"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:trojan-activity; sid:2020717; rev:5; metadata:created_at 2015_03_20, updated_at 2015_03_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7152
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32.Chroject.B Receiving ClickFraud Commands from CnC 1"; flow:from_server,established; file_data; content:"/title><script>window.setTimeout(function () { window.location="; fast_pattern:14,20; content:"<title>"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title/R"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020748; rev:7; metadata:created_at 2015_03_25, updated_at 2015_03_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7153
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62"; flow:to_server,established; dsize:>11; content:"|7b 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,bcb626c7cca304f927ec97450008e600; classtype:trojan-activity; sid:2020763; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7154
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63"; flow:to_server,established; dsize:>11; content:"|71 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,00d4c1faeacaf45cfb02c592efe61a1d; classtype:trojan-activity; sid:2020764; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7155
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2a6c1f4e14533d9f2af8d9e4fcf53338; classtype:trojan-activity; sid:2020765; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7156
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65"; flow:to_server,established; dsize:>11; content:"|40 a3|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x40\xa3/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a2ae5eada44872675561a97ea56c0df; classtype:trojan-activity; sid:2020766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7157
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66"; flow:to_server,established; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ec6b10b55732f68a174bb5b751bff840; classtype:trojan-activity; sid:2020767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7158
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67"; flow:to_server,established; dsize:>11; content:"|7d 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,142b8df89b9ae5019c1f1855d2212e9f; classtype:trojan-activity; sid:2020768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7159
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68"; flow:to_server,established; dsize:>11; content:"|7b 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8026990bea6f95613f6111b9a5506941; classtype:trojan-activity; sid:2020769; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7160
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:to_server,established; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:trojan-activity; sid:2020770; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7161
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,d9d1fd5025f47caaaa276d747657e01b; classtype:trojan-activity; sid:2020771; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7162
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71"; flow:to_server,established; dsize:>11; content:"|79 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8b69118f7c25f79c4c7de5b0830dda39; classtype:trojan-activity; sid:2020772; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7163
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72"; flow:to_server,established; dsize:>11; content:"|78 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1bb5562b08bae781086095c439fc9e8b; classtype:trojan-activity; sid:2020773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7164
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73"; flow:to_server,established; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9c44da3c6326deb5b802b1494b202a1d; classtype:trojan-activity; sid:2020774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7165
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,178f7f122f1de5c759a6538d78d67277; classtype:trojan-activity; sid:2020775; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7166
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75"; flow:to_server,established; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9a3309620c23d821ea4e2f41538454a7; classtype:trojan-activity; sid:2020776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7167
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76"; flow:to_server,established; dsize:>11; content:"|3b df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1e3f91c46410d5205c7b6f6b53a45cff; classtype:trojan-activity; sid:2020777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7168
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77"; flow:to_server,established; dsize:>11; content:"|70 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,010c49cb69591e1738b7bdd78a54d8f8; classtype:trojan-activity; sid:2020778; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7169
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:to_server,established; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:trojan-activity; sid:2020780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7170
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81"; flow:to_server,established; dsize:>11; content:"|7e 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7e\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,733d252921fa9b74b268c1e451d2e0c8; classtype:trojan-activity; sid:2020782; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7171
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83"; flow:to_server,established; dsize:>11; content:"|47 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x47\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4bd54550a23cb5bf40e0924dea7bad76; classtype:trojan-activity; sid:2020784; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7172
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86"; flow:to_server,established; dsize:>11; content:"|70 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4af85987c9aca11196eb1a603b40b18d; classtype:trojan-activity; sid:2020787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7173
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87"; flow:to_server,established; dsize:>11; content:"|7a 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,32652a6c74e5358549a7c536c3080d58; classtype:trojan-activity; sid:2020788; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7174
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88"; flow:to_server,established; dsize:>11; content:"|7c 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,e3ac512a1978cec5eb8bc12fbb384e1f; classtype:trojan-activity; sid:2020789; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7175
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89"; flow:to_server,established; dsize:>11; content:"|30 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x30\xa5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3fb6b63928996a2fab06ba634710740b; classtype:trojan-activity; sid:2020790; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7176
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91"; flow:to_server,established; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3d10b1c4471c7d29e968d9059f844aab; classtype:trojan-activity; sid:2020792; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7177
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92"; flow:to_server,established; dsize:>11; content:"|7f 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1dabf462f9c07878f6cd0b58cabf6538; classtype:trojan-activity; sid:2020793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7178
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93"; flow:to_server,established; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,29ac81a0607f6456bc886f6099fdb5c8; classtype:trojan-activity; sid:2020794; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7179
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94"; flow:to_server,established; dsize:>11; content:"|7b 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,7403a3a7c924a50cb205c5936cb57821; classtype:trojan-activity; sid:2020795; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7180
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95"; flow:to_server,established; dsize:>11; content:"|71 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9d/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,599fc172ebcd9f41557ba1293522f424; classtype:trojan-activity; sid:2020796; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7181
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96"; flow:to_server,established; dsize:>11; content:"|49 a2|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa2/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0928c98b9702e3c8df4e44f31bea56ac; classtype:trojan-activity; sid:2020797; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7182
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97"; flow:to_server,established; dsize:>11; content:"|7d 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0c014b17729784f905f55e43347469ed; classtype:trojan-activity; sid:2020798; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7183
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98"; flow:to_server,established; dsize:>11; content:"|79 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,79dd610cc7a62ad237d21c050eae32ec; classtype:trojan-activity; sid:2020799; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7184
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99"; flow:to_server,established; dsize:>11; content:"|39 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\x99/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2499b8a890b084b9d4eb76d2bfaeff56; classtype:trojan-activity; sid:2020800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7185
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020807; rev:1; metadata:created_at 2015_03_31, updated_at 2015_03_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7187
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive Fake User-Agent"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| MSIE 6.0|3b| Windows NT 5.1|3b| .NET CLR 2.0.50727)"; depth:80; http_user_agent; fast_pattern:25,20; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020810; rev:3; metadata:created_at 2015_03_31, updated_at 2015_03_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7190
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Volatile Cedar Win32.Explosive External IP Leak"; flow:established,from_server; file_data; content:"<span id=|22|lblIPBehindProxy|22|>{"; within:29; fast_pattern:9,20; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020811; rev:3; metadata:created_at 2015_03_31, updated_at 2015_03_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7191
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Hyteod CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"|5f 5e 5b 8b e5 5d|"; http_header; fast_pattern:only; content:!"Accept-"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; http_header; reference:md5,f2ad19a08063171b039accd24b0c27ca; classtype:trojan-activity; sid:2020821; rev:2; metadata:created_at 2015_03_31, updated_at 2015_03_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7201
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Payment Info"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"spShopId="; http_client_body; content:"&spShopPaymentId="; fast_pattern; http_client_body; distance:0; content:"&spCurrency="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020827; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7203
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"action=showPaymentForm&"; fast_pattern:3,20; http_client_body; content:"psAgreement="; http_client_body; distance:0; content:"&paymentSystemId="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020828; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7204
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen.BW Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Referer|3a| http|3a|//mysticnews.ru"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|11.0)"; http_header; content:"locker_ver="; fast_pattern; http_client_body; content:"&i_firstboot="; http_client_body; distance:0; content:"&harddiskserial="; http_client_body; distance:0; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020829; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7205
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mikey Variant HTTP CnC Beacon 1"; flow:established,to_server; content:!"Accept-"; http_header; content:"Referer|3a 20|HTTP/1.0|0d 0a|"; depth:19; http_header; fast_pattern; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020833; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7206
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mikey Variant HTTP CnC Beacon 2"; flow:established,to_server; content:"Accept|3a 20|*/*, "; http_header; pcre:"/^Accept\x3a\x20\*\/\*,[^\r\n]+, MZ/Hmi"; content:", MZ"; http_header; fast_pattern:only; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020834; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7207
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mikey Variant HTTP CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"/index.php?N="; http_uri; content:"["; distance:0; http_uri; content:"]"; distance:0; http_uri; content:"["; distance:0; http_uri; content:"]"; distance:0; http_uri; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020835; rev:2; metadata:created_at 2015_04_02, updated_at 2015_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7208
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:trojan-activity; sid:2020836; rev:1; metadata:created_at 2015_04_02, updated_at 2015_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7209
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Kelihos.F exe Download 2"; flow:to_server,established; content:"GET"; http_method; urilen:<13; content:".exe"; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.exe$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:".ru|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; distance:0; http_header; pcre:"/^User-Agent\x3a [^\r\n]+?\r\nHost\x3a [^\r\n]+?\.ru\r\nCache-Control\x3a no-cache\r\n$/H"; content:!"Accept"; http_header; content:!"Referer"; http_header; reference:md5,1303188d039076998b170fffe48e4cc0; classtype:trojan-activity; sid:2017190; rev:6; metadata:created_at 2013_07_24, updated_at 2013_07_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7210
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Hangover related campaign Response"; flow:established,to_client; content:"200"; http_stat_code; content:!"Referer|3a|"; http_header; file_data; content:"|3a 5c|Bootfile|5c|firewall|5c|1"; pcre:"/^[C-J]\r\n/R"; reference:md5,f761060ced467394a6f87fd2204c6a74; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018567; rev:3; metadata:created_at 2014_06_16, updated_at 2014_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7211
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ursnif Checkin"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Length|3a 20|2|0d 0a|Connection|3a 20|"; fast_pattern:10,20; http_header; content:!"Referer|3a|"; http_header; content:"no-cache|0d 0a 0d 0a 0d 0a|"; isdataat:!1,relative; pcre:"/^(?:\/\w{3,12}){2,4}\?[a-z]{3,12}=(?:[A-Za-z0-9+/\x20]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/U"; reference:md5,dfeaae9cb1bc24ac467411955e48483b; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019377; rev:5; metadata:created_at 2014_10_09, updated_at 2014_10_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7212
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Chorns/PoisonIvy related Backdoor Initial Connection"; flow:established; dsize:12; content:"/FIRSTINF/|0d0a|"; reference:url,doc.emergingthreats.net/2010344; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7214
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2010_07_30, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7215
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_01_04, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7216
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2013_01_04, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7217
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Miniduke variant FTP upload"; flow:to_server,established; content:"USER "; pcre:"/^(?:(?:menelao|ho[mr]u)s|adair|johan|kweku)\r\n/R"; reference:md5,e175be029dd2b78c059278a567b3ada1; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:trojan-activity; sid:2023911; rev:4; metadata:created_at 2014_07_03, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7222
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Miniduke variant C&C activity"; flow:to_server,established; content:"&Auth="; http_uri; content:"&Session="; http_uri; distance:0; content:"&DataID="; http_uri; distance:0; content:"&FamilyID="; http_uri; distance:0; reference:md5,8bbc55ec1a7e86cb21d3cda5ccb43e1e; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:trojan-activity; sid:2023909; rev:3; metadata:created_at 2014_07_03, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7223
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016771; rev:5; metadata:created_at 2013_04_18, updated_at 2013_04_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7225
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Win32/SillyFDC WordPress Traffic"; flow:established,to_server; content:"GET"; http_method; content:"/?dm=6b2280e30391615dcaa18e533ccb99a9"; fast_pattern; depth:37; http_uri; reference:md5,3c10f65f8c1a84c53d94c331a63cad06; classtype:trojan-activity; sid:2020845; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2015_04_06, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7226
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Sending UUID and Processes x86"; content:"|00 00 00 02 00 00 00 00 00 00 32 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020152; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7227
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.A Sending UUID and Processes x64"; content:"|00 00 00 02 00 00 00 00 00 00 64 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020153; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7228
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern:only; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020849; rev:2; metadata:created_at 2015_04_07, updated_at 2015_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7229
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern:only; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020850; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7230
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern:only; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:trojan-activity; sid:2020851; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7231
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern:only; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:1; metadata:created_at 2015_04_07, updated_at 2015_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7232
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kriptovor Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/loader.php?name="; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http_user_agent; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,7e47a518561c46123d4facd43effafbf; classtype:trojan-activity; sid:2020883; rev:5; metadata:created_at 2015_04_09, updated_at 2015_04_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7234
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"ET TROJAN Kriptovor SMTP Traffic"; flow:established,to_server; content:"|0d 0a|PC|3a 20|"; content:"|0d 0a|Text|3a 20|"; distance:0; content:"|0d 0a|IP|3a 20|"; distance:0; content:"|0d 0a|TS|3a 20|"; distance:0; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020884; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7235
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kriptovor Retrieving RAR Payload"; flow:established,to_server; content:"GET"; http_method; content:".rar"; http_uri; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.1|3b| en-us|3b| rv:1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3"; depth:94; http_user_agent; fast_pattern:74,20; pcre:"/\.rar$/U";  reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020885; rev:3; metadata:created_at 2015_04_09, updated_at 2015_04_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7236
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kriptovor External IP Lookup checkip.dyndns.org"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:!"Connection|3a|"; http_header; content:"Host|3a 20|checkip.dyndns.org|0d 0a|"; depth:26; http_header; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US|3b| rv:x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http_user_agent; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,00e3b69b18bfad7980c1621256ee10fa; classtype:trojan-activity; sid:2020886; rev:4; metadata:created_at 2015_04_09, updated_at 2015_04_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7237
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Operation Buhtrap CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; fast_pattern:only; content:"Mozilla/4.0 (compatible|3b| Synapse)"; depth:33; http_user_agent; content:"id="; depth:3; http_client_body; pcre:"/^[A-F0-9]+$/RP"; pcre:"/\/gate\.php$/U"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:trojan-activity; sid:2020890; rev:3; metadata:created_at 2015_04_10, updated_at 2015_04_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7240
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; content:"GET"; http_method; content:"/raw.php?i="; depth:11; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Host|3a 20|pastebin.com|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; depth:57; http_user_agent;  reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:4; metadata:created_at 2015_04_10, updated_at 2015_04_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7241
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LankerBoy HTTP CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".txt"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|us|0d 0a|Host"; depth:20; http_header; fast_pattern; pcre:"/\.txt$/U"; reference:md5,db2c617a6e53a24fa887e6ecf60a076d; classtype:trojan-activity; sid:2020902; rev:2; metadata:created_at 2015_04_13, updated_at 2015_04_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7247
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault Mailer CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/redirect.php?loc=mail"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/redirect\.php\?loc=mail$/U"; reference:md5,af0e5a5df0be279aa517e2fd65cadd5c; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020906; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7248
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault CnC Beacon M1"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"hwid="; depth:5; http_client_body; content:"&knock="; distance:0; http_client_body; content:"&keylog="; http_client_body; fast_pattern:only; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020907; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7249
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinVault CnC Beacon M2"; flow:established,to_server; content:"POST"; http_method; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"eyJib3RpbmZvIjp7InVwbG9hZElkIjo"; http_client_body; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020908; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7250
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:trojan-activity; sid:2020909; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7251
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ruckguv.A Requesting Payload"; flow:established,to_server; content:"GET"; http_method; content:"/id.exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"MSIE"; http_user_agent; reference:md5,227365242cc97fa611fdac295b732d82; reference:md5,b9eec5be1d2f5d0007bd94fdd8c7ea57; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3801; classtype:trojan-activity; sid:2020910; rev:3; metadata:created_at 2015_04_14, updated_at 2015_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7252
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/do.asp?search="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/Hmi";  reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:trojan-activity; sid:2020913; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7253
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptoLocker .onion Proxy Domain (33p5mqkaj22irv4z)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|33p5mqkaj22irv4z"; fast_pattern; distance:0; nocase; reference:md5,1c6269fe48cba5f830a64a50bdf4ffe5; reference:url,www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-13; classtype:trojan-activity; sid:2020915; rev:1; metadata:created_at 2015_04_15, updated_at 2015_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7254
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FighterPOS CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/command.php?id="; http_uri; fast_pattern:only; content:"&os="; http_uri; content:"&com="; http_uri; content:"&ver="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:trojan-activity; sid:2020918; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7256
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FighterPOS CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/log.php?id=|5b|"; http_uri; fast_pattern; content:"|7c|"; distance:0; http_uri; content:"|5d|"; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:trojan-activity; sid:2020919; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7257
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FighterPOS CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/keylogger.php?id="; http_uri; fast_pattern:only; content:"&com="; http_uri; content:"&key="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:trojan-activity; sid:2020920; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7258
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bioazih RAT Checkin"; flow:to_server,established; content:"User-Agent|3a| Pass|3a|"; http_header; content:"Hostname|3a|"; http_header; content:"Ip|3a|"; http_header; content:"Os|3a|"; http_header; content:"Proxy|3a|"; fast_pattern:only; http_header; content:"Vm|3a|"; http_header; reference:md5,7bc5451341a684aca80a59a463bad973; reference:md5,5443cf2b6c010c57cf740356c9167b77; reference:url,blogs.technet.com/b/mmpc/archive/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe.aspx; classtype:trojan-activity; sid:2020927; rev:3; metadata:created_at 2015_04_15, updated_at 2015_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7265
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U";  reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:trojan-activity; sid:2020860; rev:4; metadata:created_at 2015_04_07, updated_at 2015_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7266
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zacom/NFlog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".asp?HostID="; fast_pattern:only; http_uri; content:"Windows NT 5.0|3b| .NET CLR 1.1.4322|29 0d 0a|"; http_header; pcre:"/\?HostID=([A-F0-9]{2}(?:-|<>)){5}[A-F0-9]{2}$/U"; reference:md5,e397a68bf4fbb7a9b4d1b6da1fe2172b; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020928; rev:3; metadata:created_at 2015_04_15, updated_at 2015_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7267
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon Fake UA"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla Firefox/4.0|0d 0a|"; http_header; fast_pattern:13,20; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020934; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7272
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"key="; depth:4; http_client_body; fast_pattern; pcre:"/^key=[A-Z]+$/P"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020935; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7273
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"bit="; depth:4; http_client_body; fast_pattern; pcre:"/^bit=(?:32|64)$/P"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020937; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7274
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:"/"; offset:1; http_uri; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"unkey="; depth:6; http_client_body; fast_pattern; content:!"&"; distance:0; http_client_body; pcre:"/\/$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020938; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7275
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/?bit="; http_uri; fast_pattern:only; content:"&version="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/\?bit=(?:32|64)&version=\d{4}-\d{1,2}-\d{1,2}$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:trojan-activity; sid:2020939; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7276
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 6"; flow:established,to_server; content:"GET"; http_method; content:"/?check"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Example|0d 0a|"; http_header; pcre:"/\/\?check$/U"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:trojan-activity; sid:2020940; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7277
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic CnC Beacon 5"; flow:established,to_server; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Length|3a 20|0|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; content:"/ HTTP/1.1"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla/6."; depth:35; http_header; pcre:"/^[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/RHmi"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:trojan-activity; sid:2020944; rev:5; metadata:created_at 2015_04_17, updated_at 2015_04_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7281
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN  Win32/Tesch.B CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Internet  Explorer|0d 0a|"; http_header; fast_pattern:4,20; pcre:"/^[a-f0-9]+(?:\x20[a-f0-9]+)+$/P"; reference:md5,0032395c3a980e09c511b6b41ab3da48; classtype:trojan-activity; sid:2020945; rev:3; metadata:created_at 2015_04_17, updated_at 2015_04_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7282
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic CnC Beacon 6"; flow:established,to_server; content:"POST"; http_method; content:!"Accept-"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Length|3a 20|0|0d 0a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; content:"/ HTTP/1.1"; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla/7."; depth:35; http_header; pcre:"/^[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\nConnection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/RHmi"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:trojan-activity; sid:2020946; rev:3; metadata:created_at 2015_04_17, updated_at 2015_04_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7283
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Chanitor .onion Proxy Domain (l7gbml27czk3kvr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|l7gbml27czk3kvr5"; fast_pattern; distance:0; nocase; reference:md5,83c0b99427c026aad36b0d8204377702; classtype:trojan-activity; sid:2020739; rev:2; metadata:created_at 2015_03_24, updated_at 2015_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7284
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Graftor Downloading Dridex"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"MSIE"; http_user_agent; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|close|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^\/\d+\/\d+\.exe$/U"; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2020960; rev:2; metadata:created_at 2015_04_22, updated_at 2015_04_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7293
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/U"; flowbits:set,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020963; rev:2; metadata:created_at 2015_04_22, updated_at 2015_04_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7294
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CozyDuke APT HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:61; http_header; pcre:"/\.php\?$/U"; pcre:"/^\w+=(?:[a-zA-Z0-9/+=]{1,30}&\w+=)?[a-zA-Z0-9+/]{0,13}[A-Z]{200}/P"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020964; rev:2; metadata:created_at 2015_04_22, updated_at 2015_04_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7295
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:trojan-activity; sid:2020965; rev:2; metadata:created_at 2015_04_22, updated_at 2015_04_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7296
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 31 d5|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:trojan-activity; sid:2020966; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7297
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 65 5d|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:trojan-activity; sid:2020967; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7298
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 1b 3c|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:trojan-activity; sid:2020968; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7299
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 0f 0d|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:trojan-activity; sid:2020969; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7300
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 03 5f|"; distance:9; within:20; content:"|55 04 0a|"; distance:0; content:"|1b|*.corp.utilitytelephone.com"; distance:1; within:28; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:trojan-activity; sid:2020970; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7301
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 a9|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:trojan-activity; sid:2020971; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7302
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|02 2c 2f|"; distance:9; within:20; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|09|SomeState"; distance:1; within:10; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:trojan-activity; sid:2020972; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7303
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 5f 31|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|--"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|SomeCity"; distance:1; within:9; content:"|0d 01 09 01|"; distance:0; content:"|1a|root@localhost.localdomain"; fast_pattern; distance:1; within:27; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:trojan-activity; sid:2020974; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7305
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]{5}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:trojan-activity; sid:2021012; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_04_27, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7313
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7314
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_27, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7315
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:trojan-activity; sid:2021031; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_29, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7323
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:trojan-activity; sid:2021032; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_04_29, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7324
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BePush/Kilim payload retrieval"; flow:established,to_server; content:"GET"; http_method; content:"/app.exe"; http_uri; fast_pattern:only; content:"Wget"; depth:4; http_user_agent; content:!"Accept-"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/app\.exe$/U"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020350; rev:4; metadata:created_at 2015_02_03, updated_at 2015_02_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7325
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BePush/Kilim Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/ok.txt"; http_uri; content:"AutoHotkey"; depth:10; http_user_agent; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/\/ok\.txt$/U"; flowbits:set,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020348; rev:4; metadata:created_at 2015_02_03, updated_at 2015_02_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7326
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cld7vqwcvn2bii67"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:1; metadata:created_at 2015_04_30, updated_at 2015_04_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7327
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:trojan-activity; sid:2021050; rev:1; metadata:created_at 2015_05_04, updated_at 2015_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7328
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Linux.Mumblehard Spam Command CnC"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"|0d 0a 0d 0a 0f 0f|"; pcre:"/^\d{1,3}[0-2]/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021053; rev:1; metadata:created_at 2015_05_04, updated_at 2015_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7329
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RHi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:5; metadata:created_at 2015_05_04, updated_at 2015_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7330
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"name="; http_client_body; content:"&host="; http_client_body; content:"&browser="; http_client_body; content:"&post="; http_client_body; fast_pattern:only; pcre:"/\.php$/U"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:trojan-activity; sid:2021055; rev:4; metadata:created_at 2015_05_04, updated_at 2015_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7331
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:to_server,established; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:trojan-activity; sid:2021065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_05_07, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7335
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|is6xsotjdy4qtgur"; fast_pattern; distance:0; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7336
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enfal CnC GET"; flow:to_server,established; content:"GET"; http_method; content:"docs/"; http_uri; fast_pattern:only; pcre:"/^\/(?:tran|http)docs\//U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021080; rev:2; metadata:created_at 2015_05_08, updated_at 2015_05_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7337
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iq3ahijcfeont3xx"; fast_pattern; distance:0; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:1; metadata:created_at 2015_05_08, updated_at 2015_05_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7338
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Mumblehard Initial Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|7.0.1) Gecko/20100101 Firefox/7.0.1"; fast_pattern:59,20; pcre:"/^Host\x3a (?:\d{1,3}\.){3}\d{1,3}\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nAccept-Language\x3a[^\r\n]+?\r\nAccept-Encoding\x3a[^\r\n]+?\r\nAccept-Charset\x3a[^\r\n]+?\r\nConnection\x3a close(?:\r\n)*$/Hi"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021051; rev:3; metadata:created_at 2015_05_04, updated_at 2015_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7341
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux.Mumblehard Command Status CnC"; flow:to_server,established; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|7.0.1) Gecko/"; fast_pattern:37,20; pcre:"/^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1/Ri"; pcre:"/^Host\x3a (?:\d{1,3}\.){3}\d{1,3}\r\nUser-Agent\x3a[^\r\n]+?\r\nAccept\x3a[^\r\n]+?\r\nAccept-Language\x3a[^\r\n]+?\r\nAccept-Encoding\x3a[^\r\n]+?\r\nAccept-Charset\x3a[^\r\n]+?\r\nConnection\x3a close(?:\r\n)*$/Hi"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:trojan-activity; sid:2021052; rev:3; metadata:created_at 2015_05_04, updated_at 2015_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7342
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VaultCrypt Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:6; content:"/v.vlt"; http_uri; fast_pattern:only; content:"|0d 0a|UA-CPU|3a 20|"; http_header; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:trojan-activity; sid:2021091; rev:2; metadata:created_at 2015_05_12, updated_at 2015_05_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7343
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Putty SSH Credential Stealer"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; content:"=c3NoOi8v"; http_uri; fast_pattern:only; pcre:"/=c3NoOi8v[A-Za-z0-9+/]+={0,2}$/U"; content:!"Referer|3a|"; http_header; reference:md5,b5c88d5af37afd13f89957150f9311ca; classtype:trojan-activity; sid:2021095; rev:2; metadata:created_at 2015_05_13, updated_at 2015_05_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7345
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_14, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7347
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -2; isdataat:!2,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:trojan-activity; sid:2020671; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7348
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic Dropper Installing PUP 2"; flow:to_server,established; content:"GET"; http_method; content:"/ohupdate.php?"; http_uri; content:"localip="; http_uri; distance:0; content:"&macaddr="; http_uri; distance:0; content:"&program="; http_uri; distance:0; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| ICS)"; http_header; fast_pattern:21,20; reference:md5,9bfae378e38f0eb2dfff87fffa0dfe37; classtype:trojan-activity; sid:2021100; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7349
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:trojan-activity; sid:2021102; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7351
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FrauDrop Checkin"; flow:established,to_server; content:".asp?sn="; http_uri; content:"&tmac="; http_uri; distance:0; content:"&action="; http_uri; distance:0; content:"&ver="; http_uri; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x30442e9d036a40c8cbd41f8f4c9afab1ba\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021103; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7352
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FrauDrop UA LETITGO"; flow:established,to_server; content:"User-Agent|3a 20|LETITGO|0d 0a|"; http_header; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021104; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7353
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FrauDrop UA single"; flow:established,to_server; content:"User-Agent|3a 20|single|0d 0a|"; http_header; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021105; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7354
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Zemot Fake Search Page"; flow:established,from_server; file_data; content:"background|3a 20|url(btn_search.png|29 2f 2a|tpa=http"; fast_pattern:15,20; reference:md5,38cad3170f85c4f9903574941bd282a8; classtype:trojan-activity; sid:2021107; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7355
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT Hellsing Proxy Checker Checkin"; flow:established,to_server; content:"/common.asp?action="; http_uri; content:"&uid="; http_uri; distance:0; content:"&lan="; http_uri; distance:0; content:"&hname="; http_uri; distance:7; within:22; content:"&uname="; http_uri; distance:1; within:22; content:"&os="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:md5,b7e7186d962d562af6a5d10a25d19b02; reference:url,securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/; classtype:trojan-activity; sid:2021108; rev:3; metadata:created_at 2015_05_15, updated_at 2015_05_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7358
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tlunjscxn5n76iyz"; fast_pattern; distance:0; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:1; metadata:created_at 2015_05_18, updated_at 2015_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7362
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE "; http_user_agent; content:".0|3B| Win32|29 3B 20|"; http_user_agent; distance:1; within:15; fast_pattern; pcre:"/^\d+$/VR"; content:"Content-Type|3a 20|*/*|0d 0a|"; http_header; depth:19;  reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:trojan-activity; sid:2018462; rev:5; metadata:created_at 2014_05_09, updated_at 2014_05_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7365
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SPEAR CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:".asp?"; http_uri; fast_pattern:only; content:" MSIE "; http_user_agent; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$/U"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,e09c8cd6ad3b99f46e083916c5371b6e2acc050d; classtype:trojan-activity; sid:2021118; rev:3; metadata:created_at 2015_05_20, updated_at 2015_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7367
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SPEAR CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:"?wd="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/U"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,e09c8cd6ad3b99f46e083916c5371b6e2acc050d; classtype:trojan-activity; sid:2021119; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7368
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blue Bot DDoS Blog Request"; flow:to_server,established; content:"GET"; http_method; content:"/blog"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/blog$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021129; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7372
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blue Bot DDoS Target Request"; flow:to_server,established; content:"GET"; http_method; content:"/target"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/target$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021130; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7373
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blue Bot DDoS Logger Request"; flow:to_server,established; content:"GET"; http_method; content:"/botlogger.php"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; pcre:"/\/botlogger\.php$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021131; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7374
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaScriptBackdoor HTTP GET CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?action="; http_uri; fast_pattern:only; content:"&guid="; http_uri; content:"&version="; distance:0; http_uri; content:"WinHttp.WinHttpRequest."; http_header; content:!"Referer|3a|"; http_header; pcre:"/&version=\d+$/U"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:trojan-activity; sid:2021132; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7375
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; content:!"Referer|3a|"; http_header; content:"username="; http_client_body; content:"memory_total="; http_client_body; content:"os_caption="; http_client_body; content:"os_serialnumber="; http_client_body; fast_pattern:only; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:trojan-activity; sid:2021133; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7376
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaScriptBackdoor SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b7 2f ae e8 e2 55 b5 bf|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,2a63b3a621d8e555734582d83b5e06a5; classtype:trojan-activity; sid:2021134; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7377
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bancos URL Structure"; flow:to_server,established; content:"GET"; http_method; content:"/infects/"; http_uri; fast_pattern:only; pcre:"/\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Ui"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis; reference:md5,9766c5eca8d229f1af9dfb9bd97f02a0; classtype:trojan-activity; sid:2021142; rev:2; metadata:tag Banking_Trojan, created_at 2015_05_22, malware_family Bancos, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7381
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Autorun.AD Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:14; content:"/loglogin.html"; http_uri; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Accept"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; reference:md5,3d652375fd511878f410fb1048e47f83; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AMSIL/Autorun.AD; reference:md5,3d652375fd511878f410fb1048e47f83; classtype:trojan-activity; sid:2021143; rev:4; metadata:created_at 2015_05_22, updated_at 2015_05_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7382
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_26, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7384
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall Check-in M2"; flow:established,to_server; urilen:<110; content:!"|0d 0a|Accept-"; nocase; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; content:!"Referer|3a|"; http_header; content:"="; offset:1; depth:1; http_client_body; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; content:" rv|3a|11.0"; fast_pattern; http_header; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020855; rev:3; metadata:created_at 2015_04_07, updated_at 2015_04_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7392
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021155; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7394
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wdthvb6jut2rupu4"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7396
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xwxwninkssujglja"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7397
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7fa6gldxg64t5wnt"; fast_pattern; distance:0; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:1; metadata:created_at 2015_05_28, updated_at 2015_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7398
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 7"; flow:established,to_server; content:"GET"; http_method; content:"/?action=getuid"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021166; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7399
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 8"; flow:established,to_server; content:"GET"; http_method; content:"/?action="; http_uri; fast_pattern:only; content:"&uid="; http_uri; content:"&bit="; http_uri; content:"&version="; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021167; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7400
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"action="; depth:7; http_client_body; content:"&uid="; distance:0; http_client_body; content:"key="; distance:0; http_client_body; fast_pattern; pcre:"/&(?:un)?key=[A-Z]+$/P"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:trojan-activity; sid:2021168; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7401
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT Backspace CnC Beacon"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|SJZJ (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; http_header; fast_pattern:only; content:"HOST|3a 20|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,ddf0981aebeea6ba9abdae6ddf8ed4e2; classtype:trojan-activity; sid:2021184; rev:2; metadata:created_at 2015_06_04, updated_at 2015_06_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7405
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBase Keylogger Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:".php?type=notification&machinename="; fast_pattern:only; http_uri; content:"&machinetime="; http_uri; content:!"User-Agent|3a| "; http_header; reference:md5,fa6f24a18ef772d9cdaa1d6cd1e24d1b; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021188; rev:2; metadata:created_at 2015_06_05, updated_at 2015_06_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7408
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Databack CnC"; flow:to_server,established; content:"GET"; http_method; content:".php?pn="; fast_pattern; http_uri; content:"&s="; distance:0; http_uri; content:"&x="; http_uri; distance:0; content:!"Referer|3a|"; http_header; pcre:"/\.php\?pn=[^&]+&s=[0-9]+&x=0\.[0-9]{7}$/U"; reference:md5,dc7b0c078482b68c1ff89da3ac88949b; classtype:trojan-activity; sid:2021189; rev:3; metadata:created_at 2015_06_05, updated_at 2015_06_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7409
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Qadars WebInject SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|www.freechristmasgifts2014.com"; distance:1; within:31; reference:md5,06588acf0112a84fe5f684bbafd7dc00; classtype:trojan-activity; sid:2021194; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7412
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021196; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_08, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7413
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zacom.A CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:".py"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Windows NT 5.0|3b|"; http_header; pcre:"/^\d{4}/P"; pcre:"/\.py$/U"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021213; rev:2; metadata:created_at 2015_06_08, updated_at 2015_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7423
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zacom.A CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Windows NT 5.0|3b|"; http_header; pcre:"/^\d{4}/P"; pcre:"/\.asp$/U"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021214; rev:2; metadata:created_at 2015_06_08, updated_at 2015_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7424
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IsSpace/Zacom Connectivity Check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Host|3a 20|www.microsoft.com|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 7.0|3b|Windows NT 5.1)"; http_header; fast_pattern:41,20; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021215; rev:2; metadata:created_at 2015_06_08, updated_at 2015_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7425
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Poweliks Clickfraud CnC M3"; flow:to_server,established; content:"GET"; http_method; content:".php?c="; http_uri; fast_pattern; content:"Referer|3a 20|"; http_header; content:".php?q="; http_header; distance:0; pcre:"/\.php\?c=[a-f0-9]{160}$/U"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021228; rev:2; metadata:created_at 2015_06_10, updated_at 2015_06_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7431
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Gatak.DR Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|29 0d 0a|"; fast_pattern:57,20; http_header; pcre:"/^\/([a-z]{4,9}\/[a-z]{4,12}\?[a-z]{4,7}\=[0-9]{5,7})$/U"; reference:md5,adb3242f8efad48ca174a7e46991f507; classtype:trojan-activity; sid:2021246; rev:3; metadata:created_at 2015_06_11, updated_at 2015_06_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7448
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern:only; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021254; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7450
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/p?"; depth:3; http_uri; fast_pattern; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; pcre:"/^\/p\?\d+(?:\x3b\d+){4}$/U"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021088; rev:3; metadata:created_at 2015_05_12, updated_at 2015_05_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7451
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/s?"; depth:3; http_uri; fast_pattern; content:"|3b|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"."; distance:1; within:2; http_uri; content:"_"; distance:0; http_uri; pcre:"/^\/s\?\d+\x3b\d+\x3b\d{1,2}\.\d_(?:32|64)_\d+(?:\x3b\d+){4}$/U"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021257; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7452
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Torrentlocker C2 SSL cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b3 b2 82 08 58 32 5e 8e|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,77c99b6f06fe443b72a0efaf8f285e4d; classtype:trojan-activity; sid:2021260; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7453
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Chinad Retrieving Config"; flow:to_server,established; content:"GET"; http_method; urilen:22; content:"/css/bootstrap.min.css"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/Hi"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021261; rev:2; metadata:created_at 2015_06_12, updated_at 2015_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7454
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Chinad Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/api/?a="; http_uri; depth:8; fast_pattern; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\n(?:\r\n)?$/Hi"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021262; rev:2; metadata:created_at 2015_06_12, updated_at 2015_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7455
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.WVW CnC Beacon 3"; flow:to_server,established; urilen:4; content:"GET"; http_method; content:"/cl1"; http_uri; fast_pattern:only; content:"Referer|3a 20|1|3a|"; pcre:"/^\d\.\d_(?:64|32)_\d\x3a/R"; content:"Empty|0d 0a|"; http_header; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:trojan-activity; sid:2021259; rev:3; metadata:created_at 2015_06_12, updated_at 2015_06_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7456
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:trojan-activity; sid:2021273; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_15, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7457
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Elise SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 03|"; distance:0; content:"|0b|eric-office"; distance:1; within:12; reference:md5,8334f346585aa27ac6ae86e5adcaefa2; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021279; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_16, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7458
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload"; flow:established,to_server; content:"/lns.txt"; http_uri; fast_pattern:only; pcre:"/\/lns.txt$/U"; content:"WinHttp.WinHttpRequest"; http_user_agent; reference:md5,0ed66982890ec483c3bc6f883e2424fb; classtype:trojan-activity; sid:2021284; rev:3; metadata:created_at 2015_06_17, updated_at 2015_06_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7459
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 2d 4a 53 08 27 aa b4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2021289; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_17, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7460
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader.Win32.Adload (KaiXin Payload) Config Download"; flow:established,to_server; content:"GET"; http_method; content:"/mac.html?uid="; http_uri; depth:14; fast_pattern; content:"&sid="; http_uri; distance:0; content:"&fname="; http_uri; distance:0; content:"&mac="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&pcname="; http_uri; distance:0; content:!"Referer|3a|"; http_header; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021299; rev:2; metadata:created_at 2015_06_18, updated_at 2015_06_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7461
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downloader.Win32.Adload (KaiXin Payload) Checkin"; flow:established,to_server; content:"GET"; http_method; content:".ini?"; http_uri; fast_pattern:only; content:!"|0d 0a|Accept-"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^\/[a-z]+?\.*?ini\?\d+$/Ui"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021300; rev:2; metadata:created_at 2015_06_18, updated_at 2015_06_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7462
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 1 M1"; flow:to_server,established; content:"GET"; http_method; content:"/page_"; nocase; http_uri; fast_pattern:only; content:".html"; nocase; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0"; http_header; pcre:"/\/[a-f0-9]{8}\/page_\d{8,10}\.html$/Ui"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021274; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7463
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; content:"GET"; http_method; content:".html"; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"XX="; http_cookie; content:"BX="; http_cookie; content:"Cookie|3a 20|XX="; fast_pattern:only; pcre:"/\/\d{8,10}\.html$/Ui"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021278; rev:3; metadata:created_at 2015_06_16, updated_at 2015_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7464
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (bpq4dub4rlivvswu)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpq4dub4rlivvswu"; fast_pattern; distance:0; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021302; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7465
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (gzc7lj4rvmkg25dm)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gzc7lj4rvmkg25dm"; fast_pattern; distance:0; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; reference:url,www.threatexpert.com/report.aspx?md5=0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021303; rev:1; metadata:created_at 2015_06_18, updated_at 2015_06_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7466
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Downloader.Win32.Adload (KaiXin Payload) Checkin Response"; flow:established,from_server; file_data; content:"[Config]|0d 0a|"; within:10; content:"[Process]|0d 0a|1="; distance:0; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021301; rev:4; metadata:created_at 2015_06_18, updated_at 2015_06_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7467
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021314; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7468
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"GET"; http_method; content:"/"; offset:9; depth:1; http_uri; content:".html"; distance:0; nocase; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"A="; depth:2; http_cookie; content:"Cookie|3a 20|A="; fast_pattern:only; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/Ui"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021275; rev:5; metadata:created_at 2015_06_16, updated_at 2015_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7474
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 3 M1"; flow:to_server,established; content:"GET"; http_method; content:"/archive/"; nocase; offset:9; http_uri; fast_pattern; content:".html"; nocase; distance:8; within:7; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/[a-f0-9]{8}\/archive\/\d{8,10}\.html$/Ui"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021277; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7475
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Keatep.B Checkin"; flow:established,to_server; content:"&id="; nocase; http_uri; content:"&v="; http_uri; pcre:"/\?[0-9a-f]{5,}=\d+&id=\d+&v=\d+$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Keatep.B; reference:md5,239aacf49bb6381fd71841fda4d4ee58; classtype:trojan-activity; sid:2011336; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7476
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; content:"GET"; http_method; content:"/download/ftp/grabftp"; http_uri; fast_pattern:9,12; content:".bin"; http_uri; pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b| Windows NT 6.1|3b 20|Win64|3B| x64)"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7477
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Taidoor Checkin"; flow:to_server,established; content:".jsp?"; http_uri; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/UR"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header;  content:!"Host|3a 20|reg.163.com"; http_header; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017713; rev:7; metadata:created_at 2013_11_13, updated_at 2013_11_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7497
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:trojan-activity; sid:2021375; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_02, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7498
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?p="; fast_pattern; http_uri; offset:2; depth:7; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/Ui"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:trojan-activity; sid:2018681; rev:3; metadata:created_at 2014_07_16, updated_at 2014_07_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7502
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/track/?ip="; fast_pattern; http_uri; depth:11; content:"&data="; http_uri; distance:0; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| text/*, application/*, */*|0D 0A|"; http_header; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D\d&data\x3D/U"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:trojan-activity; sid:2018682; rev:3; metadata:created_at 2014_07_16, updated_at 2014_07_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7503
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zberp receiving config via image file - SET"; flow:to_server,established; content:".jpg"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.jpg$/U"; flowbits:set,ET.Zberp; flowbits:noalert; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021381; rev:7; metadata:created_at 2015_07_06, updated_at 2015_07_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7504
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:trojan-activity; sid:2021385; rev:1; metadata:created_at 2015_07_06, updated_at 2015_07_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7505
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dridex SSL Cert 30 June 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|Passio dpt"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0b|romantik.it"; distance:1; within:12; reference:md5,0a977dfcb93301f1841dbe2272d3102b; classtype:trojan-activity; sid:2021370; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_06_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7506
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_01, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7507
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:trojan-activity; sid:2021389; rev:1; metadata:created_at 2015_07_07, updated_at 2015_07_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7509
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:trojan-activity; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_07_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7511
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:trojan-activity; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_07_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7512
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Matsnu Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?"; fast_pattern:only; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0b|3b| Windows NT 5.0|3b| .NET CLR 1.0.2914|29 0d 0a|"; http_header; content:"Connection|3a| Keep-Alive|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; content:"="; depth:7; http_client_body; content:"AA"; distance:3; within:2; http_client_body; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:trojan-activity; sid:2021399; rev:3; metadata:created_at 2015_07_10, updated_at 2015_07_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7514
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/adm/contador.php"; http_uri; fast_pattern:only; content:"User-Agent|3A 20|Firefox/15.0.1|0D 0A|"; http_header; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:trojan-activity; sid:2021403; rev:2; metadata:created_at 2015_07_10, updated_at 2015_07_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7515
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/upload.php"; http_uri; content:"conteudo="; fast_pattern; depth:9; http_client_body; content:"&myFile="; http_client_body; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:trojan-activity; sid:2021404; rev:2; metadata:created_at 2015_07_10, updated_at 2015_07_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7516
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021411; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_13, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7519
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SeaDuke CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; fast_pattern:only; content:"Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; depth:33; http_header; content:!"Accept-L"; http_header; content:!"Accept|3a|"; http_header; pcre:"/\.php$/U"; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/C"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:trojan-activity; sid:2021413; rev:2; metadata:created_at 2015_07_14, updated_at 2015_07_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7520
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30"; flow:to_server,established; dsize:>11; content:"|78 5e|"; offset:13; depth:2; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,aa717cce1ccfc766e0c8ad7a217f4be3; classtype:trojan-activity; sid:2018193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7530
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:trojan-activity; sid:2019601; rev:6; metadata:created_at 2014_10_30, updated_at 2014_10_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7531
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:trojan-activity; sid:2021431; rev:2; metadata:created_at 2015_07_16, updated_at 2015_07_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7532
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"ID_MAQUINA="; depth:11; nocase; http_client_body; fast_pattern; content:"&VERSAO="; distance:0; nocase; http_client_body; content:"&WIN="; distance:0; nocase; http_client_body; metadata: former_category TROJAN; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:trojan-activity; sid:2021439; rev:2; metadata:tag Banking_Trojan, created_at 2015_07_20, malware_family Bancos, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7536
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBase Keylogger HTTP Pattern"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/post.php?type="; http_uri; fast_pattern; content:"&machinename="; http_uri; distance:0; content:!"User-Agent|3a 20|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/H"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:2; metadata:created_at 2015_07_20, updated_at 2015_07_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7537
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Rioselx.A Checkin"; flow:established,to_server; content:"/access.php"; http_uri; fast_pattern; content:"User-Agent|3a|"; http_header; content:!"Mozilla"; within:7; http_header; pcre:"/^User-Agent\x3a\x20(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r\n/Hmi"; content:!"Referer"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:"Content-Length|3a| "; http_header; reference:md5,3eb94c397a395f24b84297593f69710a; classtype:trojan-activity; sid:2021442; rev:5; metadata:created_at 2015_07_20, updated_at 2015_07_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7538
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/DDoS.Sotdas/IptabLex Checkin"; flow:to_server,established; dsize:296; content:"|72 8D 90 89 7E D6|"; offset:224; depth:6; fast_pattern; content:"|b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6|"; reference:md5,f7556d9ede5d988400b1edbb1a172634; classtype:trojan-activity; sid:2021049; rev:2; metadata:created_at 2015_05_04, updated_at 2015_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7541
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_23, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7553
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021520; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7555
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning; isdataat:!7,relative; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017934; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_06, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7557
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021529; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_07_24, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7559
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|decryptoraveidf7"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021545; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7564
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN EncryptorRaas .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|encryptor3awk6px"; nocase; distance:0; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:1; metadata:created_at 2015_07_28, updated_at 2015_07_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7566
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|des7siw5vfkznjhi"; fast_pattern; distance:0; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:1; metadata:created_at 2015_07_29, updated_at 2015_07_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7568
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dyre CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"_W"; fast_pattern; http_uri; content:"User-Agent|3a|"; depth:11; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/_W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$/U"; reference:md5,3e215dfa84c271bb431b3de2e5da016a; classtype:trojan-activity; sid:2021556; rev:2; metadata:created_at 2015_07_30, updated_at 2015_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7572
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:to_server,established; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:trojan-activity; sid:2017988; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_20, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7578
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Alina.POS-Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Accept|3a 20|application/octet-stream|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:"|20|InfoPath|2e|"; http_header; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+\x20InfoPath\x2e\d[^\x29]+\r?$/Hmi"; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019163; rev:3; metadata:created_at 2014_09_11, updated_at 2014_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7579
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35"; flow:to_server,established; dsize:>11; content:"|7e 95|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,17274afd768cd0cbc2aa236cf82ab951; classtype:trojan-activity; sid:2018488; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7603
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7604
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Alina.POS-Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Accept|3a 20|application/octet-stream|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; depth:74; http_header; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2021597; rev:4; metadata:created_at 2015_08_05, updated_at 2015_08_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7605
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W2KM_BARTALEX Downloading Payload 2"; flow:established,to_server; content:"GET"; http_method; content:".txt"; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5|29 0d 0a|"; http_header; fast_pattern:51,20; content:"Accept|3a|"; http_header; content:"Accept-Language|3a|"; http_header; pcre:"/\/\d{4,}\.txt$/U"; reference:md5,545ee3114faa5abd994f9730713f2261; classtype:trojan-activity; sid:2021304; rev:4; metadata:created_at 2015_06_18, updated_at 2015_06_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7608
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Androm.gnlb Checkin"; flow:established,to_server; content:"/Count.asp?ver="; fast_pattern:only; nocase; http_uri; content:"&mac="; http_uri; content:!"Referer|3a|"; http_header; content:"Content-Length|3a| 0"; http_header; reference:md5,c7e6ebf91c03a2bcaa8053f149870fad; classtype:trojan-activity; sid:2021608; rev:2; metadata:created_at 2015_08_10, updated_at 2015_08_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7612
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021585; rev:3; metadata:created_at 2015_08_03, updated_at 2015_08_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7617
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN APT Lurker POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"HOST|3a|"; depth:5; http_header; content:"User-Agent|3a|"; distance:0; http_header; pcre:"/\.php$/U"; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/Hmi";  reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:trojan-activity; sid:2021584; rev:4; metadata:created_at 2015_08_03, updated_at 2015_08_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7618
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|Pragma|3a 20|no-cache|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:104; http_header; fast_pattern:76,20; content:"Connection|3a 20|Keep-Alive|0d 0a|Content-Length|3a 20|"; distance:0; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a)[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\nContent-Length\x3a\x20\d+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/Hm"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:trojan-activity; sid:2021631; rev:2; metadata:created_at 2015_08_14, updated_at 2015_08_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7622
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"POST / 1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:73; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:trojan-activity; sid:2021632; rev:2; metadata:created_at 2015_08_14, updated_at 2015_08_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7623
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13"; flow:to_server,established; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!8,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; content:"|7c 9e|"; offset:13; depth:8; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7c\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:trojan-activity; sid:2017938; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_01_07, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7628
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.VBKrypt.vquj Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|0d 0a|Content-Encoding|3a| binary|0d 0a|"; fast_pattern; http_header; content:"|03 00|"; http_client_body; depth:2; content:"|00 01 00|"; http_client_body; within:4; content:"|00 01 00|"; http_client_body; within:4; reference:md5,0c420e1eef4b1f097ffec8d0c0ff438a; classtype:trojan-activity; sid:2021605; rev:4; metadata:created_at 2015_08_10, updated_at 2015_08_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7637
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W2KM_BARTALEX August 11 2015"; flow:to_server,established; content:".jpg"; http_uri; nocase; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| FSL 7.0.6.01001)"; http_header; fast_pattern:55,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(?:[a-z]+|\d+)\.jpg/Ui";  reference:md5,1bcea0364088c5308ed217649eeef4d9; classtype:trojan-activity; sid:2021625; rev:4; metadata:created_at 2015_08_14, updated_at 2015_08_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7639
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vawtrak/NeverQuest CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; content:"/0"; http_uri; content:"=0000"; http_uri; fast_pattern:only; content:"=?"; http_uri; content:!"Referer|3a|"; http_header; content:"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; pcre:"/\.php\?[a-z]+=0000[a-fA-F0-9]{4}&[a-z]+=\?[A-F0-9]+&[a-z]=\d{4}&[a-z]=\d{4}$/U"; flowbits:set,ET.Vawtrak; metadata: former_category TROJAN; reference:md5,1b820dda5833f802be829d468884884e; classtype:trojan-activity; sid:2025089; rev:2; metadata:created_at 2015_08_25, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7644
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (kb63vhjuk3wh4ex7)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kb63vhjuk3wh4ex7"; nocase; distance:0; fast_pattern; reference:md5,a9f29924410a14dea1eef8d75fed3b39; reference:url,www.malware-traffic-analysis.net/2015/08/24/index2.html; classtype:trojan-activity; sid:2021711; rev:1; metadata:created_at 2015_08_25, updated_at 2015_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7645
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Banker.bqba Checkin"; flow:to_server,established; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MyApp|29 0d 0a|"; fast_pattern:37,8; http_header; content:"windows="; depth:8; http_client_body; content:"&av="; http_client_body; reference:md5,838d43239ba2c28bd968f8a7da64d340; classtype:trojan-activity; sid:2023693; rev:2; metadata:created_at 2015_08_25, updated_at 2017_01_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7651
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AlphaCrypt CnC Beacon 3"; flow:established,to_server; urilen:>250; content:"GET"; http_method; content:"/r.php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; pcre:"/\/r\.php\?[A-F0-9]+=?$/U"; reference:md5,0a4d0e5d0b69560414bbd20127bd8176; classtype:trojan-activity; sid:2021723; rev:4; metadata:created_at 2015_08_27, updated_at 2015_08_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7658
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:trojan-activity; sid:2021724; rev:3; metadata:created_at 2015_08_27, updated_at 2015_08_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7659
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Aibatook checkin"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"m="; depth:2; http_client_body; content:"AA=="; http_client_body; fast_pattern:only; pcre:"/\.asp$/U"; pcre:"/^m=(?:[A-Za-z0-9+/]{4}){11}(?:(?:[A-Za-z0-9+/]{4}){6})?AA==/Pi"; reference:md5,57a0af91f3b35ef1cf54502e77cc2904; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; classtype:trojan-activity; sid:2018685; rev:3; metadata:created_at 2014_07_16, updated_at 2014_07_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7660
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Corebot Checkin"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/6.0)"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:"AQAAA"; fast_pattern; depth:5; http_client_body; reference:md5,0f6a9b15bd9fd719bb96491e16eb2f9c; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; classtype:trojan-activity; sid:2021739; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7666
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Corebot Requesting Module"; flow:established,to_server; content:"POST"; http_method; content:".php?"; http_uri; content:"Content-Type|3a 20|text/plain"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_header; fast_pattern:59,20; content:!"Accept"; http_header; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021741; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7667
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Corebot Module Download"; flow:established,to_server; content:"GET"; http_method; content:".exx"; http_uri; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_header; fast_pattern:59,20; content:!"Accept"; http_header; pcre:"/\.exx$/U"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021742; rev:2; metadata:created_at 2015_08_31, updated_at 2015_08_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7668
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN AlphaCrypt .onion Proxy Domain (djdkduep62kz4nzx)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|djdkduep62kz4nzx"; fast_pattern; distance:0; nocase; reference:md5,1dd542bf3c1781df9a335f74eacc82a4; reference:url,malwr.com/analysis/YjllZWEzNmQ0MDA4NGNhNGIxYzIzNjU3YjczOTYxZjg/; classtype:trojan-activity; sid:2021363; rev:2; metadata:created_at 2015_06_29, updated_at 2015_06_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7669
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Reconyc.equo Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php?userid="; http_uri; content:"&mac="; fast_pattern:only; http_uri; content:"&auth="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,32c17edee5b29e41f31eda05e78b2241; classtype:trojan-activity; sid:2021744; rev:3; metadata:created_at 2015_09_04, updated_at 2015_09_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7670
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN PredatorPain Keylogger FTP Activity"; flow:established,to_server; dsize:21; content:"USER|20|panzerhund2015|0d 0a|"; fast_pattern:5,14; reference:url,malwareconfig.com/stats/PredatorPain; reference:md5,e5ddca929924e4f34cb18692f09ac424; classtype:trojan-activity; sid:2021745; rev:1; metadata:created_at 2015_09_04, updated_at 2015_09_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7671
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:trojan-activity; sid:2021748; rev:2; metadata:created_at 2015_09_08, updated_at 2015_09_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7672
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Critroni Variant .onion Proxy Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|7n4p5o6vlkdiqiee"; nocase; distance:0; fast_pattern; reference:md5,18dfcf3479bbd3878c0f19b80a01e813; classtype:trojan-activity; sid:2020213; rev:2; metadata:created_at 2015_01_19, updated_at 2015_01_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7673
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Corebot Module Download 2"; flow:established,to_server; content:"GET"; http_method; content:".dat"; http_uri; content:!"Content-Type|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_header; fast_pattern:59,20; content:!"Accept"; http_header; pcre:"/\.dat$/U"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f32f2209a1986c55750ceb6d8066df9f; classtype:trojan-activity; sid:2021754; rev:2; metadata:created_at 2015_09_09, updated_at 2015_09_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7676
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (FindPOS)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 805c 5f ec 50 39 a2 14|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:trojan-activity; sid:2021772; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_14, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7681
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AlphaCrypt Connectivity Check 1"; flow:established,to_server; urilen:4; content:"/raw"; http_uri; fast_pattern:only; content:"Mozilla/5.0 (Windows NT 6.1|3b| rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+[\r\n]*$/H"; reference:md5,d0e3471f4963496cefd73744e98340aa; classtype:trojan-activity; sid:2021775; rev:2; metadata:created_at 2015_09_15, updated_at 2015_09_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7683
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Iron Tiger DNSTunnel DNS Lookup (xssok.blogspot.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|xssok|08|blogspot|03|com|00|"; nocase; distance:0; fast_pattern; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021788; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7693
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021789; rev:2; metadata:created_at 2015_09_16, updated_at 2015_09_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7694
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021791; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7696
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern:only; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:1; metadata:created_at 2015_09_16, updated_at 2015_09_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7701
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern:only; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:trojan-activity; sid:2023910; rev:4; metadata:created_at 2015_07_17, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7705
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Odlanor CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?m="; http_uri; content:"&v="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&c="; http_uri; distance:0; content:"&u="; http_uri; distance:0; pcre:"/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Pi"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,ce19c30ffda76cd63a88eeb8af0340f0; reference:url,welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/; classtype:trojan-activity; sid:2021800; rev:2; metadata:created_at 2015_09_18, updated_at 2015_09_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7706
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021805; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7711
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/upx/"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/U"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:trojan-activity; sid:2021812; rev:2; metadata:created_at 2015_09_22, updated_at 2015_09_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7717
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"|20 7c 20 22|0x"; http_client_body; fast_pattern; content:"_"; distance:0; http_client_body; content:"|22 20 7c 20|"; distance:0; http_client_body; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:trojan-activity; sid:2021814; rev:2; metadata:created_at 2015_09_22, updated_at 2015_09_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7718
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:trojan-activity; sid:2021815; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7719
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:trojan-activity; sid:2021816; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_22, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7720
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:trojan-activity; sid:2021819; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7723
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021828; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_23, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7729
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Beacon 4"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"."; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; http_header; fast_pattern:48,20; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; http_header; pcre:"/\.(?:gif|bmp|jpeg|png)$/U"; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021829; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7730
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Data Exfil"; flow:established,to_server; urilen:>125; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"name=|22|upload_file|22 3b 20|filename=|22|"; http_client_body; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http_client_body; pcre:"/\.[a-z]{3,4}$/U"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:trojan-activity; sid:2021830; rev:3; metadata:created_at 2015_09_23, updated_at 2015_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7732
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:trojan-activity; sid:2021842; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7742
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021843; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7743
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021844; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_28, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7744
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"P"; depth:1; nocase; http_client_body; content:"myPath = "; nocase; http_client_body; content:"iFold = "; nocase; http_client_body; content:"wallPath = "; nocase; http_client_body; fast_pattern:only; content:"listPath = "; nocase; http_client_body; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021851; rev:4; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7748
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"M FSO object created|0d 0a|"; http_client_body; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021852; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7749
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A Successfully Installed CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"M STATE|3a 20|INSTALL|0d 0a|"; http_client_body; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021853; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7750
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:trojan-activity; sid:2021854; rev:4; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7751
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Created wallet - "; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021855; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7752
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 5"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M RecursiveFileSearch"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021856; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7753
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 6"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Scan folder|3a 20|"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021857; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7754
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Saved cryptor key - "; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021858; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7755
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 8"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"|29 20|Encrypt|20|"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021859; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7756
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Files encrypted,"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021860; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7757
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 10"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M STATE|3a 20|CRYPTED_"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021861; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7758
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Win32/WinPlock.A CnC Beacon 11"; flow:established,to_server; content:"POST"; http_method; content:".php?rnd="; http_uri; content:!"Referer|3a|"; http_header; content:"P"; depth:1; http_client_body; pcre:"/^\d+\x20/PR"; content:"M Free disk space|3a 20|"; nocase; http_client_body; fast_pattern:only; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:trojan-activity; sid:2021862; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7759
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021863; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7760
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2021864; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7761
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d5 f9 a6 1a fa 1e 76 c6|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,0453512c8c3bb940e8c40833d1076353; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021867; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7764
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 eb 96 25 e5 32 57 ee 34|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,77ebe2b014baf75e45c3009b0d42fa5d; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021868; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7765
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021869; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_09_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7766
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Java/QRat Retrieving PE"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3a 20|www.quaverse.com|0d 0a|"; depth:24; http_header; fast_pattern; pcre:"/\.exe$/U"; metadata: former_category TROJAN; reference:md5,ccdffdc551b36980b7cd04e33d5fb100; classtype:trojan-activity; sid:2021889; rev:2; metadata:created_at 2015_10_01, malware_family QRat, updated_at 2018_03_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7771
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021894; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_10_02, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7772
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN StartPage Userclass HTTP Request"; flow:established,to_server; urilen:10; content:"/Userclass"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Referer"; http_header; reference:md5,92ecb8cedb226a27e354b45a56f0353f; classtype:trojan-activity; sid:2021922; rev:2; metadata:created_at 2015_10_07, updated_at 2015_10_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7791
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neshta.A Posting Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a| multipart/form-data|3b| boundary="; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; nocase; http_header; content:"name=|22|file|22 3b 20|filename=|22|Browser"; http_client_body; fast_pattern:10,20; reference:md5,e93e5af213707ef1888784fa1e709004; classtype:trojan-activity; sid:2021923; rev:3; metadata:created_at 2015_10_07, updated_at 2015_10_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7792
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET TROJAN MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_07, updated_at 2015_10_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7796
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"ET TROJAN MSIL/Banker.M Downloading Binary from SQL"; flow:established,to_client; content:"|03 00|d|00|b|00|o|00 09 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 03|i|00|m|00|g"; fast_pattern:14,20; content:"This program cannot be run"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021931; rev:1; metadata:created_at 2015_10_07, updated_at 2015_10_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7797
12/12/2018 -- 16:31:50 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (HTTPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{HTTPFLOOD}"; fast_pattern; nocase; content:"Started consuming data from host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021872; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7798
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7799
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021874; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7800
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (AUTH)"; flow:established,from_server; content:"PRIVMSG"; content:"] {AUTH} User"; fast_pattern; distance:0; nocase; content:"logged "; distance:0; pcre:"/^(?:in|out)/R"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021875; rev:5; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7801
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (RAW)"; flow:established,from_server; content:"PRIVMSG"; content:"{RAW}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021876; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7802
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (EXEC)"; flow:established,from_server; content:"PRIVMSG"; content:"{EXEC}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021877; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7803
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (CHSERVER)"; flow:established,from_server; content:"PRIVMSG"; content:"{CHSERVER}"; fast_pattern; nocase; content:"Changing server|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021878; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7804
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern:only; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7805
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (RESTART)"; flow:established,from_server; content:"PRIVMSG"; content:"{RESTART}"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021880; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7806
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command Complete 1"; flow:established,from_server; content:"PRIVMSG"; content:"] Process finished => Total bytes read|3a|"; fast_pattern; nocase; content:"Total bytes sent|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021881; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7807
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command Complete 2"; flow:established,from_server; content:"PRIVMSG"; content:"Total connections completed|3a|"; fast_pattern; nocase; content:"Total connections failed|3a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021882; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7808
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command Complete 3"; flow:established,from_server; content:"PRIVMSG"; content:" MB|2c| Average speed|3a|"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021883; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7809
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:trojan-activity; sid:2021947; rev:3; metadata:created_at 2015_10_12, updated_at 2015_10_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7818
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod.M.gen requesting EXE payload 2015-10-07"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; nocase; content:"key="; http_uri; nocase; distance:0; fast_pattern; content:!"pdf="; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}$/U"; flowbits:set,ET.nemucod.exerequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021952; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7820
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod.M.gen requesting PDF payload 2015-10-07"; flow:to_server,established; content:"GET"; http_method; content:".php?"; http_uri; nocase; content:"key="; http_uri; nocase; distance:0; fast_pattern; content:"pdf="; http_uri; nocase; distance:0; content:!"Referer|3a| "; nocase; http_header; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}&pdf=[a-zA-Z]{4,}$/U"; flowbits:set,ET.nemucod.pdfrequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021953; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7821
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JS/Nemucod.M.gen downloading EXE payload"; flow:from_server,established; flowbits:isset,ET.nemucod.exerequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021954; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7822
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,ET.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; fast_pattern; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021955; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7823
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/StreamFlaw.A Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/6.0 (compatible|3b 20|MSIE 6.0"; http_header; fast_pattern:12,20; content:!"Referer|3a|"; http_header; reference:md5,981672cd969fe8cb1f887d0526b1ecf2; classtype:trojan-activity; sid:2020947; rev:3; metadata:created_at 2015_04_17, updated_at 2015_04_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7830
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Geodo Checkin"; flow:established,to_server; urilen:16<>20; content:!"Accept-"; http_header; content:" MSIE "; fast_pattern; http_user_agent; content:"POST"; http_method; content:"/"; offset:8; depth:2; http_uri; content:"/"; offset:16; depth:3; http_uri; pcre:"/^\/[a-f0-9]{7,8}\/[a-f0-9]{7,8}\/$/U"; content:!"Referer"; http_header; reference:md5,fa50062b7763487b3dd6f9ed0a2f3549; reference:url,pastebin.com/qnLmpKuQ; classtype:trojan-activity; sid:2018496; rev:9; metadata:created_at 2014_05_21, updated_at 2014_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7832
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.DarkComet Screenshot Upload Successful"; flow:established,to_server; dsize:7; content:"ENDSNAP"; reference:md5,38abba51bdf98347fc4f91642b21b041; classtype:trojan-activity; sid:2021996; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7844
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Duuzer Checkin"; flow:established,to_server; content:"|32 a3 56 bb 47 4f 32 00|"; depth:8; fast_pattern; content:"|30 b9 00 00|"; distance:3; within:4; reference:url,symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers; reference:md5,cd7a72be9c16c2ece1140bc461d6226d; classtype:trojan-activity; sid:2022000; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7845
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Load Payload"; flow:established,to_server; content:"&act="; http_uri; fast_pattern:only; pcre:"/\/(?:im(?:age|g)|pict)\.(?:jpg|php)\?id=\d+&act=[12]$/U"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2022007; rev:2; metadata:created_at 2015_10_28, updated_at 2015_10_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7850
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:trojan-activity; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PoisonIvy, signature_severity Critical, created_at 2015_07_23, malware_family PoisonIvy, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7851
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Malvertising Malicious PE Download"; flow:established,to_server; content:"GET"; http_method; content:"/adobe_flashplayer_7.exe"; http_uri; fast_pattern:only; reference:md5,d9b91aa8c66c4a701f5558bdca805eec; reference:url,otx.alienvault.com/pulse/5637202b4637f2388aaec61c/; classtype:trojan-activity; sid:2022020; rev:2; metadata:created_at 2015_11_02, updated_at 2015_11_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7853
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:trojan-activity; sid:2022021; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_02, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7854
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Silent Miner Changelog Checkin"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/plain"; http_header; file_data; content:"Changelog v"; depth:11; fast_pattern; content:"-Added startup folder"; distance:0; content:"-Changed AutoUpdate Mode"; distance:0; content:"|7c 7c|----------------"; distance:0; content:"-Fixed startup .exe without name bug"; distance:0; content:"-Changed files hosting"; distance:0; content:"- Added CPU Threads"; reference:md5,2d51e11a38b7fd448cd0b1d319915e44; classtype:trojan-activity; sid:2022034; rev:2; metadata:created_at 2015_11_04, updated_at 2015_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7855
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bebloh connectivity check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"Host|3a 20|"; depth:6; http_header; content:"Content-Length|3a 20|0|0d 0a|"; distance:0; http_header; content:"|3a 20|no-cache"; distance:0; http_header; content:!"|0d 0a|User-Agent"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,ccb463b2dadaf362a03c8bbf34dc247e; classtype:trojan-activity; sid:2014778; rev:4; metadata:created_at 2012_05_18, updated_at 2012_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7857
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod.M.gen requesting EXE payload 2015-11-02"; flow:to_server,established; content:"POST"; http_method; content:"redir.php"; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; content: "jndj="; fast_pattern; http_client_body; content: !"&ncm="; http_client_body; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}$/P"; flowbits:set,ET.nemucod.exerequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022037; rev:2; metadata:created_at 2015_11_04, updated_at 2015_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7858
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod.M.gen requesting PDF payload 2015-11-02"; flow:to_server,established; content:"POST"; http_method; content:"redir.php"; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; content: "jndj="; fast_pattern; http_client_body; content: "&ncm="; distance:0; http_client_body; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}&ncm=[a-zA-Z]{4,}$/P"; flowbits:set,ET.nemucod.pdfrequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022038; rev:2; metadata:created_at 2015_11_04, updated_at 2015_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7859
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoWall Check-in"; flow:established,to_server; urilen:<134; content:"="; offset:1; depth:1; http_client_body; content:" MSIE "; fast_pattern; http_user_agent; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http_header; content:!"|0d 0a|Accept-"; nocase; http_header; content:!"Referer|3a|"; http_header; pcre:"/[\/=][a-z0-9]{8,}$/U"; pcre:"/^[a-z]=[a-f0-9]{80,}$/P"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:15; metadata:created_at 2014_05_05, updated_at 2014_05_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7860
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Wrapper/Gholee/Wedex Checkin"; flow:established,to_server; dsize:12; content:"nocookie"; offset:4; depth:8; reference:md5,b7de8927998f3604762096125e114042; reference:url,blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/; classtype:trojan-activity; sid:2022047; rev:1; metadata:created_at 2015_11_09, updated_at 2015_11_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7861
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; content:"|00|ll|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,5}\x00ll\x7c/i";  reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:trojan-activity; sid:2021176; rev:3; metadata:created_at 2015_06_02, updated_at 2015_06_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7862
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:trojan-activity; sid:2022056; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7867
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022057; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7868
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022058; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7869
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:trojan-activity; sid:2022059; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7870
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:trojan-activity; sid:2022060; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7871
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:trojan-activity; sid:2022061; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7872
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:trojan-activity; sid:2022063; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7874
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:trojan-activity; sid:2022064; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7875
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:trojan-activity; sid:2022065; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7876
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:trojan-activity; sid:2022066; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7877
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:trojan-activity; sid:2022067; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_10, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7878
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:trojan-activity; sid:2022069; rev:1; metadata:created_at 2015_11_10, updated_at 2015_11_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7879
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern:only; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:trojan-activity; sid:2022068; rev:2; metadata:created_at 2015_11_10, updated_at 2015_11_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7880
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern:only; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:trojan-activity; sid:2022072; rev:1; metadata:created_at 2015_11_11, updated_at 2015_11_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7881
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bookworm CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:"/0"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^\/0[a-f0-9]{48}$/Ui"; reference:md5,8ae2468d3f208d07fb47ebb1e0e297d7; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:trojan-activity; sid:2022073; rev:2; metadata:created_at 2015_11_11, updated_at 2015_11_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7882
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)"; flow:established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|00|CAP|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00cap\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019214; rev:2; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7883
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00kl\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019222; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7884
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00fm\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019221; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7885
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00proc\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019220; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7886
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019219; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7887
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00srv\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019218; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7888
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rs\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019217; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7889
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00msg\x7c/i";  reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019216; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7890
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00mic\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:2019215; rev:3; metadata:created_at 2014_09_23, updated_at 2014_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7891
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bookworm CnC Beacon 2"; flow:to_server,established; content:"POST"; http_method; content:"000"; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^\/[a-f0-9]+000[a-f0-9]{37}$/Ui"; reference:md5,0f41c853a2d522e326f2c30b4b951b04; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:trojan-activity; sid:2022074; rev:3; metadata:created_at 2015_11_11, updated_at 2015_11_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7892
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Poweliks Clickfraud CnC M4"; flow:to_server,established; content:"GET"; http_method; content:"click?sid="; http_uri; fast_pattern; content:"&cid="; http_uri; distance:0; content:"Referer|3a 20|"; http_header; pcre:"/\?sid=[a-f0-9]{40}&cid=[0-9]$/U"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021251; rev:3; metadata:created_at 2015_06_11, updated_at 2015_06_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7893
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:created_at 2015_11_11, updated_at 2015_11_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7894
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022076; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7895
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022077; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7896
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Ransom.Win32.Blocker.dham Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?ID="; http_uri; content:"&Serial="; http_uri; content:"&acao="; http_uri; content:"&Log="; http_uri; content:"&PCInfo="; fast_pattern:only; http_uri; reference:md5,e15b38251aed80298ba07169eb6ee2fa; classtype:trojan-activity; sid:2022091; rev:2; metadata:created_at 2015_11_13, updated_at 2015_11_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7900
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Operation Buhtrap CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/menu.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"rv|3a|20.0"; http_user_agent; content:"Firefox/20.0"; distance:0; http_user_agent; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/\/menu\.php$/U"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:trojan-activity; sid:2020891; rev:4; metadata:created_at 2015_04_10, updated_at 2015_04_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7901
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Nymaim.BA CnC M1"; flow:to_server,established; content:"POST"; http_method; content:".in|0d 0a|User-Agent|3a 20|"; http_header; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; content:"Cache-Control|3a 20|no-cache"; http_header; content:"Pragma|3a 20|no-cache"; http_header; content:!"Content-Type|3a 20|"; http_header; content:!"/"; offset:1; http_uri; content:!"|2e|"; http_uri; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/Ui"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:trojan-activity; sid:2022119; rev:2; metadata:created_at 2015_11_18, updated_at 2015_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7917
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Nymaim.BA CnC M2"; flow:to_server,established; content:"POST"; http_method; content:".pw|0d 0a|User-Agent|3a 20|"; http_header; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; content:"Cache-Control|3a 20|no-cache"; http_header; content:"Pragma|3a 20|no-cache"; http_header; content:!"Content-Type|3a 20|"; http_header; content:!"/"; offset:1; http_uri; content:!"|2e|"; http_uri; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/Ui"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:trojan-activity; sid:2022120; rev:2; metadata:created_at 2015_11_18, updated_at 2015_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7918
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|softupdates|04|info|00|"; nocase; distance:0; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:trojan-activity; sid:2022121; rev:1; metadata:created_at 2015_11_18, updated_at 2015_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7919
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Sofacy DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|drivres-update|04|info|00|"; nocase; distance:0; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:trojan-activity; sid:2022122; rev:1; metadata:created_at 2015_11_18, updated_at 2015_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7920
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MegalodonHTTP CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&ip="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ram="; http_uri; content:"&cpu="; http_uri; content:"&gpu="; http_uri; content:"&av="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:trojan-activity; sid:2022126; rev:1; metadata:created_at 2015_11_23, updated_at 2015_11_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7921
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MegalodonHTTP Client Action"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?hwid=[A-F0-9]{16}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:trojan-activity; sid:2022127; rev:2; metadata:created_at 2015_11_23, updated_at 2015_11_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7922
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MegalodonHTTP CoinMiner Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?check="; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?check=\d$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:trojan-activity; sid:2022128; rev:1; metadata:created_at 2015_11_23, updated_at 2015_11_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7923
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 29"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9af77f89a565143983fa008bbd8eedee; classtype:trojan-activity; sid:2018181; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_26, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7930
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Matryoshka CnC Beacon 1"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/general.png"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/general\.png$/U"; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022146; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7931
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern:only; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022147; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7932
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Swrort.A Checkin 3"; flow:to_server,established; content:"GET"; http_method; nocase; content:".php?/12345"; http_uri; pcre:"/\.php\?\/12345$/U"; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n\r?$/Hi"; reference:md5,24203ba70f584b64a432fb6dad52765d; classtype:trojan-activity; sid:2022186; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7948
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Scieron-A Checkin via HTTP POST 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Sony|3b|"; http_header; fast_pattern:only; pcre:"/^\/\d+$/U"; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,f184c13be617754e394ecb8c972c8861; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2022188; rev:2; metadata:created_at 2015_11_25, updated_at 2015_11_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7949
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Teslacrypt .onion Proxy Domain (tw7kaqthui5ojcez)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tw7kaqthui5ojcez"; fast_pattern; distance:0; nocase; reference:md5,45683c29a36ef8a15f216d7c4b2af822; classtype:trojan-activity; sid:2022191; rev:1; metadata:created_at 2015_11_30, updated_at 2015_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7952
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN VBKlip/ClipBanker.P Status Update"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"/"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible MSIE 9.0 Windows NT 6.1 WOW64 Trident/5.0)|0d 0a|"; http_header; content:"tekst="; depth:6; http_client_body; fast_pattern; content:!"Accept-"; http_header; pcre:"/^tekst=\w+$/Pi"; reference:md5,ef230777f5b34291ea22bfc3c591ce2d; classtype:trojan-activity; sid:2022192; rev:2; metadata:created_at 2015_11_30, updated_at 2015_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7953
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,from_server; content:"|55 04 06|"; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 08|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 0a|"; distance:0; content:"|09|Send-Safe"; fast_pattern; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|07|Unknown"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|09|Send-Safe"; distance:1; within:10; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_11_30, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7954
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33"; flow:to_server,established; dsize:>11; content:"|70 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2acd1b235e12dc9b961e7236f6db8144; classtype:trojan-activity; sid:2018486; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7987
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34"; flow:to_server,established; dsize:>11; content:"|74 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3063e7406947d00b792cb013ca667a69; classtype:trojan-activity; sid:2018487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7988
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2015-12-01"; flow:to_server,established; content:"GET"; http_method; content:".exe?"; http_uri; nocase; content:!"Referer|3a| "; nocase; http_header; content:!"User-Agent|3a| BlueCoat"; nocase; http_header; content:"MSIE 7.0"; http_user_agent; pcre:"/\/[0-9]{2}\.exe\?[0-9]$/iU"; flowbits:set,ET.nemucod.exerequest; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,77290f994d05ad0add5768c9c040dc55; classtype:trojan-activity; sid:2022207; rev:4; metadata:created_at 2015_12_02, updated_at 2015_12_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7989
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sednit/AZZY Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"/"; offset:1; http_uri; content:"User-Agent|3a 20|MSIE|20|"; depth:17; http_header; fast_pattern; pcre:"/^User-Agent\x3a MSIE \d+\.\d+\r\n/Hi"; pcre:"/\/$/U"; reference:md5,7c373c607c8724f8be461d61016ed272; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:url,securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/; classtype:trojan-activity; sid:2019534; rev:4; metadata:created_at 2014_10_28, updated_at 2014_10_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7995
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.Win32.Vobfus Checkin 3"; flow:established,to_server; content:!"Accept-Language|3a|"; http_header; content:!"Referer"; http_header; content:"GET"; http_method; content:"|3f|"; offset:2; depth:20; http_uri; pcre:"/^\/[a-zA-Z0-9]{1,19}\/?\?[abdefijhgv\x22](?:\x7C\x2d?\d+?[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14})?$/U"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE|20|"; http_header; fast_pattern:36,6; content:!"Host|3a 20|www.pinterest.com"; reference:md5,3ed744b12a77359576af10a265154081; reference:md5,a2049adc2834d797b37f45382608f2b4; classtype:trojan-activity; sid:2018958; rev:18; metadata:created_at 2013_03_25, updated_at 2013_03_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 7996
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NetBackdoor Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|0d 0a|log="; http_client_body; fast_pattern; content:"path="; http_client_body; pcre:"/path=[A-Z]\x3a\x5c[A-F0-9]+\r\nlog=/Pi"; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022244; rev:2; metadata:created_at 2015_12_11, updated_at 2015_12_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8015
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DustySky CnC Beacon"; flow:established,to_server; content:".php?"; http_uri; content:"Pn="; nocase; distance:0; http_uri; fast_pattern; content:"&ID="; nocase; http_uri; content:"&o="; http_uri; content:"&av="; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:trojan-activity; sid:2021919; rev:5; metadata:created_at 2015_10_06, updated_at 2015_10_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8016
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022275; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_12_17, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8034
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FAKBEN Ransomware"; flow:established,to_server; content:"GET"; http_method; content:".php?btc="; http_uri; nocase; fast_pattern; content:"&wid="; http_uri; nocase; distance:0; content:"|3a|TWljcm9zb2Z0IFdpbmR"; http_uri; distance:0; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,c952a88edc0766adf819b30cd2683ac7; classtype:trojan-activity; sid:2022283; rev:1; metadata:created_at 2015_12_18, updated_at 2015_12_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8041
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ironhalo CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0(compatible|3b|MSIE 8.0|3b|Windows NT 6.1|29 0d 0a|"; http_header; fast_pattern:22,20; pcre:"/\.php$/U"; reference:md5,fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; classtype:trojan-activity; sid:2022298; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8046
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Win32/Dimegup.A Downloading Image Common URI Struct"; flow:established,to_server; content:"/444.jpg"; http_uri; fast_pattern:only; content:"postimg.org"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.postimg\.org(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,914c58df5d868f7c3438921d682f7fe5; classtype:trojan-activity; sid:2018022; rev:5; metadata:created_at 2014_01_27, updated_at 2014_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8049
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ASCII Executable Inside of MSCOFF File DL Over HTTP"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"|34 64 35 61|"; content:"|35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 66 36 37 37 32 36 31 36 64 32 30|"; distance:38; reference:md5,f4ee917a481e1718ccc749d2d4ceaa0e; classtype:trojan-activity; sid:2022303; rev:3; metadata:created_at 2015_12_23, updated_at 2015_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8050
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Powersploit Framework Script Downloaded"; flow:to_client,established; file_data; content:"function Invoke-"; depth:16; content:"|0a 7b 0a 3c 23 0a 2e 53 59 4e 4f 50 53 49 53 0a|"; distance:0; content:"|0a|PowerSploit Function|3a 20|"; distance:0; reference:md5,0aa391dc6d9ebec2f5d0ee6b4a4ba1fa; classtype:trojan-activity; sid:2022309; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8054
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BBSRAT GET request CnC"; flow:to_server,established; content:"GET"; http_method; content:"/bbs/"; depth:5; fast_pattern; http_uri; content:"/forum.php?sid="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; http_header; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/C"; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/Ui"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:trojan-activity; sid:2022310; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8055
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BBSRAT POST request CnC"; flow:to_server,established; content:"POST"; http_method; content:"/bbs/"; depth:5; fast_pattern; http_uri; content:"/forum.php?sid="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; http_header; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/C"; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/Ui"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:trojan-activity; sid:2022311; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8056
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET  any (msg:"ET TROJAN Win32/Htbot.B Checkin"; flow:to_server,established; content:".php?command="; fast_pattern:only; http_uri; content:"User-Agent|3A| pb|0D 0A|"; http_header; pcre:"/\.php\?command=(g(hl|et(ip|id|backconnect))|update2?|dl|log)($|&)/U"; reference:md5,bdd2328d466e563a650bb7ccdb9aca79; reference:md5,ba1404af71ecf3ca8b0e30a2b365f6fd; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FHtbot.B; classtype:trojan-activity; sid:2020089; rev:4; metadata:created_at 2015_01_05, updated_at 2015_01_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8060
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:trojan-activity; sid:2022323; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_31, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8064
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cryptojoker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?info="; fast_pattern; http_uri; content:"|3a 3a|"; distance:0; http_uri; content:"|4f 4e 4c 25 35 43 6e|"; http_raw_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/\x4f\x4e\x4c\x25\x35\x43\x6e$/I"; reference:url,www.bleepingcomputer.com/news/security/the-cryptojoker-ransomware-is-nothing-to-laugh-about/; reference:md5,904b0888bfa02d200091fa8ad014d016; reference:md5,bca6c1fa9b9a8bf60eecbd91e08d1323; classtype:trojan-activity; sid:2022333; rev:2; metadata:created_at 2016_01_05, updated_at 2016_01_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8070
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malicious VBS Downloader fake image zip"; flow:to_server,established; content:"GET"; http_method; content:".zip"; http_uri; nocase; fast_pattern:only; content:"Content-Type|3a 20|text/plain|3b| Charset=UTF-8|0d 0a|"; http_header; pcre:"/\.(?:gif|jpe?g)\.zip$/Ui"; reference:md5,7b678a25c533652dbb0c2a2ac37cf1e3; classtype:trojan-activity; sid:2022334; rev:2; metadata:created_at 2016_01_05, updated_at 2016_01_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8071
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_04, updated_at 2016_01_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8072
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NanoLocker Check-in (ICMP) M1"; itype:8; icode:0; dsize:26<>35; content:"|31|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022331; rev:3; metadata:created_at 2016_01_05, updated_at 2016_01_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8073
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN ELF.MrBlack DOS.TF Malformed Lookup (/lib32/libc.so.6)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|/lib32/libc|02|so|01|6|00|"; fast_pattern; distance:0; nocase; reference:md5,312fa52a7992e58359cb68bb0f029ea7; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022335; rev:2; metadata:created_at 2016_01_06, updated_at 2016_01_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8074
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32.Nitol.K Variant CnC"; flow:established,to_server; content:"|0b 00 00 00 00|"; depth:5; content:"Windows|20|"; distance:3; within:8; content:"|00|"; within:5; content:"|7c b4 ab b2 a5 7c|"; fast_pattern:only; reference:md5,56bff68317a0af08f749a1c717125cf3; classtype:trojan-activity; sid:2022337; rev:2; metadata:created_at 2016_01_06, updated_at 2016_01_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8076
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bulta CnC Beacon "; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022345; rev:2; metadata:created_at 2016_01_08, updated_at 2016_01_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8078
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Bulta DNS Lookup (kugo.f3322.net)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|kugo|05|f3322|03|net|00|"; nocase; distance:0; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:2; metadata:created_at 2016_01_08, updated_at 2016_01_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8079
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Bulta DNS Lookup (yk.ftwxw.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|yk|05|ftwxw|03|com|00|"; nocase; distance:0; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:2; metadata:created_at 2016_01_08, updated_at 2016_01_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8080
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.XST Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"this is UP"; depth:10; http_client_body; fast_pattern; content:"|00 00 00 00|"; http_client_body; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022362; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8086
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:trojan-activity; sid:2014636; rev:5; metadata:created_at 2012_04_25, updated_at 2012_04_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8088
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022386; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8092
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022387; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8093
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022388; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8094
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022389; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8095
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022390; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_01_21, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8096
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/7ev3n Ransomware Initial Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?RIGHTS="; http_uri; fast_pattern; nocase; content:"&WIN="; http_uri; distance:0; nocase; content:"User-Agent|3a 20|Internet Explorer|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:trojan-activity; sid:2022402; rev:2; metadata:created_at 2016_01_22, updated_at 2016_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8107
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/7ev3n Ransomware Process Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?SSTART="; http_uri; nocase; content:"&CRYPTED_DATA="; http_uri; nocase; distance:0; fast_pattern; content:"&ID="; http_uri; nocase; distance:0; content:"User-Agent|3a 20|Internet Explorer|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:trojan-activity; sid:2022403; rev:2; metadata:created_at 2016_01_22, updated_at 2016_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8108
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LeChiffre Ransomware CnC"; flow:to_server,established; content:"GET"; http_method; content:"/sipvoice.php?"; http_uri; depth:14; fast_pattern; content:"&session="; http_uri; distance:0; content:"Keep-Alive|3a 20|300"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Synapse)"; http_header; reference:md5,4523ccfd191dcceeae8e884f82f5c7ad; reference:url,blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/; classtype:trojan-activity; sid:2022406; rev:2; metadata:created_at 2016_01_25, updated_at 2016_01_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8111
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Kaicone.A Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Plug="; http_client_body; depth:5; fast_pattern; content:"Instituto="; http_client_body; distance:0; content:"&AV="; http_client_body; distance:0; content:!"Referer|3a 20|"; http_header; reference:md5,0dfaf7a70859ddb86296276dc20ce1ae; classtype:trojan-activity; sid:2022407; rev:2; metadata:created_at 2016_01_25, updated_at 2016_01_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8112
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:2; metadata:created_at 2016_01_28, updated_at 2016_01_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8164
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CenterPOS CnC"; flow:established,to_server; content:"POST"; content:".php"; http_uri; content:"mode="; depth:5; fast_pattern; nocase; http_client_body; content:"&uid="; nocase; http_client_body; distance:0; content:"&osname="; nocase; http_client_body; distance:0; content:"&compname="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022469; rev:2; metadata:created_at 2016_01_28, updated_at 2016_01_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8165
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN CenterPOS Delete Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"|7c|delplugs|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022470; rev:2; metadata:created_at 2016_01_28, updated_at 2016_01_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8166
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN CenterPOS Load Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"|7c|loadplug|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022471; rev:2; metadata:created_at 2016_01_28, updated_at 2016_01_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8167
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CenterPOS CnC 2"; flow:established,to_server; content:"POST"; content:".php"; http_uri; content:"mode="; depth:5; fast_pattern; nocase; http_client_body; content:"&uid="; nocase; http_client_body; distance:0; content:"&comid="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022472; rev:2; metadata:created_at 2016_01_28, updated_at 2016_01_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8168
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Download Request Containing Suspicious Filename - Crypted"; flow:to_server,established; content:"GET"; http_method; content:"crypted.exe"; nocase; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/crypted\.exe$/Ui"; reference:md5,ff823130efcdf8ab267cad92eb5b90d7; reference:md5,e953e6b3be506c5b8ca80fbcd79c065e; reference:md5,1e2fa2e401cd2295a03ba8d8d3d3698b; classtype:trojan-activity; sid:2022491; rev:2; metadata:created_at 2016_02_04, updated_at 2016_02_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8180
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fluxer CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php?id="; http_uri; fast_pattern; content:"&ver="; http_uri; distance:0; content:"&m="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla|0d 0a|"; http_header; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/&m=\d$/Ui"; reference:md5,648f432b41f3bcebc1a599f529055cf0; classtype:trojan-activity; sid:2022492; rev:2; metadata:created_at 2016_02_04, updated_at 2016_02_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8181
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/LockScreen CnC HTTP Pattern"; flow:established,to_server; content:"GET"; http_method; content:",0x"; http_uri; fast_pattern:only; pcre:"/(?:,0x[0-9a-f]{2}){10}$/U"; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,8df8d0cd70f96538211c65fb6361704d; classtype:trojan-activity; sid:2022494; rev:2; metadata:created_at 2016_02_08, updated_at 2016_02_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8182
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST Retrieving Second Stage"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; fast_pattern; depth:17; content:"Host|3a 20|"; http_header; pcre:"/^[^\r\n]+\x20[a-z]/RHi"; content:"|0d 0a 0d 0a|"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R";  reference:md5,6948d4f22e8d57369988be219ab70335; classtype:trojan-activity; sid:2020470; rev:6; metadata:created_at 2015_02_18, updated_at 2015_02_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8185
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dridex POST Retrieving Second Stage M2"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; fast_pattern; content:"|0d 0a 0d 0a|"; distance:0; byte_extract:1,4,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R"; content:"Host|3a 20|"; http_header; pcre:"/^(?=[a-z0-9]{0,19}[A-Z])(?:(?=[A-Z0-9]{0,19}[a-z])|(?=[A-Za-z]{0,19}\d)|(?=[A-Z]+\.))[a-zA-Z0-9]{3,20}[\x2e\x20][a-z]{2,3}\r?$/RHm"; reference:md5,148112df459ba40b9127f7d4f1c08df2; classtype:trojan-activity; sid:2020825; rev:6; metadata:created_at 2015_04_01, updated_at 2015_04_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8186
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; content:"Content-Type|3a 20|image/"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:md5,838ab7aacac590ea2e170888b2502a63; classtype:trojan-activity; sid:2019165; rev:3; metadata:created_at 2014_09_11, updated_at 2014_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8187
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TeslaCrypt/AlphaCrypt Payment DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|javajvlsworf3574"; nocase; distance:0; fast_pattern; reference:md5,ff50a331feec575b505976cb0506ebfd; classtype:trojan-activity; sid:2022507; rev:1; metadata:created_at 2016_02_11, updated_at 2016_02_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8188
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022510; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_02_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8191
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Putter Panda HTTPClient CnC HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/Microsoft"; nocase; http_uri; content:"/default.asp"; http_uri; distance:0; content:"?tmp="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:url,resources.crowdstrike.com/putterpanda/; reference:md5,544fca6eb8181f163e2768c81f2ba0b3; classtype:trojan-activity; sid:2018554; rev:4; metadata:created_at 2014_06_10, updated_at 2014_06_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8196
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/GCman.Backdoor CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/s2.cgi"; http_uri; depth:15; content:!"Referer|3A|"; http_header; pcre:"/^[a-f0-9]{31}\x3B(?:[a-zA-Z0-9+/=]+)?\r?$/P"; reference:md5,8a18846e17244db9af90009ddab341ce; reference:url,securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/; classtype:trojan-activity; sid:2022529; rev:2; metadata:created_at 2016_02_16, updated_at 2016_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8199
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Deep Panda User-Agent"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|29 0d 0a|"; http_header; fast_pattern:83,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Host|3a 20|iecvlist.microsoft.com"; http_header; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020380; rev:3; metadata:created_at 2015_02_06, updated_at 2015_02_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8204
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN FrameworkPOS CnC Server Reporting IP Address To Agent"; flow:established,to_client; file_data; content:"=="; depth:2; content:"=="; within:17; fast_pattern; file_data; content:"=="; depth:2; pcre:"/^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:={2})/R"; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:trojan-activity; sid:2022552; rev:2; metadata:created_at 2016_02_22, updated_at 2016_02_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8208
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN FrameworkPOS Covert DNS CnC Initial Check In"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04 70 69 6e 67 03 61 64 6d|"; fast_pattern; distance:15; content:"|05|grp"; nocase; offset:12; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:trojan-activity; sid:2022559; rev:1; metadata:created_at 2016_02_22, updated_at 2016_02_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8214
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely PadCrypt Locker PKG DL"; flow:established,to_server; content:".pdcr"; http_uri; nocase; pcre:"/\.pdcr$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022568; rev:2; metadata:created_at 2016_02_25, updated_at 2016_02_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8219
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN PadCrypt .onion Payment Domain"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gnkltbsaeq35rejl"; fast_pattern; distance:0; nocase; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022569; rev:1; metadata:created_at 2016_02_25, updated_at 2016_02_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8220
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN jFect HTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ping"; http_uri; content:"User-Agent|3a 20|Java/"; content:"uid="; depth:4; http_client_body; content:"&group="; http_client_body; content:"&lan="; http_client_body; content:"&nameAtPc="; http_client_body; fast_pattern; nocase; content:"&os="; http_client_body; content:"&country="; http_client_body; content:"&uptime="; http_client_body; content:"&installDate="; http_client_body; nocase; content:!"Referer|3a|"; http_header; reference:md5,d19261cf449afc52532028cca110eb36; classtype:trojan-activity; sid:2022582; rev:2; metadata:created_at 2016_03_02, updated_at 2016_03_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8224
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Windows executable base64 encoded"; flow: established,from_server; file_data; content:"TVqQA"; pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs"; reference:md5,49aca228674651cba776be727bdb7e60; classtype:trojan-activity; sid:2018856; rev:10; metadata:created_at 2014_07_31, updated_at 2014_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8227
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Panda Banker CnC"; flow:established,to_server; content:"POST"; http_method; content:!"Content-Type|3a 20|"; http_header; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; depth:13; content:!".php"; http_uri; pcre:"/^\/[A-Za-z0-9]+(?:\/[A-F0-9]+){3,}$/U"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; content:"P/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern:only; reference:md5,17bd012f145bba62b4e58b376d8002d3; classtype:trojan-activity; sid:2022609; rev:2; metadata:created_at 2016_03_10, updated_at 2016_03_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8233
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Maktub Locker Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bs7aygotd2rnjl4o"; fast_pattern; distance:0; nocase; reference:md5,74add6536cdcfb8b77d10a1e7be6b9ef; classtype:trojan-activity; sid:2022634; rev:1; metadata:created_at 2016_03_21, updated_at 2016_03_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8241
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"version="; depth:8; http_client_body; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/P";  reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:trojan-activity; sid:2020936; rev:3; metadata:created_at 2015_04_16, updated_at 2015_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8247
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Genome User-Agent (Http Down)"; flow:established,to_server; content:"User-Agent|3a 20|Http Down"; http_header; fast_pattern; reference:md5,479306863946029e545a4803b303d74c; classtype:trojan-activity; sid:2022654; rev:2; metadata:created_at 2016_03_24, updated_at 2016_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8248
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IrcBot Fantasy Name Gen"; flow:established,to_server; content:"Host|3a 20|www.fantasynamegen.com"; http_header; nocase; fast_pattern; content:!"User-Agent"; http_header; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022655; rev:2; metadata:created_at 2016_03_24, updated_at 2016_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8249
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content:".cl"; distance:2; within:6; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022656; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8250
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IrcBot Downloading .old"; flow:established,to_server; content:".old"; http_uri; content:".old|20|HTTP/1.1|0d 0a|Host"; content:!"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022657; rev:2; metadata:created_at 2016_03_24, updated_at 2016_03_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8251
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:11; content:"/submit.php"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:"User-Agent|3a|"; http_header; pcre:"/[\x80-\xff]/P"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:trojan-activity; sid:2022665; rev:4; metadata:created_at 2016_03_28, updated_at 2016_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8257
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Coverton Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lnc57humvaxpqfv3"; nocase; distance:0; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022675; rev:1; metadata:created_at 2016_03_28, updated_at 2016_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8258
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware/Coverton Checkin"; flow:to_server,established; content:".php?ch="; http_uri; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-length|3a| 0|0d 0a|"; http_header; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022676; rev:2; metadata:created_at 2016_03_28, updated_at 2016_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8259
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware/Coverton CnC 1"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"task=report&id="; http_client_body; fast_pattern:only; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022677; rev:2; metadata:created_at 2016_03_28, updated_at 2016_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8260
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware/Coverton CnC 2"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"task=knock&pub="; http_client_body; fast_pattern:only; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022678; rev:2; metadata:created_at 2016_03_28, updated_at 2016_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8261
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.TreasureHunter Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:"request=true"; http_uri; fast_pattern:only; content:"request="; http_client_body; depth:8; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept-"; http_header; reference:md5,070e9a317ee53ac3814eb86bc7d5bf49; reference:url,isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/; classtype:trojan-activity; sid:2022681; rev:1; metadata:created_at 2016_03_29, updated_at 2016_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8263
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 2"; flow:to_server,established; content:"POST"; http_method; content:".html"; nocase; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:!"Host|3 a20|www.youdao.com"; http_header; pcre:"/\/\d{8,10}\.html$/Ui"; reference:md5,cfa7954722d4277d26e96edc3289a4ce; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021276; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8264
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Dripion External IP Check"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"/"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; content:"Host|3a 20|www.dawhois.com|0d 0a|"; fast_pattern:only; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:trojan-activity; sid:2022688; rev:2; metadata:created_at 2016_03_30, updated_at 2016_03_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8267
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Dripion HTTP CnC Checkin"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"/"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"|40 24|"; http_client_body; depth:2; pcre:"/^\x40\x24[^\x20-\x7e\r\n]+$/Ps"; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:trojan-activity; sid:2022689; rev:2; metadata:created_at 2016_03_30, updated_at 2016_03_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8268
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:trojan-activity; sid:2022713; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_04_07, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8278
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Locky JS Downloading Payload"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; fast_pattern; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; flowbits:set,ET.Locky; flowbits:noalert; metadata: former_category TROJAN; reference:md5,c6896184db5c07ebadf40115138b2f4c; reference:md5,cb8f78317622f8ae855ac25ef4cf3688; classtype:trojan-activity; sid:2026460; rev:3; metadata:created_at 2016_03_16, updated_at 2018_10_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8282
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept|3a| */*|0d 0a|Cookie|3a|"; depth:25; http_raw_header; content:"User-Agent|3a| "; http_raw_header; distance:0; content:"Host|3a| "; http_raw_header; distance:0; content:"uid="; depth:4; http_cookie; content:"|3b 20|VISITOR="; distance:0; http_cookie; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:4; metadata:created_at 2012_05_01, updated_at 2012_05_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8291
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Virus-Encoder Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"submit=submit&id="; http_client_body; fast_pattern; content:"&guid="; http_client_body; content:"&pc="; http_client_body; content:"&mail="; http_client_body; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,57a69d5130d32da0a278c72137ca58ee; classtype:trojan-activity; sid:2022737; rev:3; metadata:created_at 2016_04_15, updated_at 2016_04_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8292
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.XST Keepalive"; flow:established,to_server; content:"POST"; http_method; content:".asp"; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Length|3a 20|2|0d 0a|"; http_header; fast_pattern:only; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"ok"; http_client_body; depth:2; threshold: type limit, count 1, seconds 60, track by_src; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022363; rev:3; metadata:created_at 2016_01_13, updated_at 2016_01_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8296
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Agent.XST/UP007 Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"this is UP"; depth:10; http_client_body; fast_pattern; content:"|00 00 00 00|"; http_client_body; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:trojan-activity; sid:2022749; rev:2; metadata:created_at 2016_04_20, updated_at 2016_04_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8297
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrojanDownloader.Banload.XDL Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/okok/Notify.php"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library|29 0d 0a|"; http_header; reference:md5,70adf5506c767590e11bdc473c91bb38; classtype:trojan-activity; sid:2022754; rev:2; metadata:created_at 2016_04_22, updated_at 2016_04_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8300
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; pcre:"/\.php$/U"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:4; metadata:created_at 2016_02_11, updated_at 2016_02_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8301
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT.Fwits CnC Beacon M1"; flow:established,to_server; content:"GET"; http_method; content:"/al?"; depth:4; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:trojan-activity; sid:2022756; rev:2; metadata:created_at 2016_04_25, updated_at 2016_04_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8303
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT.Fwits CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:"?---"; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?---[A-Z]$/U"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:trojan-activity; sid:2022757; rev:2; metadata:created_at 2016_04_25, updated_at 2016_04_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8304
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blackmoon/Banbra Configuration Request"; flow:to_server,established; content:"GET"; http_method; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; http_uri; content:"Accept|3a 20|*/*|0d 0d 0a|User-Agent"; http_header; fast_pattern; content:".qq.com|0d 0a|"; http_header; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,bbcbd3dc203829c9cdbf7d1b057f0e79; classtype:trojan-activity; sid:2022759; rev:2; metadata:created_at 2016_04_25, updated_at 2016_04_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8305
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105"; flow:to_server,established; dsize:>11; content:"|4a ae|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xae/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ba6eaf301344de6fe1e079fa960bc698; classtype:trojan-activity; sid:2022773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2016_04_29, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8314
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|d|01|q|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022780; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8317
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|e|01|q|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022781; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8318
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|f|01|q|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022782; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8319
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|d|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022783; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8320
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|e|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022784; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8321
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|f|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022785; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8322
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|g|01|r|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022786; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8323
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|01|d|01|v|00 00 05 00 01|"; distance:0; fast_pattern; isdataat:!1,relative; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:trojan-activity; sid:2022787; rev:1; metadata:created_at 2016_05_04, updated_at 2016_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8324
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Sality-GR Checkin 2"; flow:to_server,established; content:".png?"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|"; depth:12; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/\.png\x3f[0-9a-f]{4,8}\x3d\d+?$/U"; reference:md5,99d614964eafe83ec4ed1a4537be35b9; classtype:trojan-activity; sid:2022804; rev:2; metadata:created_at 2016_05_13, updated_at 2016_05_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8330
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enfal CnC POST"; flow:to_server,established; content:"POST"; http_method; content:".cgi"; fast_pattern:only; http_uri; pcre:"/\.cgi$/U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/Hmi"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:trojan-activity; sid:2021079; rev:3; metadata:created_at 2015_05_08, updated_at 2016_05_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8331
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|ur232dkkwpdkwp|03|xyz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:trojan-activity; sid:2022831; rev:1; metadata:created_at 2016_05_19, updated_at 2016_05_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8336
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.Win32.Agent.bay Variant Covert Channel (VERSONEX)"; flow:established,to_server; content:"VERSONEX|3a|"; depth:9; fast_pattern; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; content:"|7c|"; distance:1; within:1; reference:md5,f80af2735fdad5fe14defc4f1df1cc30; classtype:trojan-activity; sid:2020978; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8341
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:51 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop smtp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:3; metadata:created_at 2015_09_30, updated_at 2015_09_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8345
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon 4 21 May"; flow:established,to_server; content:"POST"; http_method; content:"/access.cgi"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:"User-Agent|3a|"; http_header; pcre:"/[\x80-\xff]/P"; reference:md5,53859b74ab0ed0e98065982462f4e575; classtype:trojan-activity; sid:2022844; rev:2; metadata:created_at 2016_05_31, updated_at 2016_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8348
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Luminosity RAT Possible Module Download M1"; flow:to_server,established; urilen:5; content:"GET"; http_method; content:"/EPWD"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022851; rev:2; metadata:created_at 2016_06_02, updated_at 2016_06_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8349
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Luminosity RAT Possible Module Download M2"; flow:to_server,established; urilen:4; content:"GET"; http_method; content:"/PWD"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022852; rev:2; metadata:created_at 2016_06_02, updated_at 2016_06_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8350
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Criptobit/Mobef Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?a="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) Edge/13.10586|0d 0a|"; fast_pattern:40,20; http_header; pcre:"/\.php\?a=\d{5,10}.+\x3a\d\x3a\d\x3a\d\.\d\x3a\d$/U"; reference:md5,c90a8039f330ba6660a91113f6c53685; classtype:trojan-activity; sid:2022845; rev:4; metadata:created_at 2016_05_31, updated_at 2016_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8360
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BandarChor/CryptON Ransomware Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"=8ACEFC"; offset:1; depth:7; fast_pattern; http_client_body; pcre:"/=8ACEFC[0-9A-F]{150,}$/P"; pcre:"/\.php$/U"; reference:md5,5ee28035c56c048580c64b67ec4f2124; classtype:trojan-activity; sid:2022875; rev:1; metadata:created_at 2016_06_08, updated_at 2016_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8361
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Qarallax RAT Downloading Modules"; flow:to_server,established; content:"GET"; http_method; content:"qarallax.com|0d 0a|"; http_header; fast_pattern; content:"User-Agent|3a 20|Java/"; http_header; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022881; rev:2; metadata:created_at 2016_06_08, updated_at 2016_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8367
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1714 (msg:"ET TROJAN Qarallax RAT Keepalive C2 (set)"; flow:to_server,established; content:"|00 00 09 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; flowbits:set,ET.qarallax; flowbits:noalert; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022882; rev:1; metadata:created_at 2016_06_08, updated_at 2016_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8368
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1714 -> $HOME_NET any (msg:"ET TROJAN Qarallax RAT Keepalive C2"; flow:from_server,established; flowbits:isset,ET.qarallax; content:"|00 00 0c 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022883; rev:1; metadata:created_at 2016_06_08, updated_at 2016_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8369
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 1"; flow:to_server,established; content:"POST"; http_method; content:".pdf/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.pdf\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023912; rev:2; metadata:created_at 2016_06_09, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8370
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 2"; flow:to_server,established; content:"POST"; http_method; content:".zip/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.zip\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023913; rev:2; metadata:created_at 2016_06_09, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8371
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 3"; flow:to_server,established; content:"POST"; http_method; content:".htm/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.htm\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023914; rev:2; metadata:created_at 2016_06_09, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8372
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT28 SEDNIT Variant CnC Beacon 4"; flow:to_server,established; content:"POST"; http_method; content:".xml/?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.xml\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:trojan-activity; sid:2023915; rev:2; metadata:created_at 2016_06_09, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8373
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bolek HTTP Checkin"; flow: to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Client 1.2|0d 0a|"; fast_pattern; http_header; pcre:"/\?[a-f0-9]{32}$/Ui"; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:trojan-activity; sid:2022889; rev:2; metadata:created_at 2016_06_10, updated_at 2016_06_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8374
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zeprox.B Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?a=n|60|e|3e|"; http_uri; fast_pattern:only; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Proxy-Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,bc27f28e5fe47b78202fd3108d39aac1; reference:md5,38c89cca7806fde08bba82b3cb533e5a; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3AWin32/Zeprox.B; classtype:trojan-activity; sid:2020203; rev:5; metadata:created_at 2015_01_16, updated_at 2015_01_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8375
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; content:"POST"; http_method; nocase;  content:!"Referer|3a|"; http_header; content:"ps0="; http_client_body; depth:4; fast_pattern; content:"&ps1="; http_client_body; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/P"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:trojan-activity; sid:2017371; rev:11; metadata:created_at 2013_05_15, updated_at 2016_06_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8376
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; dsize:>11; content:"kuroro"; depth:6; byte_jump:4,0,relative,little,from_beginning; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:trojan-activity; sid:2022885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2016_06_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8378
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Spy.Banker.DH Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?"; http_uri; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.1|3b| ru|3b| rv|3a|1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)|0d 0a|"; fast_pattern:84,20; http_header; content:"id="; depth:3; nocase; http_client_body; pcre:"/\.aspx\?$/U"; reference:md5,39519ff5bddd6d0eee032232349fe0a6; classtype:trojan-activity; sid:2022811; rev:3; metadata:created_at 2016_05_17, updated_at 2016_06_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8379
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Crypren/Zcrypt Ransomware Checkin"; flow:established,to_server; content:".php?computerid="; http_uri; pcre:"/\.php\?computerid=[a-fA-F0-9]{32}&(?:public|private)=\d$/U"; content:!"Referer|3a 20|"; http_header; reference:md5,7efb738c2b04aacdd3354d590cb3df47; classtype:trojan-activity; sid:2022897; rev:2; metadata:created_at 2016_06_14, updated_at 2016_06_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8380
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/RAA Ransomware check-in"; flow:established,to_server; content:".php?id="; http_uri; content:" - RAA"; http_uri; fast_pattern; content:"WinHttp.WinHttpRequest"; http_header; reference:md5,535494aa6ce3ccef7346b548da5061a9; classtype:trojan-activity; sid:2022899; rev:2; metadata:created_at 2016_06_15, updated_at 2016_06_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8381
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Satana Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/add.php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; content:"id="; http_client_body; depth:3; content:"&code="; http_client_body; distance:0; content:"&sdata="; http_client_body; distance:0; content:"&name="; http_client_body; distance:0; reference:md5,d236fcc8789f94f085137058311e848b; reference:url,blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware; classtype:trojan-activity; sid:2022929; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8393
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; content:"POST"; http_method; content:"/_dispatch.php"; fast_pattern; content:"www-form-urlencoded|0d 0a|"; http_header; content:"|0d 0a|x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; pcre:"/^[0-9a-zA-Z=%-]{0,48}(?:%[A-F0-9]{2}){4}/Psi"; reference:md5,6f8987e28fed878d08858a943e7c6e7c; classtype:trojan-activity; sid:2022952; rev:2; metadata:tag Locky, created_at 2016_07_06, updated_at 2016_07_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8404
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; metadata: former_category TROJAN; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:trojan-activity; sid:2022888; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2016_06_10, malware_family Bancos, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8406
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Ranscam Ransomware Contact Form"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"action=|22|http|3a|//www.tectite.com"; fast_pattern; nocase; content:"EmailAddr|3a|Your email address"; nocase; distance:0; content:"Message|3a|Your message"; nocase; distance:0; content:"Use your real email if you want a response"; nocase; distance:0; content:"spam folder if you do not receive"; nocase; distance:0; reference:md5,926a8d1c842964b2b81f5f94f6ae73b1; reference:url,blog.talosintel.com/2016/07/ranscam.html; classtype:trojan-activity; sid:2022968; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_07_14, performance_impact Low, updated_at 2016_07_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8410
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Razy.azv Downloading Content"; flow:established,to_server; content:".so"; http_uri; pcre:"/\/(?:tr(?:_w)?|ft)\.so$/U"; content:!"Referer|3a 20|"; nocase; http_header; content:!"Accept"; nocase; http_header; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022969; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_14, malware_family Razy, performance_impact Low, updated_at 2016_07_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8411
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Evil Monero Cryptocurrency Miner Request Pools"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<HTML>|0d 0a|<HEAD>|0d 0a|<BODY>|0d 0a|<DIV"; depth:28; content:"|0d 0a|899@"; distance:0; content:"0.rn,9.re9899@n&9,bgggs"; distance:0; fast_pattern; reference:md5,848720742b957d27f6ee94b9fe4126f0; reference:url,www.fireeye.com/blog/threat-research/2016/06/resurrection-of-the-evil-miner.html; classtype:trojan-activity; sid:2022982; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_21, performance_impact Low, updated_at 2016_07_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8414
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pottieq.A Check-in"; flow:established,to_server; content:"POST"; http_method; content:!"Accept"; http_header; content:"pc="; http_client_body; content:"mail="; http_client_body; content:"guid="; nocase; http_client_body; content:!"Cookie|3a 20|"; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20 7b|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}\r?$/Hmi"; pcre:"/(?:^|&)id=\d+(?:$|&)/P"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Pottieq, signature_severity Major, created_at 2016_07_27, malware_family Pottieq, performance_impact Low, updated_at 2016_07_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8416
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Radonskra.B C2 Check-in"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"&os=Windows"; http_uri; nocase; content:"&mac="; nocase; http_uri; content:"&lua="; http_uri; nocase; content:"&firewall="; http_uri; nocase; content:"&antivirus="; http_uri; nocase; content:"&antispyware"; http_uri; nocase; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; reference:md5,9d6b99e87faa3f7a23adef5031bd598b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fRadonskra.B; classtype:trojan-activity; sid:2023033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_09, performance_impact Low, updated_at 2016_08_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8445
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Lady CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"/pm.sh?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|curl/"; http_header; pcre:"/^\/pm\.sh\?\d+$/U"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:trojan-activity; sid:2023034; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2016_08_10, malware_family Linux_Lady, performance_impact Low, updated_at 2016_08_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8446
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Lady CnC Beacon 2"; flow:established,to_server; content:"GET"; http_method; content:"/v"; depth:2; http_uri; content:"/lady_"; distance:0; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|curl/"; http_header; pcre:"/^\/v\d+\/lady_[ix]/U"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:trojan-activity; sid:2023035; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2016_08_10, malware_family Linux_Lady, performance_impact Low, updated_at 2016_08_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8447
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Monsoon Tinytyphon CnC Beacon GET"; flow:established,to_server; content:"GET"; http_method; content:"/dw.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; pcre:"/\/dw\.php$/U"; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:trojan-activity; sid:2023049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_11, malware_family MONSOON, malware_family Tinytyphon, performance_impact Low, updated_at 2016_08_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8448
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Monsoon Tinytyphon CnC Beacon Exfiltrating Docs"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"name=|22|MD5|22|"; http_client_body; content:"name=|22|fname|22|"; distance:0; http_client_body; content:"name=|22|compname|22|"; distance:0; http_client_body; content:"name=|22|uploadedfile|22 3b|"; http_client_body; fast_pattern:only; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:trojan-activity; sid:2023050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_11, performance_impact Low, updated_at 2016_08_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8449
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aveo Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; depth:14; http_uri; fast_pattern; content:"&1="; distance:0; http_uri; content:"&2="; distance:0; http_uri; content:"&4="; distance:0; http_uri; content:"&5="; distance:0; http_uri; content:"&6="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:trojan-activity; sid:2023076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_18, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, updated_at 2016_08_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8453
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aveo C2 Response"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?id="; depth:14; http_uri; fast_pattern; content:"&1="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:trojan-activity; sid:2023077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_18, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, updated_at 2016_08_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8454
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aveo C2 Request"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; depth:14; http_uri; fast_pattern; content:"&1="; distance:0; http_uri; content:!"&2="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:trojan-activity; sid:2023078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_18, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, updated_at 2016_08_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8455
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Curso Banker.BR Checkin"; flow:established,to_server; content:".asp?m="; http_uri; fast_pattern:only; pcre:"/\.asp\?m=(?:INS|UAC)(?:&p=&a=)?&i=201\d{11}&/Ui"; content:"&v="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,bd389eb9cf03e55013eaf07970288f08; classtype:trojan-activity; sid:2023081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_19, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_08_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8456
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Curso Banker Downloading Modules"; flow:to_server,established; content:"GET"; http_method; content:"/system/MA-"; depth:11; http_uri; fast_pattern; content:".dll"; http_uri; pcre:"/\/(?:IUpdate|fbclient|IETask|Mixeds|Ubuntu10)\.dll$/U"; reference:md5,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,260a7aab3d29ed4bce9ac35002361a87; classtype:trojan-activity; sid:2023082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_19, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_08_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8457
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern:only; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Cache-Control|3a|"; http_header; content:!"Pragma|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:trojan-activity; sid:2023083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_22, performance_impact Low, updated_at 2016_08_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8458
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain (5n7y4yihirccftc5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5n7y4yihirccftc5"; fast_pattern; distance:0; nocase; reference:md5,d7cb55e90dee7777fe7b77b079d51513; classtype:trojan-activity; sid:2023084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_08_23, malware_family Ransomware, malware_family Locky, performance_impact Low, updated_at 2016_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8459
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN R980/CRYPBEE.A Ransomware Activity"; flow:established,to_server; content:"GET"; http_method; content:"/assets/timepicker/x.php?"; http_uri; content:"User-Agent|3a 20|cpp"; http_header; reference:md5,a38e156b5c7b337ffbde6cc1ddab1004; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/; classtype:trojan-activity; sid:2023085; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_08_24, malware_family Ransomware, performance_impact Low, updated_at 2016_08_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8460
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.DarkComet Keepalive Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\d+$/"; reference:md5,d4f949f268d00522cfbae5d18cbce933; classtype:trojan-activity; sid:2023091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_25, performance_impact Low, updated_at 2016_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8464
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Swrort.A Checkin 2"; flow:to_server,established; content:"POST"; http_method; nocase; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.1|3b| Windows NT|29 0d 0a|"; http_header; content:"RECV"; depth:4; fast_pattern; http_client_body; pcre:"/^\/[A-Za-z0-9-_]{30,}\/$/U"; reference:md5,61dacbf1fc20af3afdc432a0dd78eaf3; reference:md5,a3ef217825ce310c41e6edaee2db5eb9; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32/Swrort.A; classtype:trojan-activity; sid:2019841; rev:3; metadata:created_at 2014_12_02, updated_at 2014_12_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8508
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DMA Locker CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?action="; http_uri; fast_pattern; content:!".aspx"; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\?action=\d(&botId=[A-F0-9]{32})?$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:\r\n)?$/Hmi"; reference:md5,050f04ed78e96418179228272998d87d; classtype:trojan-activity; sid:2022873; rev:3; metadata:created_at 2016_06_07, updated_at 2016_06_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8509
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN plasmabot Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"crypt="; depth:6; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:url,blogs.mcafee.com/mcafee-labs/plasma-http-botnet-steals-stored-passwords-chrome-filezilla; reference:md5,ffbf380abaa7c56b45edd2784feecf36; classtype:trojan-activity; sid:2018393; rev:4; metadata:created_at 2014_04_16, updated_at 2014_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8544
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?id="; http_uri; fast_pattern; content:"&c="; distance:0; nocase; http_uri; content:"&mk="; distance:0; nocase; http_uri; content:!"Referer"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023203; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family Locky, malware_family Pony9, updated_at 2016_09_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8546
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Quant Loader Download Response"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"dll=http"; depth:8; nocase; fast_pattern; content:"|3b|exe=http"; distance:0; nocase; content:"|3b|dll=http"; distance:0; nocase; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023204; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_12, malware_family Locky, malware_family Pony9, updated_at 2016_09_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8547
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; isdataat:!1,relative; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:trojan-activity; sid:2023241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, malware_family Luminosity_Link, updated_at 2016_09_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8570
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; isdataat:!1,relative; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:trojan-activity; sid:2023242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_15, malware_family Luminosity_Link, updated_at 2016_09_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8571
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Windows route Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Route Table"; content:"Active Routes|3a|"; fast_pattern; content:"Network Destination"; content:"Netmask"; content:"Gateway"; content:"Interface"; content:"Metric";  reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019082; rev:2; metadata:created_at 2014_08_28, updated_at 2014_08_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8575
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"/images/"; http_uri; fast_pattern; content:".gif"; distance:100; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/images(?:\/[a-zA-Z0-9_]+)+\.gif$/U"; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/Hmi"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:trojan-activity; sid:2021813; rev:6; metadata:created_at 2015_09_22, updated_at 2015_09_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8576
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware Locky .onion Payment Domain (f5xraa2y2ybtrefz)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|f5xraa2y2ybtrefz"; fast_pattern; distance:0; nocase; reference:md5,5eeeeb093ee02d3769886880f8a58a90; classtype:trojan-activity; sid:2023247; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, signature_severity Major, created_at 2016_09_19, malware_family Ransomware, malware_family Locky, performance_impact Low, updated_at 2016_09_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8578
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Pony Variant FOX Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"os_version="; http_client_body; depth:11; fast_pattern; content:"os_version_full="; http_client_body; distance:0; content:"processorId="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; reference:md5,190c607ef81fa0c27fb1313df5f05266; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023292; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_10, malware_family Pony, performance_impact Low, updated_at 2016_09_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8599
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Pony Variant FOX Reporting Adfraud Activity"; flow:established,to_server; content:"POST"; http_method; content:".php/data"; http_uri; fast_pattern:only; pcre:"/\.php\/data$/U"; content:"http|3a 2f 2f|"; http_client_body; offset:20; depth:7; content:!"Referer|3a|"; http_header; reference:md5,cdfb7e5544c9aa49c17217fdfe04e854; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023293; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_08, malware_family Pony, performance_impact Low, updated_at 2016_09_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8600
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot URI Struct"; flow:established,to_server; content:"GET"; http_method; content:"/catalog/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"nap.edu|0d 0a|"; http_header; pcre:"/\/catalog\/\d{3,}$/U"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:3; metadata:created_at 2014_10_17, updated_at 2014_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8609
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/HadesLocker Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; content:"hwid="; http_client_body; depth:5; fast_pattern; content:"&tracking_id="; http_client_body; distance:0; content:"&usercomputername="; http_client_body; distance:0; content:"&ip="; http_client_body; distance:0; reference:md5,6970847bedab9ab83e69630d065ba67b; classtype:trojan-activity; sid:2023481; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_04, malware_family Ransomware, performance_impact Low, updated_at 2016_11_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8615
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Citadel Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/file.php"; fast_pattern:only; http_uri; content:"Content-Length|3a| 128|0d 0a|"; nocase; http_header; content:!"Referer"; http_header; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|"; http_header; depth:25; pcre:"/^\/[A-Za-z0-9]+?\/file\.php$/U"; flowbits:set,et.citadel; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:trojan-activity; sid:2018598; rev:3; metadata:created_at 2014_06_24, updated_at 2014_06_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8624
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Enigma Locker Checkin"; flow:to_server,established; urilen:8; content:"GET"; http_method; content:"/get.php"; http_uri; fast_pattern; content:"Connection|3a 20|close"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/Hi"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:trojan-activity; sid:2023334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Enigma, performance_impact Low, updated_at 2016_10_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8632
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Infostealer.Snifula File Upload"; flow:established,to_server; content:"POST"; http_method; content:".cgi"; http_uri; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern:6,20; http_client_body; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20|IE|0d 0a|Host"; http_header; reference:md5,be16b8d1b85843c89301f189b35c4963; classtype:trojan-activity; sid:2023337; rev:2; metadata:created_at 2016_10_14, updated_at 2016_10_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8634
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern:only; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_13, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_10_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8635
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL certificate detected (Powershell Trojan)"; flow:from_server,established; content:"|16|"; content:"|0b|"; distance:0; within:8; content:"|09 00 d6 e6 05 e6 06 e6 17 3f|"; fast_pattern:only; reference:url,pastebin.com/7wYupkJL; reference:md5,4c5c9014f2d18f11ca62848876551323; classtype:trojan-activity; sid:2023342; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_17, malware_family PowerShell, performance_impact Low, updated_at 2016_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8636
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; content:"/pict."; content:"?id="; http_uri; pcre:"/\/pict\.(?:jpg|php|xsp)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\x0d\x0a]+?ms-?office/Hmi"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2022008; rev:3; metadata:created_at 2015_10_28, updated_at 2016_10_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8637
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/CryPy Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/victim.php?info="; http_uri; fast_pattern; content:"&ip="; http_uri; distance:0; content:"User-Agent|3a 20|Python-urllib"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/victim\.php\?info=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&ip=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_09, malware_family Ransomware, performance_impact Low, updated_at 2016_10_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8638
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/CryPy Ransomware Encrypting File"; flow:established,to_server; content:"GET"; http_method; content:"/savekey.php?file="; http_uri; fast_pattern; content:"&id="; http_uri; distance:0; content:"User-Agent|3a 20|Python-urllib"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/savekey\.php\?file=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_18, malware_family Ransomware, malware_family CryPy, performance_impact Low, updated_at 2016_10_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8639
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52"; flow:to_server,established; dsize:>11; content:"|7f 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,61c03cdd39f0618d1643af15594da3e4; classtype:trojan-activity; sid:2020611; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_04, malware_family Gh0st, malware_family PCRAT, updated_at 2016_10_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8640
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; dsize:>11; content:"|00 00|"; offset:2; depth:2; content:!"|00 00|"; depth:2; content:"|9c 4b|"; offset:8; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -9; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,edc84c505d101301459dafab296fb743; classtype:trojan-activity; sid:2023349; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Gh0st, signature_severity Major, created_at 2016_10_19, malware_family Gh0st, malware_family PCRAT, performance_impact Low, updated_at 2016_10_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8643
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed AgentTesla Domain Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|agenttesla|03|com|00|"; nocase; distance:0; fast_pattern; reference:md5,32f3fa6b80904946621551399be32207; classtype:trojan-activity; sid:2023354; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_21, malware_family Keylogger, malware_family AgentTesla, malware_family Backdoor, performance_impact Low, updated_at 2016_10_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8645
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/CryptFile2 Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"|3d 30 78 30 36 2c 30 78 30 32 2c 30 78 30 30 2c 30 78 30 30|"; fast_pattern; http_client_body; content:"|2c 3c 62 72 3e 30 78|"; distance:0; http_client_body; content:"|2c 3c 62 72 3e 30 78|"; distance:0; http_client_body; content:"|2c 3c 62 72 3e 30 78|"; distance:0; http_client_body; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:trojan-activity; sid:2022683; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_03_29, malware_family Ransomware, malware_family CryptFile2, performance_impact Low, updated_at 2016_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8688
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/CryptFile2 Ransomware Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20 70 6f 73 74 5f 65 78 61 6d 70 6c 65|"; http_header; fast_pattern:only; content:"=0x"; http_client_body; content:"|2c|0x"; distance:2; within:5; http_client_body; content:"|3c 62 72 3e|"; distance:0; http_client_body; pcre:"/\.php$/U"; reference:md5,ad2c80611ebc7f6d45bd3e46de38b776; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:trojan-activity; sid:2023397; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_24, malware_family Ransomware, malware_family CryptFile2, performance_impact Low, updated_at 2016_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8689
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:trojan-activity; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_24, malware_family Bitter_implant, updated_at 2016_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8690
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bitter RAT HTTP CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?cId="; http_uri; fast_pattern; content:"&hos"; distance:0; http_uri; content:"Name="; distance:0; http_uri; content:"Info="; distance:0; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; threshold: type both, count 1, seconds 120, track by_src; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,2b07e054a1abb2941e5e70fba652a211; classtype:trojan-activity; sid:2023400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_24, malware_family Bitter_implant, updated_at 2016_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8691
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT28/Sednit SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|09|ngefqevwe"; distance:1; within:10; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:trojan-activity; sid:2023423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_10_25, malware_family APT28_Sednit, updated_at 2016_10_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8713
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:trojan-activity; sid:2023453; rev:5; metadata:created_at 2016_03_28, updated_at 2016_10_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8714
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Brazilian Banker Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?role="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&bits="; http_uri; content:"&av="; http_uri; content:"&host="; http_uri; content:"&plugins="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,580f82bbd46e8344231cf005; classtype:trojan-activity; sid:2023424; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2016_10_26, malware_family Banking_Trojan, performance_impact Low, updated_at 2016_10_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8715
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Jackpot Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?HWInfo="; http_uri; nocase; content:"}&Time="; http_uri; nocase; distance:0; content:"User-Agent|3a 20|My Session"; http_header; fast_pattern:2,20; content:"|2e 00 70 00 68 00 70 00 3f 00 48 00 57 00 49 00 6e 00 66 00 6f 00 3d|"; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,5624c920b1fd3da3a451d564bb7488d3; classtype:trojan-activity; sid:2023465; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_27, malware_family Ransomware, malware_family Jackpot, performance_impact Low, updated_at 2016_10_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8720
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; isdataat:!1,relative; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:trojan-activity; sid:2023429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_10_26, malware_family Houdini, malware_family Hworm, performance_impact Low, updated_at 2016_11_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8729
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Zberp/ZeusVM receiving config via image file (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|ff fe 3f 10 00 00|"; distance:0; byte_test:4,>,100,4,relative,little; byte_extract:4,4,config_len,relative,little; content:!"|00|"; within:config_len; pcre:"/^[^\x00]+(\xff\xd9)?$/R"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021382; rev:11; metadata:created_at 2015_07_06, updated_at 2016_11_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8730
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Zberp/ZeusVM receiving config via image file (steganography) 2"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe|"; distance:-10; within:2; byte_test:2,>,100,0,relative,little; byte_extract:2,0,config_len,relative,little; content:!"|00|"; distance:6; within:config_len; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021383; rev:3; metadata:created_at 2015_07_06, updated_at 2016_11_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8731
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Zberp/ZeusVM receiving config via image file (steganography) 3"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe ff ff|"; distance:-10; within:4; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021527; rev:5; metadata:created_at 2015_07_23, updated_at 2016_11_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8732
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.Dreambot File Upload (No Data Sent)"; flow:established,to_server; content:"POST"; http_method; content:"/images/"; http_uri; content:"_2"; http_uri; content:"User-Agent|3a 20|"; http_header; depth:12; content:"Content-Length|3a 20|2|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/\/images\/.*_2[FB].*\.(?:avi|gif|bmp|jpeg|png)$/Ui"; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022970; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_14, malware_family ursnif, malware_family Dreambot, malware_family ISFB, performance_impact Low, updated_at 2016_11_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8733
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_07, updated_at 2016_11_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8767
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CerberTear Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?hwid=[A-F0-9]{8}$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/Hmi"; reference:md5,7d181574893ec9cb2795166623f8e531; classtype:trojan-activity; sid:2023505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_11_14, malware_family Ransomware, malware_family CerberTear, performance_impact Low, updated_at 2016_11_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8770
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Alcatrez Locker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?user="; http_uri; fast_pattern; content:"&try="; http_uri; distance:0; content:"&status="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n\r\n$/Hmi"; reference:md5,1cb51c130e6f75f11c095b122e008bbc; classtype:trojan-activity; sid:2023506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_11_14, malware_family Ransomware, malware_family Alcatrez_Locker, performance_impact Low, updated_at 2016_11_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8771
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoLuck / YafunnLocker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; content:"&hi"; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1)|0d 0a|"; http_header; fast_pattern:20,20; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,59109839de42d2acb44fbd7ff151fe0c; classtype:trojan-activity; sid:2023533; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_11_14, malware_family Ransomware, malware_family YafunnLocker, performance_impact Low, updated_at 2016_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8772
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:trojan-activity; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_18, malware_family KeyBoy, performance_impact Low, updated_at 2016_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8779
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/CHIP Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"-----BEGIN CERTIFICATE-----"; depth:27; fast_pattern; http_client_body; content:"-----END CERTIFICATE-----"; distance:0; http_client_body; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; reference:md5,18189daa96e711777158d7cb599c13b1; reference:url,malware-traffic-analysis.net/2016/11/17/index.html; classtype:trojan-activity; sid:2023534; rev:3; metadata:created_at 2016_03_07, updated_at 2016_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8782
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET ![445,139] (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND)"; flow:to_server,established; content:"|18 18|"; offset:2; depth:2; content:!"|18 18|"; within:2; content:"|18 18|"; distance:2; within:2; content:!"|18 18|"; within:2; content:"|18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18|"; pcre:"/[^\x18][^\x44\x32\x33\x25\x64\x22\x23\x3a\x27\x24\x26\x34\x3b\x12][\x20\x21\x28-\x2f\x70-\x77\x79-\x7f\x60-\x63\x65\x66\x67-\x6f\x50-\x5f\x40-\x42\x46-\x4f\x30\x31\x35\x36\x38\x3e\x39\x3b]{1,14}\x18/R"; reference:md5,16549f8a09fd5724f2107a8f18dca10b; classtype:trojan-activity; sid:2019204; rev:10; metadata:created_at 2014_09_22, updated_at 2016_11_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8791
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:trojan-activity; sid:2023536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_21, performance_impact Low, updated_at 2016_11_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8792
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:trojan-activity; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_23, updated_at 2016_11_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8795
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/TrojanDownloader.Delf.BXC CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?cg="; http_uri; fast_pattern; content:"&b="; distance:0; http_uri; content:"&gt="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,d199b13d4676080073eaeb4e0ff39a75; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:trojan-activity; sid:2023546; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_23, updated_at 2016_11_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8796
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:trojan-activity; sid:2023550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_11_23, updated_at 2016_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8797
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"; flow:established,to_server; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9c/s"; reference:md5,b0c2a5a3cfef4e759979b7d0869b7612; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:trojan-activity; sid:2021753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_09_09, malware_family Gh0st, malware_family PCRAT, updated_at 2016_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8798
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Sharik/Smoke Loader Receiving Payload"; flow:established,from_server; content:"404"; http_stat_code; file_data; content:"|00|"; distance:1; within:1; content:"|00|MZ"; distance:1; within:3; content:"This program must be run under Win32"; distance:0; fast_pattern; reference:md5,65c7426b056482fcda962a7a14e86601; classtype:trojan-activity; sid:2023567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_30, malware_family Sharik, malware_family Smoke_Loader, performance_impact Low, updated_at 2016_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8805
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke Loader Adobe Connectivity check"; flow:established,to_server; urilen:18; content:"POST"; http_method; content:"/support/main.html"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,3a128a9e8668c0181d214c20898f4a00; classtype:trojan-activity; sid:2018676; rev:4; metadata:created_at 2014_07_14, updated_at 2016_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8806
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; content:"POST"; http_method; content:"/kb/"; http_uri; depth:4; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/^\/kb\/\d{4,8}$/U"; reference:md5,193494912a6f549c0da40bf22c3384ee; classtype:trojan-activity; sid:2018677; rev:3; metadata:created_at 2014_07_15, updated_at 2016_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8807
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 2"; flow:established,to_server; urilen:24; content:"POST"; http_method; content:"/go/flashplayer_support/"; http_uri; fast_pattern:4,20; content:"Host|3a 20|www.adobe.com"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022025; rev:3; metadata:created_at 2015_11_03, updated_at 2016_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8808
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke Loader Java Connectivity Check"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Host|3a 20|java.com"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022026; rev:3; metadata:created_at 2015_11_03, updated_at 2016_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8809
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke Loader Adobe Connectivity Check 3"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Host|3a 20|www.adobe.com"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022027; rev:3; metadata:created_at 2015_11_03, updated_at 2016_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8810
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check"; flow:established,to_server; content:"POST"; http_method; content:"/fwlink/?LinkId="; http_uri; fast_pattern:only; content:"Host|3a 20|go.microsoft.com"; http_header; content:!"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; http_user_agent; content:!"SOAPAction|3a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:md5,467b786f7c645c73d5c29347d35cae11; classtype:trojan-activity; sid:2022124; rev:6; metadata:created_at 2015_11_20, updated_at 2016_11_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8811
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DistTrack/Shamoon CnC Beacon M1"; flow:established,to_server; content:"GET"; http_method; content:".php?shinu="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?shinu=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:trojan-activity; sid:2023570; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_01, malware_family DistTrack, malware_family Shamoon, performance_impact Low, updated_at 2016_12_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8812
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DistTrack/Shamoon CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:"."; http_uri; content:"?"; distance:3; within:1; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (MSIE 7.1|3b| Windows NT 6.0)|0d 0a|"; http_header; fast_pattern:20,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.[a-z]{3}\?[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:trojan-activity; sid:2023571; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_01, malware_family DistTrack, malware_family Shamoon, performance_impact Low, updated_at 2016_12_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8813
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:trojan-activity; sid:2023590; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_01, performance_impact Low, updated_at 2016_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8815
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:trojan-activity; sid:2023591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2016_12_01, performance_impact Low, updated_at 2016_12_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8816
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.Qadars Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"AAAA"; offset:10; depth:4; fast_pattern; http_client_body; content:"="; offset:7; depth:1; http_client_body; content:!"Referer|3A|"; http_header; content:!"Connection|3A|"; http_header; content:!"Accept"; http_header; pcre:"/^[a-zA-Z]{7}=(?:[A-Za-z0-9+/]|%2[FB]){2}AAAA[a-z]A[^\s=]+=?=?$/P"; reference:md5,d611a633e8ceabdc9c2f5b0b9dd4f19e; reference:md5,a55b312d4e2006b5698e8f5ae8e5d735; reference:md5,3b4c2d3447bc49f057d76a92e7cae96b; reference:md5,08833cd7564f29f7f499a65a7be82d02; reference:url,www.lexsi-leblog.com/cert-en/qadars-new-banking-malware-with-fraudulent-mobile-application-component.html; classtype:trojan-activity; sid:2023588; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2013_10_09, malware_family Qadars, performance_impact Low, updated_at 2016_12_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8828
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AgentTesla PWS HTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"type="; http_client_body; depth:5; content:"&hwid="; http_client_body; content:"&time="; http_client_body; content:"&pcname="; http_client_body; content:"&logdata="; http_client_body; fast_pattern; content:"&screen="; http_client_body; content:"&ipadd="; http_client_body; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php$/U"; reference:md5,21d3c7d099aceff2a1f16d8ae0f38731; classtype:trojan-activity; sid:2023144; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_09_01, performance_impact Low, updated_at 2016_12_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8879
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Braincrypt Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?uuid="; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Go-http-client/"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?uuid=[a-z0-9]{32}$/Ui"; reference:md5,6b938ca31a55e743112ab34dc540a076; classtype:trojan-activity; sid:2023675; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_12_20, malware_family Ransomware, malware_family Braincrypt, performance_impact Low, updated_at 2016_12_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8882
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN SHUJIN .onion Payment Page"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eqlc75eumpb77ced"; fast_pattern; distance:0; nocase; reference:md5,d59a27b1e0a46cc185f1937ca42f300a; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/; classtype:trojan-activity; sid:2022798; rev:2; metadata:created_at 2016_05_06, updated_at 2016_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8883
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/HydraCrypt CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/upd.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; pcre:"/\/upd.php$/U"; pcre:"/^(?:Referer\x3a[^\r\n]+\r\n)?Host\x3a[^\r\n]+\r\n(?:\r\n)?$/H"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:trojan-activity; sid:2020503; rev:4; metadata:created_at 2015_02_23, updated_at 2016_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8884
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Towerweb Ransomware Landing Page"; flow:from_server,established;  content:"200"; http_stat_code; file_data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern:37,20; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:3; metadata:created_at 2016_06_20, updated_at 2016_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8885
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; content:!"|08|sophosxl|03|"; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8887
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Ransomware/Cerber Onion Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|p27dokhpz2n7nvgr"; nocase; distance:0; fast_pattern; reference:md5,c2f7595a1c394f1dac2e418815c54fd2; classtype:trojan-activity; sid:2023690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2016_12_29, malware_family Ransomware_Cerber, performance_impact Low, updated_at 2016_12_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8888
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Archie EK Payload Checkin GET"; flow:established,to_server; content:"GET"; http_method; content:"/log?log="; depth:9; http_uri; content:!"Referer|3a|"; http_header; content:!"gigwise.com|0d 0a|"; http_header; content:!"Host|3a| cleanerapp.net"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:trojan-activity; sid:2019680; rev:5; metadata:created_at 2014_11_07, updated_at 2016_12_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8890
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MRCR1 Ransomware Checkin M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"form-data|3b 20|name=|22|uid|22|"; http_client_body; content:"form-data|3b 20|name=|22|uname|22|"; http_client_body; content:"form-data|3b 20|name=|22|cname|22|"; http_client_body; content:"form-data|3b 20|name=|22|ltime|22|"; http_client_body; content:"form-data|3b 20|name=|22|uright|22|"; http_client_body; content:"form-data|3b 20|name=|22|sysinfo|22|"; http_client_body; fast_pattern:5,20; pcre:"/\.php$/U"; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:trojan-activity; sid:2023691; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_03, malware_family Ransomware, updated_at 2017_01_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8893
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MRCR1 Ransomware Checkin M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|43 50 55 20 4d 6f 64 65 6c 3a|"; http_client_body; fast_pattern; content:"|43 50 55 20 43 6f 75 6e 74 3a|"; http_client_body; content:"|47 65 74 52 41 4d 3a|"; http_client_body; content:"|5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d|"; http_client_body; content:"|5b 50 72 6f 67 72 61 6d 6d 73 5d|"; http_client_body; pcre:"/\.php$/U"; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:trojan-activity; sid:2023692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_03, malware_family Ransomware, updated_at 2017_01_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8894
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blackmoon/Banbra Configuration Request M2"; flow:to_server,established; content:"GET"; http_method; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; fast_pattern:15,20; http_uri; content:"keep-alive|0d 0a|User-Agent"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,56b8f9428b2171f45dc447fb9fa1b03f; classtype:trojan-activity; sid:2023694; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_04, malware_family Banking_Trojan, performance_impact Low, updated_at 2017_01_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8895
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Maldoc Second Stage VBS Downloader with URL Padding"; flow:established,to_server; content:".exe???????????????"; http_uri; nocase; fast_pattern:only; pcre:"/\.exe\?+$/Ui"; content:"WinHttp.WinHttpRequest."; http_header; reference:md5,57ce6f966c6b441fe82a211647c6e863; classtype:trojan-activity; sid:2023739; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2017_01_12, malware_family Maldoc, performance_impact Low, updated_at 2017_01_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8924
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_18, malware_family Ransomware, performance_impact Low, updated_at 2017_01_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8930
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.Dunihi Checkin 1"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/is-ready"; http_uri; fast_pattern:only; nocase; reference:md5,d2e799904582f03281060689f5447585; classtype:trojan-activity; sid:2017516; rev:4; metadata:created_at 2013_08_27, updated_at 2017_01_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8931
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN OSX Backdoor Quimitchin DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|eidk|05|hopto|03|org"; nocase; distance:0; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/; reference:md5,e4744b9f927dc8048a19dca15590660c; classtype:trojan-activity; sid:2023763; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_24, malware_family Quimitchin, performance_impact Low, updated_at 2017_01_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8934
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Trojan Checkin Jan 24 2017"; flow:established,to_server; content:"User-Agent|3a 20|v7v7v7v7v7v7v7v7v7v7v7v7"; http_header; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:trojan-activity; sid:2023764; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_25, updated_at 2017_01_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8935
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:trojan-activity; sid:2023769; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_27, performance_impact Low, updated_at 2017_01_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8939
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downeks Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:!"."; http_uri; content:!"?"; http_uri; content:!"="; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|text/plain|3b|charset=UTF-8|0d 0a|Host|3a 20|"; depth:46; http_header; fast_pattern:26,20; content:"Expect|3a 20|100-continue|0d 0a|"; distance:0; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/P"; reference:md5,31cf042e91de7492c86e1ad02dc9eaec; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023811; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustSky_related_Implant, updated_at 2017_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8974
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustSky_related_Implant, updated_at 2017_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8975
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family DustSky_related_Implant, updated_at 2017_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8976
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Shafttt MySQL Bruteforce Bot CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"get="; fast_pattern; depth:4; http_client_body; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; pcre:"/^get=\d+(?:$|&)/P"; pcre:"/\.php$/U"; reference:md5,cb4ab17468984f1b292adac9f745cb2b; classtype:trojan-activity; sid:2023815; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family Shafttt, performance_impact Low, updated_at 2017_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8977
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WSF/JS Downloader Jan 30 2017 M1"; flow:to_server,established; urilen:>65; content:"/counter/?"; fast_pattern; http_uri; depth:10; content:"a="; http_uri; content:"i="; http_uri; content:"MSIE 7.0"; http_user_agent; pcre:"/[&?]i=[A-Za-z0-9_-]{50,}(?:&|$)/U"; pcre:"/[&?]a=(?:[a-zA-Z0-9_-]{25,}|(?:0\.)?\d+)(?:&|$)/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,852cbd70766feb96923a79b210e94646; classtype:trojan-activity; sid:2023816; rev:2; metadata:created_at 2017_01_31, updated_at 2017_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8978
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; content:"GET"; http_method; content:"/assets/"; http_uri; fast_pattern; content:"."; distance:100; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/assets(?:\/[a-zA-Z0-9_]+)+\.(?:jpeg|gif)$/U"; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/Hmi"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023870; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_06, malware_family ursnif, updated_at 2017_02_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8980
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant Retrieving Payload (x32)"; flow:established,to_server; content:"GET"; http_method; content:"X32.jpg"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/X32\.jpg$/U"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_06, malware_family ursnif, updated_at 2017_02_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8981
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ursnif Variant Retrieving Payload (x64)"; flow:established,to_server; content:"GET"; http_method; content:"X64.jpg"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/X64\.jpg$/U"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023872; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_06, malware_family ursnif, updated_at 2017_02_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8982
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|03|biz|00|"; nocase; distance:0; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_02_09, malware_family Spora, performance_impact Low, updated_at 2017_02_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8989
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BePush/Kilim CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?type="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:!"Mozilla|2f|"; http_header; content:!"threatseeker.com|0d 0a|"; pcre:"/\.php\?type=(?:update_hash|js|key|arsiv_(?:hash|link))$/U"; reference:md5,dad57ec2d5d99b725acc726b0a644c00; reference:url,seclists.org/fulldisclosure/2015/Jan/131; classtype:trojan-activity; sid:2021030; rev:4; metadata:created_at 2015_04_29, updated_at 2017_02_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 8995
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CryptoShield Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Accept"; http_header; content:"id="; http_client_body; depth:3; content:"&numbers=-----"; http_client_body; content:"BEGIN|20|PRIVATE|20|KEY"; http_client_body; fast_pattern; reference:md5,ef815146b802cfd6a5fb67d1f9267745; classtype:trojan-activity; sid:2023814; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_31, malware_family Ransomware, performance_impact Low, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9003
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:md5,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9013
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:md5,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9014
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Miniduke Variant CnC Beacon via WebDAV"; flow:established,to_server; content:"/catalog/outgoing"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Microsoft-WebDAV-MiniRedir/"; http_header; reference:md5,f3459924f8b657359cb0bd0984a1d0fa; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family APT29_MiniDuke, performance_impact Low, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9016
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN APT29 Cache_DLL SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|private.directinvesting.com"; distance:1; within:28; reference:md5,8f154d23ac2071d7f179959aaba37ad5; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:trojan-activity; sid:2023931; rev:2; metadata:created_at 2017_02_16, malware_family APT29_Cache_DLL, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9017
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; classtype:trojan-activity; sid:2023940; rev:2; metadata:cve url_researchcenter_paloaltonetworks_com_2017_02_unit42_magic_hound_campaign_attacks_saudi_targets_, created_at 2015_10_14, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9019
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MAGICHOUND.FETCH Retrieving Malicious PowerShell"; flow:established,to_server; urilen:8; content:"GET"; http_method; content:"/pro.bat"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:md5,97454efcab28e64ac5400e63780af764; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/; classtype:trojan-activity; sid:2023948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_FETCH, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9021
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MAGICHOUND.RETRIEVER CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".asmx"; http_uri; content:"<ip>"; http_client_body; content:"</ip><mac>"; distance:0; http_client_body; content:"</mac><host>"; distance:0; http_client_body; fast_pattern; content:"</host>"; distance:0; http_client_body; reference:md5,012f79570f720b997b9ef4ef327dd2da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023950; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_related, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9023
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_LEASH, performance_impact Low, updated_at 2017_02_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9035
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Matrix Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?apikey="; http_uri; content:"&compuser="; http_uri; distance:0; content:"&sid="; http_uri; distance:0; content:"&phase="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Synapse)|0d 0a|"; http_header; fast_pattern:24,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,ad8a7a383971ce0f5fc51e909e406996; classtype:trojan-activity; sid:2024120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_24, malware_family Ransomware, malware_family Matrix, performance_impact Low, updated_at 2017_03_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9069
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pteranodon Backdoor Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?comp="; nocase; depth:16; fast_pattern; http_uri; content:"&id="; nocase; distance:0; http_uri; content:"_{"; distance:0; http_uri; metadata: former_category TROJAN; reference:md5,58aee970b06e67c9047836710f28e205; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024022; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9070
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pteranodon Backdoor CnC POST"; flow:to_server,established; content:"POST"; http_method; content:"|42 30 75 4e 64 34 52 79 5f 24 0d 0a|"; http_header; fast_pattern; content:"form-data|3b 20|name=|22|uuid|22|"; http_client_body; metadata: former_category TROJAN; reference:md5,58aee970b06e67c9047836710f28e205; reference:md5,8d6d246c5c660691c59405ee2914a020; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024023; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9071
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pteranodon Variant 1 Backdoor Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"comp="; nocase; depth:5; http_client_body; fast_pattern; content:"&id="; distance:0; nocase; http_client_body; content:"_{"; distance:0; nocase; http_client_body; content:"}_"; distance:0; nocase; http_client_body; content:"&sysinfo="; distance:0; nocase; http_client_body; metadata: former_category TROJAN; reference:md5,c56c677b52e795710e77aa2d4f12b70a; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024024; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9072
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pteranodon Variant 2 Backdoor Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"fid="; depth:4; nocase; http_client_body; content:"&versiya="; nocase; distance:0; http_client_body; fast_pattern; content:"&comp="; nocase; distance:0; http_client_body; content:"&id="; nocase; distance:0; http_client_body; content:"&sysinfo="; nocase; distance:0; http_client_body; metadata: former_category TROJAN; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9073
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pteranodon Variant 3 Backdoor Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?fid="; depth:15; http_uri; content:"&versiya="; nocase; distance:0; http_uri; fast_pattern; content:"&comp="; nocase; distance:0; http_uri; content:"&id="; nocase; distance:0; http_uri; content:"&sysinfo="; nocase; distance:0; http_uri; metadata: former_category TROJAN; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9074
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gamaredon File Stealer POST"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"form-data|3b 20|name=|22|filename|22|"; nocase; http_client_body; content:"form-data|3b 20|name=|22|compname|22|"; distance:0; nocase; http_client_body; content:"form-data|3b 20|name=|22|serial|22|"; distance:0; nocase; http_client_body; fast_pattern:4,20; content:"form-data|3b 20|name=|22|w|22|"; distance:0; nocase; http_client_body; content:"form-data|3b 20|name=|22|filesize|22|"; distance:0; nocase; http_client_body; content:"form-data|3b 20|name=|22|file|22|"; distance:0; nocase; http_client_body; metadata: former_category TROJAN; reference:md5,1a81516780c2c5a966261cc47478133c; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_02_28, malware_family Gamaredon, updated_at 2017_02_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9075
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN TorrentLocker .onion Proxy Domain (zbqxpjfvltb6d62m)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zbqxpjfvltb6d62m"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021252; rev:2; metadata:created_at 2015_06_11, updated_at 2017_03_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9077
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Infostealer.Bancos ProxyChanger Checkin"; flow:established,to_server; content:"GET"; http_method; content:"//admin/imagens/icones/new/get.php"; fast_pattern:only; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; metadata: former_category TROJAN; reference:md5,d34912a19473fe41abdd4764e7bec5f9; classtype:trojan-activity; sid:2024028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2017_02_28, malware_family Bancos, performance_impact Low, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9078
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NetBackdoor User-Agent (.net backdor)"; flow:to_server,established; content:"User-Agent|3a 20 2e|net backdor"; http_header; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022245; rev:2; metadata:created_at 2015_12_11, updated_at 2015_12_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9082
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Poweliks Clickfraud CnC M1"; flow:to_server,established; content:"GET"; http_method; content:"/query?version="; http_uri; fast_pattern; content:"&sid="; http_uri; distance:0; content:"&builddate="; http_uri; distance:0; content:"&q="; http_uri; distance:0; metadata: former_category TROJAN; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021226; rev:2; metadata:created_at 2015_06_10, updated_at 2017_03_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9083
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/KeyLogger.ACQH!tr Checkin"; flow:to_server,established; content:".php?cn"; http_uri; content:"&str="; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"WinInetGet/"; depth:11; http_user_agent; pcre:"/\.php\?cn(ame)?=/U"; reference:md5,eddce1a6c0cc0eb7b739cb758c516975; reference:md5,c0d9352ad82598362a426cd38a7ecf0e; reference:url,www.fortiguard.com/av/VID4225990; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016912; rev:5; metadata:created_at 2012_12_12, updated_at 2012_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9084
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/UltimateDefender.FakeAV Checkin"; flow:established,to_server; content:"/show_module.php?IsAutoGeneratedPage="; http_uri; content:"&asked_billing_id="; http_uri; content:"&original_asked_billing_id="; http_uri; content:"&brokerid="; http_uri; content:"&country="; http_uri; content:"&customid="; http_uri; content:"&product="; http_uri; content:"&custom_param="; http_uri; content:"&extparam="; http_uri; content:"&nums="; http_uri; reference:md5,cec40236236466a1acb33aca3220eebe; classtype:trojan-activity; sid:2014566; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9088
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; content:"User-Agent|3a| build"; http_header; pcre:"/User-Agent\x3a build\d/H"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_01_12, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9089
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Pony Payload DL"; flow:established,to_server; content:"/inst.exe"; http_uri; fast_pattern:only; pcre:"/\/inst\.exe$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept-"; http_header; content:"User-Agent|3a|"; http_header; content:"Accept|3a|"; http_header; content:!"360safe.com|0d 0a|"; http_header; content:!"qhcdn.com|0d 0a|"; http_header; metadata: former_category TROJAN; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2023740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_13, malware_family Pony, updated_at 2017_03_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9093
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS Downloader Retrieving Payload"; flow:established,to_server; content:"GET"; http_method; content:".php?file="; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?file=(?:64|86)$/U"; metadata: former_category TROJAN; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag POS, signature_severity Major, created_at 2017_03_16, malware_family MagikPOS, performance_impact Low, updated_at 2017_03_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9094
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS Downloader Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"data=domain%253a"; depth:16; http_client_body; fast_pattern; metadata: former_category TROJAN; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2017_03_16, malware_family MagikPOS, performance_impact Low, updated_at 2017_03_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9095
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MagikPOS CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api/?act=in"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/api\/\?act=in$/U"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; metadata: former_category TROJAN; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024067; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag POS, signature_severity Major, created_at 2017_03_16, malware_family MagikPOS, performance_impact Low, updated_at 2017_03_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9096
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/CryptFile2 / Revenge Ransomware Checkin M3"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"id="; http_client_body; depth:3; content:"&count="; http_client_body; distance:0; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; pcre:"/^id=[0-9A-Z]+&count=/P"; metadata: former_category TROJAN; reference:md5,116fbce554b25829b17b6e47990821b4; classtype:trojan-activity; sid:2024056; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_15, malware_family CryptFile2, performance_impact Moderate, updated_at 2017_03_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9120
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.ACUT CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)|0d 0a|"; http_header; fast_pattern:12,20; content:"plugin="; http_client_body; depth:7; content:"&windows="; http_client_body; content:"&user="; http_client_body; content:"&av="; http_client_body; content:"&bs="; http_client_body; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,219cf8b022d3933ba46f482478450f49; classtype:trojan-activity; sid:2024099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_22, malware_family Banload, performance_impact Moderate, updated_at 2017_03_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9124
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84"; flow:to_server,established; dsize:>11; content:"|4a d5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xd5/s"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,096fd620508d929b3422c6dca836e718; classtype:trojan-activity; sid:2020785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9125
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78"; flow:to_server,established; dsize:>11; content:"|3b d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,844ddc8d762f94e8cf04bbc6eb483121; classtype:trojan-activity; sid:2020779; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9126
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82"; flow:to_server,established; dsize:>11; content:"|40 d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x40\xd8/s"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2978e52da3503e33c65cd286a322bd2; classtype:trojan-activity; sid:2020783; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9127
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:trojan-activity; sid:2020791; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9128
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80"; flow:to_server,established; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,132c66e47afb0c1b969140713b09d625; classtype:trojan-activity; sid:2020781; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9129
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neutrino ping"; flow:to_server,established; content:"POST"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"ping=1|0a|"; depth:7; http_client_body; fast_pattern; content:"Content-Length|3a 20|7|0d 0a|"; nocase; http_header; threshold: type both, count 1, seconds 60, track by_src; metadata: former_category TROJAN; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2019211; rev:4; metadata:created_at 2014_09_22, updated_at 2017_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9132
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neutrino Cookie"; flow:to_server,established; content:"=21232f297a57a5a743894a0e4a801fc3"; http_cookie; metadata: former_category TROJAN; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020093; rev:4; metadata:created_at 2015_01_05, updated_at 2017_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9133
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neutrino Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"cmd="; http_client_body; content:"version="; http_client_body; content:"quality="; http_client_body; fast_pattern:only; content:"av="; http_client_body; metadata: former_category TROJAN; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2018580; rev:5; metadata:created_at 2014_06_18, updated_at 2017_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9134
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neutrino CC dump"; flow:to_server,established; content:"POST"; http_method; content:"dumpgrab="; http_client_body; fast_pattern:only; content:"track_type="; http_client_body; content:"track_data="; http_client_body; content:"process_name="; http_client_body; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020094; rev:3; metadata:created_at 2015_01_05, updated_at 2017_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9135
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neutrino Checkin 2"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"auth=1"; http_client_body; depth:6; pcre:"/^$/RP"; metadata: former_category TROJAN; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2022462; rev:3; metadata:created_at 2016_01_27, updated_at 2017_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9137
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neutrino Checkin 3"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"exec=1&task_id="; http_client_body; depth:15; fast_pattern; metadata: former_category TROJAN; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2022463; rev:3; metadata:created_at 2016_01_27, updated_at 2017_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9138
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blue Bot DDoS Proxy Request"; flow:to_server,established; content:"GET"; http_method; content:"/proxy"; http_uri; fast_pattern; content:"Host|3a 20|"; http_header; content:"|0d 0a|Connection|3a 20|"; http_header; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:!"Cache-Control|3a 20|"; http_header; pcre:"/\/proxy$/U"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:3; metadata:created_at 2015_05_21, updated_at 2015_05_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9139
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Felismus CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:".php?V="; http_uri; fast_pattern; content:"&U="; distance:0; http_uri; content:!"Accept-"; http_header; content:"Windows NT"; http_header; content:"Referer|3a|"; http_header; content:".php|0d 0a|"; distance:0; http_header; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:trojan-activity; sid:2024176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Felismus, signature_severity Major, created_at 2017_04_04, malware_family Felismus, performance_impact Low, updated_at 2017_04_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9174
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Felismus CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/products.php?"; http_uri; fast_pattern:only; content:!"Content-Type|3a|"; http_header; content:"Referer|3a|"; http_header; content:"/products.php|0d 0a|"; distance:0; http_header; pcre:"/\.php\?[a-z]{15,}$/U"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; threshold:type limit, track by_src, count 1, seconds 600; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:trojan-activity; sid:2024177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Felismus, signature_severity Major, created_at 2017_04_04, malware_family Felismus, performance_impact Low, updated_at 2017_04_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9175
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Matrix Ransomware Sending Encrypted Filelist"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|Synapse)|0d 0a|"; http_header; fast_pattern:12,20; content:"name=|22|uploadfile|22 3b 20|filename=|22|C|3a 5c|"; http_client_body; content:"|0d 0a|[ALL]|0d 0a|"; http_client_body; distance:0; content:"|0d 0a|[ALL_END]|0d 0a 0d 0a|[PRIORITY]|0d 0a|"; http_client_body; distance:0; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,e5293a4da4b67be6ff2893f88c8ef757; classtype:trojan-activity; sid:2024178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_04, malware_family Ransomware, malware_family Matrix, performance_impact Moderate, updated_at 2017_04_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9176
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neutrino Checkin 6"; flow:to_server,established; content:"POST"; http_method; content:"authkeys="; http_cookie; content:!"Referer|3a|"; http_header; content:"auth=1"; http_client_body; depth:6; metadata: former_category TROJAN; reference:md5,656766ad934aa482cbe78f1bca6dadc2; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2024179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_04, malware_family Neutrino, performance_impact Moderate, updated_at 2017_04_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9177
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|x5sbb5gesp6kzwsh"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,ransomwaretracker.abuse.ch; reference:md5,f09e72e3c1c36192b22e15b59a13ee1c; reference:url,blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html; classtype:trojan-activity; sid:2023998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_02_17, malware_family Torrentlocker, performance_impact Low, updated_at 2017_04_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9178
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/NR42 Bot Parsing Config From Webpage"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<sendusername>"; fast_pattern; content:"</sendusername>"; distance:0; within:30; content:"<guser>"; distance:0; content:"</guser>"; distance:0; content:"<files>"; distance:0; content:"</files>"; distance:0; content:"<cmdua>"; distance:0; content:"</cmdua>"; distance:0; content:"<cmdkmt>"; distance:0; threshold:type both, track by_src, count 60, seconds 60; metadata: former_category TROJAN; reference:md5,32730022593ebd2c93126d34bc60b654; classtype:trojan-activity; sid:2024182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_06, performance_impact Moderate, updated_at 2017_04_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9181
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Mole Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"guid="; http_client_body; depth:5; fast_pattern; content:"&ver="; http_client_body; distance:0; pcre:"/^guid=[^&]+?&ver=[^&]+?(?:&fc=[^\r\n]+)?$/Pi"; metadata: former_category TROJAN; reference:url,isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/; reference:md5,31c2e85ef5e4c0009e1f18794527b4ca; classtype:trojan-activity; sid:2024203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_12, malware_family Ransomware, malware_family Mole, performance_impact Moderate, updated_at 2017_04_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9190
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Hidden-Tear Variant Ransomware CnC Checkin"; flow:established,to_server; content:".php?rid=ClsgIFVzZXItSUQgIF0gID"; http_uri; fast_pattern; content:"Ransom|3a 20|Client|0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?rid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; metadata: former_category TROJAN; reference:md5,b991a99335b01bed8da4401fee1f2d45; classtype:trojan-activity; sid:2024204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_12, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Moderate, updated_at 2017_04_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9191
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Nuke Ransomware Checkin"; flow:to_server,established;content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"Expect|3a 20|100-continue"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"machine="; depth:8; fast_pattern; http_client_body; pcre:"/\.php$/Ui"; pcre:"/^machine=[^&]+$/Pi"; metadata: former_category TROJAN; reference:url,www.spyware-techie.com/nuke-ransomware-removal-guide; reference:md5,ff0e42146794f0d080df0467337b2d01; classtype:trojan-activity; sid:2023335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_10_12, malware_family Ransomware, malware_family Nuke, performance_impact Low, updated_at 2017_04_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9192
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9193
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9194
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9195
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9196
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9197
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9198
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9199
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9200
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9201
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9202
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9203
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9204
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9205
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9206
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9207
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET TROJAN Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:trojan-activity; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Cerber, signature_severity Major, created_at 2016_12_12, malware_family Ransomware_Cerber, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9208
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Cradle Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pn6fsogszhqlxz4n"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,53f6f9a0d0867c10841b815a1eea1468; classtype:trojan-activity; sid:2024205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_14, malware_family Ransomware, malware_family Cradle, performance_impact Low, updated_at 2017_04_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9209
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Runsome Ransomware CnC Checkin"; flow:established,to_server; content:".php?name="; http_uri; content:"&key=ENC"; http_uri; distance:0; fast_pattern; content:"|20|HTTP/1.1|0d 0a|Host|3a|"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?name=[^\r\n]+?&key=ENC[^\r\n]+$/U"; metadata: former_category TROJAN; reference:md5,70c27926e54732a579b0004ede566fc6; reference:url,github.com/ShaneNolan/Runsome; classtype:trojan-activity; sid:2024223; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_19, malware_family Ransomware, malware_family Runsome, performance_impact Moderate, updated_at 2017_04_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9212
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; metadata: former_category TROJAN; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_25, malware_family pyteHole, performance_impact Low, updated_at 2017_04_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9221
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Betabot Checkin 5"; flow:established,to_server; content:"/order.php"; http_uri; fast_pattern:only; pcre:"/\.php$/U";content:!"Referer|3a 20|"; http_header;pcre:"/(?:^|=)[A-F0-9]{70,}(?:$|&)/P"; metadata: former_category TROJAN; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:trojan-activity; sid:2023765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_25, updated_at 2017_05_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9228
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Saker UA"; flow:established,to_server; content:"Mozilla/"; depth:8; http_user_agent; content:" MSIE "; distance:0; http_user_agent; content:"|3b| Wis NT "; distance:0; http_user_agent; fast_pattern; content:"|3b| .NET CLR "; distance:0; http_user_agent;  metadata: former_category TROJAN; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,b362f833c9d6e5bed19aeec5a5b868ea; classtype:trojan-activity; sid:2018321; rev:6; metadata:created_at 2014_03_26, updated_at 2017_05_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9229
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN Unknown Possibly Ransomware (Dropped by RIG) CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Accept|3a 20|*|0d 0a|"; http_header; fast_pattern:only; content:"|0a|"; offset:64; depth:1; http_client_body; pcre:"/^[A-Za-z0-9+/]{64}\x0a/P"; metadata: former_category TROJAN; reference:md5,26b21902548e3b821387c90d729bace6; classtype:trojan-activity; sid:2024233; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_21, performance_impact Moderate, updated_at 2017_04_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9230
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern:only; metadata: former_category TROJAN; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:trojan-activity; sid:2024270; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag RUAPT, signature_severity Major, created_at 2017_05_04, malware_family Turla, malware_family Kazuar, performance_impact Low, updated_at 2017_09_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9231
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> any any (msg:"ET TROJAN SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; metadata: former_category TROJAN; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:trojan-activity; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2017_05_04, performance_impact Low, updated_at 2017_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9233
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443] (msg:"ET TROJAN W32.Geodo/Emotet Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| SLCC1|3b| .NET CLR 1.1.4322)|0d 0a|Host"; http_header; content:"HTTP/1.1|0d 0a|Cookie|3a 20|"; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/[a-z0-9]{3,4}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/Ci"; flowbits:set,ETPRO.Emotet; metadata: former_category TROJAN; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:trojan-activity; sid:2024272; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_01, malware_family Geodo, malware_family Emotet, performance_impact Low, updated_at 2017_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9234
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET TROJAN W32/Emotet CnC Beacon 1"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"/"; http_uri; depth:1; content:"Cookie|3A 20|"; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| SLCC1|3B| .NET CLR 1.1.4322)|0D 0A|Host|3A|"; http_header; content:!"Referer|3A|"; http_header; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/Ci"; metadata: former_category TROJAN; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:trojan-activity; sid:2024274; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_04, performance_impact Moderate, updated_at 2017_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9235
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET TROJAN W32/Emotet CnC Beacon 2"; flow:established,to_server; urilen:1; content:"GET"; http_method; content:"/"; http_uri; depth:1; content:"Cookie|3A 20|"; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32|3B| Trident/4.0)|0D 0A|Host|3A|";  http_header; content:!"Referer|3A|"; http_header; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})/Ci"; metadata: former_category TROJAN; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:trojan-activity; sid:2024275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_04, performance_impact Moderate, updated_at 2017_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9236
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/OzazaLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?key="; http_uri; fast_pattern; content:"&value="; http_uri; distance:0; content:"|20|HTTP/1.1|0d 0a|Host|3a|"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,e8c6d686249fc3c6df3dc88ea2cddf02; classtype:trojan-activity; sid:2024276; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_04, malware_family OzazaLocker, performance_impact Moderate, updated_at 2017_05_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9237
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/NewHT Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?computerName="; http_uri; fast_pattern; content:"&userName="; http_uri; distance:0; content:"&key="; http_uri; distance:0; content:"&id="; http_uri; distance:0; content:"&time="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,2e0ebb7a21d16ab6fa908f74bee260d6; classtype:trojan-activity; sid:2024280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_05, malware_family Ransomware, malware_family NewHT, performance_impact Moderate, updated_at 2017_05_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9238
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jaff Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20|fkksjobnn43.org|0d 0a 0d 0a|"; fast_pattern:only; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,942c6a039724ed5326c3c247bfce3461; classtype:trojan-activity; sid:2024288; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_05_11, malware_family Jaff_Ransomware, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9242
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Jaff Domain (fkksjobnn43 . org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|fkksjobnn43|03|org|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024289; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_05_11, malware_family Jaff_Ransomware, performance_impact Low, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9243
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jaff Ransomware Checkin M1"; flow:to_server,established; urilen:4; content:"GET"; http_method; content:"/a5/"; fast_pattern; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Connection|3a 20|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cache-Control|3a|"; http_header; content:"GET /a5/ HTTP/1."; depth:16; content:"|0d 0a|Host|3a 20|"; distance:1; within:8; pcre:"/^[a-z0-9\-\.]+?\x0d\x0a\x0d\x0a$/R"; metadata: former_category TROJAN; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_05_11, malware_family Jaff_Ransomware, performance_impact Low, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9244
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:2; metadata:created_at 2014_08_01, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9250
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> any 53 (msg:"ET TROJAN Tor based locker .onion Proxy DNS lookup July 31 2014"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iet7v4dciocgxhdv"; nocase; metadata: former_category TROJAN; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018874; rev:2; metadata:created_at 2014_08_01, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9251
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; content:"knowledgewiki.info"; fast_pattern:only; nocase; metadata: former_category TROJAN; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:2; metadata:created_at 2014_08_01, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9252
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; content:"zxjfcvfvhqfqsrpz."; fast_pattern:only; metadata: former_category TROJAN; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:2; metadata:created_at 2014_08_04, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9253
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Zbot .onion Proxy DNS lookup July 31 2014"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zxjfcvfvhqfqsrpz"; fast_pattern; nocase; distance:0; metadata: former_category TROJAN; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018893; rev:2; metadata:created_at 2014_08_04, updated_at 2017_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9254
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; metadata: former_category TROJAN; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_16, malware_family May, performance_impact Low, updated_at 2017_05_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9256
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/EasyLocker Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|noobcrypt"; fast_pattern; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(?:countdown|check)\/[a-f0-9]{30,45}\/(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})?$/Ui"; metadata: former_category TROJAN; reference:md5,980342a5a783d7f6ce188c575d9ca97a; classtype:trojan-activity; sid:2024320; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_18, malware_family Ransomware, malware_family EasyLocker, performance_impact Moderate, updated_at 2017_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9260
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/ASPC Bot CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php?key="; http_uri; fast_pattern; content:"&string="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"Referer|3a|"; http_header; content:"key="; http_client_body; depth:4; content:"&string="; http_client_body; distance:0; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:\x3a\x3a[^\x3a]+?){5,}$/Ui"; metadata: former_category TROJAN; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:trojan-activity; sid:2024321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_18, malware_family ASPC_Bot, performance_impact Moderate, updated_at 2017_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9261
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|spora|02|li|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_22, performance_impact Moderate, updated_at 2017_05_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9272
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc Retrieving Payload May 23 2017 2"; flow:established,to_server; content:"GET"; http_method; content:!"|2e|"; http_uri; content:"Mozilla/5.2 (Windows NT 6.2|3b| rv|3a|50.2) Gecko/20200103 Firefox/50.2"; http_user_agent; fast_pattern; content:!"Referer|3A|"; http_header; metadata: former_category TROJAN; reference:md5,502cb33a03c29a96a4c32ec26dce5395; classtype:trojan-activity; sid:2024325; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_23, malware_family Dridex, performance_impact Moderate, updated_at 2017_05_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9273
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Jaff Domain (orhangazitur . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|orhangazitur|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9280
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jaff Ransomware Checkin"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20|comboratiogferrdto.com|0d 0a|"; fast_pattern:only; metadata: former_category TROJAN; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9281
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query to Jaff Domain (comboratiogferrdto . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|comboratiogferrdto|03|com|00|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9282
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fireball Activity"; flow:established,to_server; content:"GET"; http_method; content:"?clients="; http_uri; content:"&reqs=visit."; http_uri; distance:0; content:"User-Agent|3a 20|RookIE/"; http_header; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection; reference:md5,69ffdf99149d19be7dc1c52f33aaa651; classtype:trojan-activity; sid:2024348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_02, malware_family Fireball, performance_impact Moderate, updated_at 2017_06_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9283
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET TROJAN Executioner Ransomware Reporting Infection via SMTP "; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; metadata: former_category TROJAN; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_06, malware_family Ransomware, malware_family Executioner, performance_impact Moderate, updated_at 2017_06_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9286
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Unk.HT-Based Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"hostname=csharp-"; http_client_body; depth:16; fast_pattern; content:"&enckey="; http_client_body; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,2aa11c090fd0737e52cd532418c1211e; classtype:trojan-activity; sid:2024352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_06, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Moderate, updated_at 2017_06_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9287
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/ASPC Bot CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php?key="; http_uri; content:"&string="; http_uri; distance:0; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:(?:\x3a\x3a|3A3A)[^\x3a]+?){5,}$/Ui"; metadata: former_category TROJAN; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:trojan-activity; sid:2024322; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_18, malware_family ASPC_Bot, performance_impact Moderate, updated_at 2017_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9289
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PLATINUM Dipsind CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"ud7LDjtsTHe2tWeC8DYo8A**"; http_client_body; fast_pattern; metadata: former_category TROJAN; reference:md5,0cc901350eaffb8f84b920691460921f; classtype:trojan-activity; sid:2024369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT, tag PLATINUM, signature_severity Major, created_at 2017_06_09, malware_family Dipsind, malware_family PLATINUM, performance_impact Low, updated_at 2017_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9290
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spectre Ransomware CnC Checkin"; flow:established,to_server; content:".php?mode="; http_uri; content:"&crypted="; http_uri; distance:0; content:"&id="; http_uri; distance:0; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http_header; fast_pattern:5,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,e8af7ef13b6ced37d08dce0f747d7d8b; classtype:trojan-activity; sid:2024373; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_09, malware_family Ransomware, malware_family Spectre, performance_impact Moderate, updated_at 2017_06_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9291
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Madness Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&mk="; http_uri; fast_pattern:only; content:"&rs="; http_uri; content:"&rq="; http_uri; content:"&ver="; http_uri; pcre:"/\?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-zA-Z]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d/U"; metadata: former_category TROJAN; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,f1ed53c4665d2893fd116a5b0297fc68; classtype:trojan-activity; sid:2018028; rev:4; metadata:created_at 2014_01_28, updated_at 2017_06_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9293
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Fake Windows Scam ScreenLocker"; flow:established,to_server; content:"GET"; http_method; content:"/lock.php"; http_uri; content:"User-Agent|3a 20|MyAgent|0d 0a|"; http_header; fast_pattern:1,20; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/lock\.php$/Ui"; metadata: former_category TROJAN; reference:md5,6443d8351f5ed62836003f103d8de20e; classtype:trojan-activity; sid:2024417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_20, malware_family Screenlocker, performance_impact Moderate, updated_at 2017_06_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9302
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DragonOK KHRAT Downloader Receiving Payload"; flow:established,from_server; file_data; content:".DAT,K1|22 0d 0a|fso"; metadata: former_category TROJAN; reference:md5,404518f469a0ca85017136b6b5166ae3; classtype:trojan-activity; sid:2024418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, tag CNAPT, signature_severity Major, created_at 2017_06_20, malware_family DragonOK, malware_family KHRAT, performance_impact Low, updated_at 2017_06_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9303
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85"; flow:to_server,established; dsize:>11; content:"|7f 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9f/s"; content:!"POST /"; content:!"microsoft.com"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6bc0070240a714175e44dd2d6bf98481; classtype:trojan-activity; sid:2020786; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2015_03_28, malware_family Gh0st, malware_family PCRAT, updated_at 2017_04_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9304
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN x0Proto File Contents Exfil Request"; flow:established,from_server; dsize:9; content:"DLOAD|0c|1|0c|1"; depth:9; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024423; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9306
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN x0Proto File Info Request"; flow:established,from_server; dsize:8; content:"REQF|0c|1|0c|1"; depth:8; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024424; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9307
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX OceanLotus Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; metadata: former_category TROJAN; reference:md5,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; classtype:trojan-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, tag APT, tag OceanLotus, tag OSX, created_at 2017_06_26, malware_family OceanLotus, performance_impact Low, updated_at 2017_06_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9308
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Naoinstalad Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?MD="; http_uri; fast_pattern; content:"Naoinstalado"; http_uri; nocase; content:!"Mozilla"; http_user_agent; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,f136f9ec7f7f8cb1a12a9b835183be59; reference:url,www.malware-traffic-analysis.net/2017/06/08/index.html; classtype:trojan-activity; sid:2024427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_26, performance_impact Moderate, updated_at 2017_06_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9309
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; metadata: former_category TROJAN; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:trojan-activity; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_28, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, updated_at 2017_06_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9310
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown CnC"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:trojan-activity; sid:2024441; rev:2; metadata:created_at 2017_07_05, updated_at 2017_07_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9315
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Unk.Stealer Data Exfil Via HTTP"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http_client_body; fast_pattern:32,20; pcre:"/^(?:(?:Passwords|PCinformation)\.txt|(?:Data|GrabbedTxtFiles)\.zip)\x22\r\n/RPi"; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:trojan-activity; sid:2024455; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_11, malware_family Unknown, performance_impact Moderate, updated_at 2017_07_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9317
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LockPOS CnC"; flow:to_server,established; content:"POST"; http_method; content:"lock"; fast_pattern; http_user_agent; isdataat:!1,relative; content:"|00 00 00|"; offset:1; depth:3; http_client_body; metadata: former_category TROJAN; reference:md5,0ad35a566cfb60959576835ede75983b; reference:url,www.arbornetworks.com/blog/asert/lockpos-joins-flock/; classtype:trojan-activity; sid:2024461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag POS, tag LockPOS, signature_severity Major, created_at 2017_07_12, malware_family PoS, updated_at 2017_07_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9323
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:trojan-activity; sid:2024465; rev:1; metadata:created_at 2017_07_13, updated_at 2017_07_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9324
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed DNS Query to Known Fenrir Ransomware CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|fenrir-ransomware|0d|000webhostapp|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,a5ecf27bfab7fbb1ace3ec9a390b23bd; classtype:trojan-activity; sid:2024467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_13, malware_family Ransomware, malware_family Fenrir, performance_impact Low, updated_at 2017_07_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9325
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Tinba Banker CnC Response"; flow:established,from_server; file_data; content:"|00 00 00 00 48 65 61 44|"; depth:8; fast_pattern; content:"|00 00|"; distance:0; within:5; metadata: former_category TROJAN; reference:md5,d360ee49950e7da3978379494667260c; classtype:trojan-activity; sid:2024442; rev:3; metadata:created_at 2017_07_05, updated_at 2017_07_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9326
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed Malicious DNS Query (Reyptson Ransomware CnC)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|37z2akkbd3vqphw5"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,2f60c2dc9b89a78a450839ded2a1737a; classtype:trojan-activity; sid:2024469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_17, malware_family Ransomware, malware_family Reyptson, performance_impact Low, updated_at 2017_07_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9327
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; metadata: former_category TROJAN; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:trojan-activity; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_11, malware_family CoinMiner, performance_impact Moderate, updated_at 2017_07_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9328
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Parite.B Checkin 3"; flow:to_server,established; dsize:>1000; content:"|00 00 00 00 9c 00 00 00 06 00 00 00 01 00 00 00|"; offset:0; depth:16; content:"|b1 1d 00 00 02 00 00 00|"; distance:0; metadata: former_category TROJAN; reference:md5,d10d6d2a29dd27b44e015dd6bf4cb346; classtype:trojan-activity; sid:2024429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment Internet, signature_severity Major, created_at 2017_06_27, malware_family Parite, performance_impact Moderate, updated_at 2017_07_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9329
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; metadata: former_category TROJAN; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:trojan-activity; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, signature_severity Major, created_at 2017_07_17, malware_family CoinMiner, performance_impact Moderate, updated_at 2017_07_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9330
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:!"."; http_uri; content:"/en-us/"; depth:7; http_uri; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; pcre:"/^\/en-us\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; content:!"/im/"; http_uri; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:8; metadata:created_at 2015_03_25, updated_at 2015_03_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9339
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET TROJAN Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; metadata: former_category TROJAN; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:trojan-activity; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2013_06_05, malware_family Ramnit, performance_impact Low, updated_at 2017_07_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9340
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Malicious Domain SSL Cert in SNI (Unknown Stealer CnC)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 1b|4fp2u2ue4pyqdpfu"; fast_pattern; metadata: former_category TROJAN; reference:md5,2067d1cb1a25c6d6d371339fad9123ba; classtype:trojan-activity; sid:2024485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_20, malware_family Unknown, performance_impact Moderate, updated_at 2017_07_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9343
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Shifr Ransomware Malicious Domain in SNI Observed"; flow:to_server,established; content:"|00 00 19|v5t5z6a55ksmt3oh.onion"; metadata: former_category TROJAN; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_20, malware_family Shifr, performance_impact Moderate, updated_at 2017_07_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9344
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Shifr Ransomware CnC DNS Query (v5t5z6a55ksmt3oh)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|v5t5z6a55ksmt3oh|05|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Shifr, performance_impact Moderate, updated_at 2017_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9345
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Shifr Ransomware CnC DNS Query (ojdue4474qghybjb)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ojdue4474qghybjb|05|"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024492; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Shifr, performance_impact Moderate, updated_at 2017_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9346
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TDTESS Backdoor User-Agent"; flow:established,to_server; content:"XXXXXXXXXXXXXXXXX/5.0 (Windows NT 6.1 WOW64|3b| Trident/7.0|3b| AS|3b| rv:11.0) like Gecko"; http_user_agent; metadata: former_category TROJAN; reference:md5,113ca319e85778b62145019359380a08; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, performance_impact Moderate, updated_at 2017_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9347
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens Matryoshka DNS Lookup 2 (twiter-statics . info)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|twiter|2d|statics|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family Matryoshka, performance_impact Moderate, updated_at 2017_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9349
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|cloudflare|2d|analyse|03|com|00|"; nocase; distance:0; fast_pattern; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_25, malware_family CobaltStrike, performance_impact Moderate, updated_at 2017_07_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9350
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Revcode RAT CnC"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"keyauth="; http_client_body; fast_pattern; depth:8; content:"&key="; http_client_body; distance:0; content:"&uid="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:"WinHttpRequest"; http_user_agent; metadata: former_category TROJAN; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:trojan-activity; sid:2024500; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_27, performance_impact Moderate, updated_at 2017_07_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9351
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Revcode RAT CnC 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"mode="; http_client_body; fast_pattern; depth:5; content:"&data="; http_client_body; distance:0; content:"&key="; http_client_body; distance:0; content:!"Referer|3a|"; http_header; content:"WinHttpRequest"; http_user_agent; metadata: former_category TROJAN; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:trojan-activity; sid:2024501; rev:2; metadata:created_at 2017_07_27, updated_at 2017_07_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9352
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ISMAgent Receiving Commands from CnC Server "; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; metadata: former_category TROJAN; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_28, malware_family Ismdoor, performance_impact Moderate, updated_at 2017_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9354
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN ISMAgent DNS Tunneling (microsoft-publisher . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|microsoft-publisher|03|com|00|"; nocase; distance:0; fast_pattern; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024504; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_28, malware_family Ismdoor, performance_impact Moderate, updated_at 2017_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9355
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ISMAgent CnC Checkin 1"; flow:to_server,established; content:"GET"; http_method; content:"/action2/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Firefox|0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024502; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_28, malware_family Ismdoor, performance_impact Moderate, updated_at 2017_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9356
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed DNS Query to Reborn/Ovidiy Stealer CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|stealur|04|info|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,4daca05b0015efeaacebc58d007c32c4; classtype:trojan-activity; sid:2024506; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_31, malware_family Reborn_Stealer, malware_family Ovidiy_Stealer, performance_impact Low, updated_at 2017_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9357
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Malicious Domain SSL Cert in SNI (JS_POWMET)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 0c|bogerando.ru"; fast_pattern; metadata: former_category TROJAN; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware; reference:md5,31f83bf81b139bcc69e51df2c76a0bf2; classtype:trojan-activity; sid:2024512; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_02, malware_family JS_POWMET, performance_impact Low, updated_at 2017_08_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9358
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.ATS CnC Activity"; flow:established,to_server; content:"php?Hwid=S-"; http_uri; fast_pattern; content:"-"; http_uri; distance:0; content:"-"; http_uri; distance:0; content:"-"; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?Hwid=[^&]+[0-9](?:&(?:Pc|Etat)=[^&]+)?(?:&user=[^&]+&Ip=[^&]+&Ping=[^&]+&v=[^&]+&Ville=[^&]+&Pays=[^&]+&Region=[^&]+)?$/Ui"; metadata: former_category TROJAN; reference:md5,53d3ee595bc5df7e97403906f1415c21; classtype:trojan-activity; sid:2024528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_08, performance_impact Moderate, updated_at 2017_08_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9371
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Observed DNS Query to Gryphon CnC Domain / GlobeImposter Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cr7icbfqm64hixta"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,c714c3fe13e515a85774b03787ee9d85; classtype:trojan-activity; sid:2024543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_08_14, malware_family GlobeImposter, malware_family Gryphon, performance_impact Moderate, updated_at 2017_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9388
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Datper CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"="; within:9; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.php\?[a-z]{3,8}=[a-f0-9]{16}[01][a-z]+$/Ui"; metadata: former_category TROJAN; reference:md5,eae5b16bef5f7dc37909ec91367fa807; reference:url,blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html; classtype:trojan-activity; sid:2024601; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_21, malware_family Datper, performance_impact Moderate, updated_at 2017_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9389
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN Spora Ransomware DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|5pr6hirtlfan3j76"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2024603; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2017_08_22, malware_family Spora, performance_impact Low, updated_at 2017_08_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9390
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/HTA Downloader Behavior M3"; flow:to_server,established; content:".php?cmd=p&id="; fast_pattern:only; http_uri; content:"&rnd="; http_uri; pcre:"/\.php\?cmd=p&id=\w+.*?&rnd=[\x2e\d]+$/Ui"; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,d3abaa6736d7d549eca8644c67e9fcfe; classtype:trojan-activity; sid:2023485; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_07, performance_impact Low, updated_at 2017_08_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9392
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN ISMAgent DNS Lookup (msoffice-cdn . com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|msoffice-cdn|03|com|00|"; nocase; distance:0; fast_pattern; metadata: former_category TROJAN; reference:md5,812d3c4fddf9bb81d507397345a29bb0; reference:url,www.clearskysec.com/ismagent/; classtype:trojan-activity; sid:2024620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_29, performance_impact Moderate, updated_at 2017_08_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9394
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CobianRAT Receiving Additional Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"more|7c 2d 7c|"; within:30; fast_pattern; pcre:"/^(?:FM|SM|CP|CM|MC|NF|CH|PS|PT)/R"; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9409
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CobianRAT Checkin to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|LOGIN|7c 2d 7c|"; within:30; fast_pattern; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9410
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CobianRAT Receiving Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; fast_pattern; content:"|00 00 02|"; within:30; pcre:"/^(?:Lg|Execute|FLD|Sc)\x7c\x2d\x7c/R"; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9411
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN CobianRAT Receiving Config Commands from CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"Svr|7c 2d 7c|"; within:100; fast_pattern; pcre:"/^(?:\x40|\x21|\x23|\x7e|\x24)/R"; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9412
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN CobianRAT Screenshot Exfil to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|Sc|7c 2d 7c|"; within:30; fast_pattern; content:"JFIF"; within:10; metadata: former_category TROJAN; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:trojan-activity; sid:2024655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_01, malware_family CobianRAT, performance_impact Low, updated_at 2017_09_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9413
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Tinba Checkin 4"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a 20|157"; nocase; http_header; fast_pattern:only; content:!"Content-Type"; nocase; http_header; content:!"Accept"; nocase; http_header; content:!"Referer:"; nocase; http_header; content:!"User-Agent|3a|"; nocase; http_header; content:"|00 80 00 00 00|"; http_client_body; offset:24; depth:5; flowbits:set,ET.Tinba.Checkin; metadata: former_category TROJAN; reference:md5,ade4d8f0447dac5a8edd14c3d44f410d; classtype:trojan-activity; sid:2024659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2017_09_04, malware_family Tinba, performance_impact Low, updated_at 2017_09_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9415
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Dragonfly Backdoor.Goodor Go Implant CnC Beacon 1"; flow:established,to_server; content:"GET"; http_method; content:"."; http_uri; content:"?"; distance:3; within:2; http_uri; content:"="; distance:3; within:1; http_uri; content:"&"; distance:32; within:1; http_uri; content:!"Referer|3a|"; http_header; content:"Go-http-client/1.1|0d 0a|"; http_header; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-f0-9]{32}&[a-z0-9]{3}=[^&]+&[a-z0-9]{3}=[a-f0-9]{32}$/U"; metadata: former_category TROJAN; reference:md5,8943e71a8c73b5e343aa9d2e19002373; classtype:trojan-activity; sid:2024894; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Targeted, signature_severity Critical, created_at 2017_07_12, performance_impact Moderate, updated_at 2017_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9416
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ApolloLocker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&pname="; http_client_body; content:"&uname="; http_client_body; content:"&pkey="; http_client_body; content:"&aekey="; http_client_body; content:"&ppub="; http_client_body; content:"&userx=ApolloCrypto"; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:trojan-activity; sid:2024666; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_06, malware_family ApolloLocker, performance_impact Moderate, updated_at 2017_09_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9417
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ApolloLocker Ransomware CnC Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&crypto=ApolloCrypto"; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:trojan-activity; sid:2024667; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_06, malware_family ApolloLocker, performance_impact Moderate, updated_at 2017_09_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9418
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unk.Bot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&build="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:trojan-activity; sid:2024679; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, performance_impact Moderate, updated_at 2017_09_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9419
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN ABUSE.CH Zloader CnC Domain Detected"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|1c|chinaandkoreacriminalaffairs"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; metadata: former_category TROJAN; reference:md5,7a57fcc1afab791f9995fbc479fe340e; classtype:trojan-activity; sid:2024680; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_08, malware_family Zloader, performance_impact Low, updated_at 2017_09_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9420
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unk.Bot CnC Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&taskid="; http_uri; distance:0; content:"&status="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:trojan-activity; sid:2024692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_11, performance_impact Moderate, updated_at 2017_09_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9428
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/ASPC Bot CnC Checkin M3"; flow:established,to_server; content:"POST"; http_method; content:".php?string="; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"Referer|3a|"; http_header; content:"string="; http_client_body; depth:7; pcre:"/\.php\?string=[a-zA-Z0-9+=]+$/Ui"; metadata: former_category TROJAN; reference:md5,f392c55f636e93f4b72f1a2aa5022730; classtype:trojan-activity; sid:2024625; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_30, performance_impact Moderate, updated_at 2017_09_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9430
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lucifer Loader Requesting Payload"; flow:established,to_server; urilen:15; content:"/demonsgate.php"; fast_pattern; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,74a3c324a8565d7f567763bee960bcca; classtype:trojan-activity; sid:2024719; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_18, malware_family Lucifer_Loader, performance_impact Moderate, updated_at 2017_09_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9433
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; metadata: former_category TROJAN; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:trojan-activity; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, deployment Perimeter, tag MalDoc, signature_severity Major, created_at 2017_09_21, malware_family Maldoc, performance_impact Moderate, updated_at 2017_09_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9439
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any  (msg:"ET TROJAN MSIL/CoalaBot CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a|"; http_header; content:"KAMA NT"; http_header; distance:0; within:50; fast_pattern; content:"BULLET|3b|"; http_header; distance:0; within:20; content:"REGION|3b|"; http_header; distance:0; within:20; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; pcre:"/^[A-Za-z0-9]{10,}[\-\)\(]{1,2}/Pi"; metadata: former_category TROJAN; reference:md5,523de838dd44cdd6f212d36c142d830c; classtype:trojan-activity; sid:2024531; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_08_09, malware_family CoalaBot, performance_impact Moderate, updated_at 2017_09_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9440
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Kwampirs Outbound GET request"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:>21; content:"?q=KT"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/"; http_header; depth:20; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a/H"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9441
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed GET Request to Jaff Domain (orhangazitur . com)"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a 20|orhangazitur.com|0d 0a|"; fast_pattern:only; metadata: former_category TROJAN; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_05_31, malware_family Jaff_Ransomware, performance_impact Moderate, updated_at 2017_09_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9443
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Formgrabber Data Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"c="; depth:2; http_client_body; content:"&v="; http_client_body; distance:0; content:"&h="; http_client_body; distance:0; content:"&t="; fast_pattern; http_client_body; distance:0; content:!"Referer|3a|"; http_header; pcre:"/^c=[A-F0-9]{10,}&v=[^&]+&h=[^&]+&t=[0-9]$/Psi"; metadata: former_category TROJAN; reference:md5,cb066c5625aa85957d6b8d4caef4e497; reference:url,thisissecurity.stormshield.com/2017/09/28/analyzing-form-grabber-malware-targeting-browsers; classtype:trojan-activity; sid:2024781; rev:2; metadata:created_at 2017_09_28, updated_at 2017_09_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9453
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MAGICHOUND.FETCH CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".aspx?n="; http_uri; fast_pattern; content:"&m="; distance:0; http_uri; content:"&i="; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; metadata: former_category TROJAN; reference:md5,ed9e14a932b28f1ebdc4cd5b549af9da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023951; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, malware_family MAGICHOUND_related, updated_at 2017_09_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9455
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !5800 (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21"; flow:to_server,established; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}\x70\x94[\x20-\x7e]/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3ae76f6b76e743fd8063e1831236ce24; classtype:trojan-activity; sid:2018057; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_02_03, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9464
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.JS.Agent.dwz Checkin"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"|00|"; http_client_body; content:"|61 3d|"; depth:2; fast_pattern; http_client_body; byte_extract:2,12,byte0,relative; byte_test:2,=,byte0,30,relative; isdataat:!33,relative; metadata: former_category TROJAN; reference:md5,f886dbf6bd47a0a015ef40fc2bed03a2; classtype:trojan-activity; sid:2024848; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_17, performance_impact Moderate, updated_at 2017_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9465
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky Intermediate Downloader"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"Windows-Update-Agent"; http_user_agent; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; metadata: former_category TROJAN; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024900; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Locky, signature_severity Major, created_at 2017_10_23, updated_at 2017_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9496
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; metadata: former_category TROJAN; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:trojan-activity; sid:2024902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_23, malware_family Snatch, performance_impact Moderate, updated_at 2017_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9497
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; metadata: former_category TROJAN; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:trojan-activity; sid:2024903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_23, malware_family Snatch, performance_impact Moderate, updated_at 2017_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9498
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trickbot Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern:only;  content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/Ui"; metadata: former_category TROJAN; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Trickbot, signature_severity Major, created_at 2017_10_23, updated_at 2017_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9499
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any 53 (msg:"ET TROJAN BadRabbit Ransomware Payment Onion Domain"; dns_query; content:"caforssztxqzf2nm."; metadata: former_category TROJAN; reference:md5,fbbdc39af1139aebba4da004475e8839; classtype:trojan-activity; sid:2024910; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_24, performance_impact Low, updated_at 2017_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9508
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !5800,!445 (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; metadata: former_category TROJAN; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:trojan-activity; sid:2020215; rev:5; metadata:created_at 2015_01_20, updated_at 2017_10_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9509
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SAD Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&osname="; http_uri; content:"&pcname="; http_uri; content:"&key="; http_uri; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,f4c2f65b5b89d4f4e74099571b40c0d5; classtype:trojan-activity; sid:2024954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_03, malware_family SAD_Ransomware, performance_impact Moderate, updated_at 2017_11_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9526
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Win32/Randrew!rfn CnC Activity"; flow:established,to_server; content:"botversion="; depth:11; http_client_body; content:"xfor="; within:22; http_client_body; content:"winver="; within:33; http_client_body; threshold:type limit,track by_src,count 1,seconds 30; metadata: former_category TROJAN; reference:md5,74dd0e38deaf778e621434a2ca9c7c74; reference:url,microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:Win32/Randrew.A!bit; classtype:trojan-activity; sid:2024955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_06, performance_impact Moderate, updated_at 2017_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9527
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; metadata: former_category TROJAN; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:trojan-activity; sid:2018101; rev:5; metadata:created_at 2014_02_10, updated_at 2017_11_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9545
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/TrojanDownloader.Delf.BVP Win32/BioData CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php?b="; http_uri; content:!"&"; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:"form-data|3b 20|name=|22|unit|22 3b 20|"; fast_pattern:4,20; http_client_body; metadata: former_category TROJAN; reference:md5,68aab6163c29183ad8da1cf27a5a47c5; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families; classtype:trojan-activity; sid:2023545; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_11_23, updated_at 2017_11_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9546
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.Win32/Nitol.B Checkin"; flow:established,to_server; dsize:>1000; content:"|88 88 08 00|"; depth:4; fast_pattern; content:"|2E|"; distance:1; within:1; content:"|2F 73|"; distance:2; within:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:15; metadata: former_category TROJAN; reference:md5,f078e099b1f8afc7c43eb05b4badf9e7; classtype:trojan-activity; sid:2021111; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2015_05_16, malware_family Nitol_DDoS, performance_impact Low, updated_at 2017_11_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9547
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; metadata: former_category TROJAN; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:trojan-activity; sid:2024979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_13, performance_impact Moderate, updated_at 2017_11_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9550
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/RCAP CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/callback.php?k="; http_uri; fast_pattern; content:"&x="; http_uri; distance:0; content:"Connection|3a 20|close|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,3410af519f791af5f9554cbff7ece24a; classtype:trojan-activity; sid:2024984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_14, performance_impact Moderate, updated_at 2017_11_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9554
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/TinyNuke CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/client.php?"; http_uri; fast_pattern; content:"Content-Length|3a 20|9|0d 0a|"; http_header; pcre:"/\/client\.php\?[A-F0-9]{15,25}$/Ui"; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.TinyNuke; metadata: former_category TROJAN; reference:md5,917124e4d53057324aa129520fca73fb; classtype:trojan-activity; sid:2024991; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_27, performance_impact Low, updated_at 2017_11_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9561
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1"; flow:established,from_server; file_data; content:"VwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAw"; metadata: former_category TROJAN; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9563
12/12/2018 -- 16:31:52 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2"; flow:established,from_server; file_data; content:"cAdwBCAE8AQQBHAFUAQQBkAEEAQQB1AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBVAEEAQgB2AEEARwBrAEEAYgBnAEIAM"; metadata: former_category TROJAN; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9564
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3"; flow:established,from_server; file_data; content:"XAHcAQgBPAEEARwBVAEEAZABBAEEAdQBBAEYATQBBAFoAUQBCAHkAQQBIAFkAQQBhAFEAQgBqAEEARwBVAEEAVQBBAEIAdgBBAEcAawBBAGIAZwBCAD"; metadata: former_category TROJAN; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9565
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M1"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; metadata: former_category TROJAN; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9566
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M2"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; metadata: former_category TROJAN; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023942; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9567
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M3"; flow:established,from_server; file_data; content:"XAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBn"; metadata: former_category TROJAN; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_16, updated_at 2017_11_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9568
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Book of Eli CnC Checkin "; flow:to_server,established; content:"POST"; http_method; nocase; content:"CharSet|3a| windows-1256|0d 0a|"; http_header; content:!"User-Agent|3a| "; http_header; content:"id_serial="; depth:10; http_client_body; content:"&id_cpu="; http_client_body; content:"&go_and_fuck_this_life="; http_client_body; content:"&system__="; fast_pattern:only; http_client_body; content:"&hard_id="; http_client_body; metadata: former_category TROJAN; reference:url,blog.eset.ie/2016/09/22/malware-in-libya-book-of-eli-african-targeted-attacks/; reference:md5,25e5744979b365dc58cce23d377b3835; reference:md5,d22857cebad4200c3b1e8ec17836b451; reference:url,www.virustotal.com/en/file/faa20341f7a7277114f5c61e5013b9871ab2b0356f383b6798013ce333a30ae5/analysis/; classtype:trojan-activity; sid:2023254; rev:4; metadata:created_at 2013_05_16, updated_at 2017_11_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9573
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?root="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{16}$/URi"; content:"Accept|3a 20|text/plain|0d 0a|"; http_header; content:!"Accept-"; http_header; content:"|20|HTTP/1.0|0d 0a|Host|3a|"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:trojan-activity; sid:2024489; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_21, malware_family Ransomware, malware_family Bitshifter, performance_impact Moderate, updated_at 2017_07_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9574
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Malicious Invoice EXE"; flow:established,to_server; content:"GET"; http_method; content:"/invoice"; nocase; http_uri; fast_pattern:only; pcre:"/\/invoice[^a-z\/]*?\.(?:exe|zip|7z|rar|com|vbs|ps1)$/Ui"; metadata: former_category TROJAN; reference:md5,bdf12366779ce94178c2d1e495565d2b; classtype:trojan-activity; sid:2019158; rev:5; metadata:created_at 2014_09_11, updated_at 2017_11_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9575
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Andromeda Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Mozilla/4.0"; http_user_agent; depth:11; isdataat:!1,relative; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})([\r\n](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/Pi"; reference:md5,41c33fdb9a95353a3b109393543f90dd; classtype:trojan-activity; sid:2016223; rev:10; metadata:created_at 2012_03_29, updated_at 2012_03_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9582
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/InstallMonster.Downloader Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/api"; http_uri; content:"Mozilla/3.0|20|(compatible|3b 20|Indy Library)"; http_user_agent; fast_pattern; pcre:"/Library\x29\r$/Hm"; http_header_names; content:!"Referer"; content:!"Content-Type"; http_protocol; content:"HTTP/1.0"; metadata: former_category TROJAN; reference:md5,70a6d9cb37e346b4dfd28bd4ea1f8671; classtype:trojan-activity; sid:2017656; rev:5; metadata:created_at 2013_11_01, updated_at 2017_10_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9583
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> any any (msg:"ET TROJAN Win32.Sality-GR Checkin"; flow:established,to_server; content:".gif?"; http_uri; fast_pattern; pcre:"/^[0-9a-f]{4,8}\x3d\x2d?\d+(?:&id\x3d\d+)?$/UR"; http_header_names; content:"|0d 0a|User-Agent"; depth:12; content:!"Accept"; content:!"Referer"; reference:md5,3a03a20bfefe3fdd01659d47d2ed76c8; classtype:trojan-activity; sid:2018340; rev:10; metadata:created_at 2013_06_06, updated_at 2013_06_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9584
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Taidoor Checkin"; urilen:32; content:".php?id="; http_uri; offset:6; depth:8; pcre:"/^[A-Z0-9]{18}$/UR"; content:"MSIE 6.0|3b|"; http_user_agent; reference:md5,f4b8b51b75f67e68d0c1a9639e2488c3; classtype:trojan-activity; sid:2015808; rev:6; metadata:created_at 2012_10_17, updated_at 2012_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9585
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox.ClickFraudBot POST CnC Beacon"; flow:established,to_server; urilen:<33; content:"POST"; http_method; content:"/b/"; http_uri; fast_pattern; pcre:"/^[a-z]{3,4}\x2F[a-f0-9]{24}$/URi"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018098; rev:4; metadata:created_at 2014_02_10, updated_at 2014_02_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9589
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nivdort Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?email="; fast_pattern; http_uri; http_accept; content:"*/*"; http_connection; content:"close"; http_header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Host|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; metadata: former_category TROJAN; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2025020; rev:6; metadata:created_at 2015_02_11, updated_at 2017_11_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9591
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Pykspa.C Public IP Check"; flow:established,to_server; urilen:1; content:"myip"; http_host; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.9.1.3) Gecko/20090824 Firefox/3.5.3"; http_user_agent; fast_pattern; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,b94e213153a1929db2f414f23d891d76; reference:md5,324ff262da1233ef874ff29213cf8f19; classtype:trojan-activity; sid:2018773; rev:4; metadata:created_at 2014_07_24, updated_at 2014_07_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9592
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Tinba Checkin 2"; flow:established,to_server; urilen:>1; content:"POST"; http_method; content:"/"; http_uri; isdataat:!1,relative; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:2,2,Tinba.Pivot,relative; byte_test:2,=,Tinba.Pivot,2,relative; byte_test:2,!=,Tinba.Pivot,5,relative; http_protocol; content:"HTTP/1.0"; http_content_len; byte_test:0,>,99,0,string,dec; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; fast_pattern; content:!"User-Agent"; content:!"Accept"; flowbits:set,ET.Tinba.Checkin; reference:md5,7af6d8de2759b8cc534ffd72fdd8a654; classtype:trojan-activity; sid:2020418; rev:5; metadata:created_at 2015_02_12, updated_at 2015_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9596
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"?"; offset:2; depth:11; http_uri; content:"GET"; http_method; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+?$/Ui"; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http_user_agent; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:14; metadata:created_at 2012_11_29, updated_at 2012_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9600
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Neurevt.A/Betabot Check-in 4"; flow:established,to_server; content:"POST"; http_method; content:!".aspx"; http_uri; content:!"Accept"; http_header; content:!"id1="; http_client_body; content:"1="; http_client_body; content:"2="; http_client_body; distance:0; content:"3="; http_client_body; distance:0; content:"4="; distance:0; http_client_body; fast_pattern; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/P"; content:!"lavasoft.com"; http_host; content:!"SmadavStat"; http_user_agent; http_content_type; content:"application/x-www-form-urlencoded"; http_header_names; content:"|0d 0a|Content-Type|0d 0a|"; depth:16; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_07_25, malware_family Neurevt, performance_impact Low, updated_at 2017_11_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9607
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; dns_query; content:"networksecurityx.hopto.org"; isdataat:!1,relative; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:4; metadata:created_at 2014_01_24, updated_at 2014_01_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9608
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Chthonic Checkin"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; http_header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:8; metadata:created_at 2013_10_11, updated_at 2017_06_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9609
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Graftor EXE Download Common Header Order"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"MSIE"; http_user_agent; http_header_names; content:"|0d 0a|Host|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:76; http_connection; content:"close"; nocase; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2018254; rev:4; metadata:created_at 2014_03_12, updated_at 2014_03_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9610
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x)"; flow:established,to_server; content:"Windows+NT+5"; http_user_agent; flowbits:set,ET.webc2ugx; reference:url,www.mandiant.com/apt1; reference:md5,14cfaefa5b8bc6400467fba8af146b71; classtype:trojan-activity; sid:2009486; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9611
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Kelihos.F EXE Download Common Structure"; flow:established,to_server; urilen:12; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern; pcre:"/^(?:\/[a-z]+\d*?)?\/\d?\w+\d*?\.exe$/U"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/W"; http_header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; isdataat:!1,relative; reference:md5,f5bcc28e7868a68e473373d684a8c54a; classtype:trojan-activity; sid:2017598; rev:10; metadata:created_at 2013_10_15, updated_at 2013_10_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9612
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"data="; depth:5; http_client_body; fast_pattern; pcre:"/^[A-F0-9]{100,}$/PR"; content:!"driftmania"; http_header; content:!"coreftp.com"; http_host; content:"Mozilla"; http_user_agent; depth:7; http_header_names; content:!"Referer"; reference:md5,a3440b6117f3783989683753c9f394dd; classtype:trojan-activity; sid:2022504; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_02_10, malware_family Ransomware, malware_family Alphacrypt, malware_family TeslaCrypt, performance_impact Low, updated_at 2016_11_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9613
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Nurjax Retrieving Domains via JS"; flow:established,to_server; content:".txt?dummy="; http_uri; fast_pattern; pcre:"/^\d+$/UR"; content:"Mozilla"; http_user_agent; depth:7; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; classtype:trojan-activity; sid:2020031; rev:4; metadata:created_at 2014_12_23, updated_at 2014_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9614
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Solarbot Check-in"; flow:established,to_server; content:"POST"; http_method; content:"v="; depth:2; http_client_body; content:"&u="; http_client_body; content:"&w="; http_client_body; content:"&c="; http_client_body; pcre:"/&s=\{?[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}\}?(?:&|$)/Pi"; http_header_names; content:!"Referer"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017742; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9617
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-03-31"; flow:established,to_server; content:"GET"; http_method; content:"/counter/?ad="; http_uri; nocase; content:"="; distance:0; http_uri; pcre:"/=\d+$/U"; http_header_names; content:!"Referer"; flowbits:set,ET.nemucod.exerequest; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,c5ad81d8d986c92f90d0462bc06ac9c6; classtype:trojan-activity; sid:2022692; rev:3; metadata:created_at 2016_03_31, updated_at 2016_03_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9619
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/mod_articles"; depth:13; http_uri; fast_pattern; content:"/"; http_uri; isdataat:!1,relative; http_header_names; content:"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:md5,9a705a2c25a8b30de80e59dbb9adab83; classtype:trojan-activity; sid:2018644; rev:4; metadata:created_at 2014_07_07, updated_at 2014_07_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9620
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fareit Checkin 2"; flow:to_server,established; content:"POST"; http_method; urilen:20; content:"/forum/viewtopic.php"; http_uri; isdataat:!1,relative; content:"Windows 98)"; http_user_agent; isdataat:!1,relative; fast_pattern; http_content_type; content:"application/octet-stream"; metadata: former_category TROJAN; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:trojan-activity; sid:2016550; rev:6; metadata:created_at 2013_01_11, updated_at 2017_11_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9622
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ixeshe/Mecklow Checkin"; flow:established,to_server; content:"GET"; http_method; content:!"&"; http_uri; content:"."; http_uri; content:"sp?"; distance:1; within:3; http_uri; content:"MSIE 5.01|3b 20|Windows NT 5.0|29|"; http_user_agent; fast_pattern; pcre:"/\/[A-Z0-9]+\.[aj]sp\?[a-zA-Z0-9+/\x20=]+$/U"; http_header_names; content:!"Accept"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:md5,3422e76cf4c99ec1091f8c342a3aedaa; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; classtype:trojan-activity; sid:2018379; rev:11; metadata:created_at 2011_04_26, updated_at 2011_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9623
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ixeshe/Mecklow Checkin 2"; flow:established,to_server; http_header_names; content:"|0d 0a|x_bigfix_client_string|0d 0a|"; depth:26; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,df9ce5d06498419a3c93ad95a2ed82fd; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf; classtype:trojan-activity; sid:2018380; rev:7; metadata:created_at 2012_06_19, updated_at 2017_11_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9626
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Fareit/Pony Downloader Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0"; depth:33; http_user_agent; content:"Windows 98)"; http_user_agent; fast_pattern; distance:0; isdataat:!1,relative; http_accept; content:"*/*"; http_connection; content:"close"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; flowbits:set,ET.Fareit.chk; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014234; rev:11; metadata:created_at 2012_02_17, updated_at 2012_02_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9631
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious UA (^IE[\d\s])"; flow:established,to_server; content:"IE"; http_user_agent; depth:2; nocase; fast_pattern; pcre:"/^[\d\s]/VR"; content:!"symantec"; nocase; http_header; content:!"norton"; nocase; http_header; content:!".bing.com"; http_host; reference:md5,209e6701da137084c2f60c90d64505f2; classtype:trojan-activity; sid:2018010; rev:5; metadata:created_at 2014_01_24, updated_at 2014_01_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9633
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.VBKrypt.cugq/Umbra Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bot.php"; nocase; http_uri; fast_pattern; isdataat:!1,relative; content:"mode="; nocase; http_client_body; pcre:"/^\d/PRi"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:url,securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya; classtype:trojan-activity; sid:2018518; rev:8; metadata:created_at 2011_04_28, updated_at 2017_11_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9634
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Urausy.C Checkin"; flow:established,to_server; urilen:>80; content:"GET"; http_method; pcre:"/^\/[a-z-_]+?\.(php|html)$/Ui"; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"; fast_pattern; http_user_agent; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016553; rev:4; metadata:created_at 2013_03_07, updated_at 2013_03_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9635
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Simda.C Checkin"; flow:established,to_server; content:"/?"; nocase; http_uri; content:"=%96%"; http_raw_uri; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Trident/4.0|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 3.0.04506.590|3b 20|.NET CLR 3.0.04506.648|3b 20|.NET CLR 3.5.21022|3b 20|.NET CLR 3.0.4506.2152|3b 20|.NET CLR 3.5.30729)"; fast_pattern; http_user_agent; http_header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:md5,10642e1067aca9f04ca874c02aabda5c; classtype:trojan-activity; sid:2016300; rev:5; metadata:created_at 2012_07_19, updated_at 2012_07_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9637
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious HTTP Referer C Drive Path"; flow:established,to_server; http_referer; content:"res|3a 2f 2f|c|3a 5c|"; depth:9; nocase; reference:md5,8ef81f2555725f7eeae00b3e31229e0e; classtype:trojan-activity; sid:2014302; rev:4; metadata:created_at 2012_03_05, updated_at 2012_03_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9640
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 3"; flow:to_server,established; content:"GET"; http_method; content:".asp?resid="; http_uri; fast_pattern; content:"&photoid="; http_uri; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021201; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9642
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppift.net"; dns_query; content:"ppift.net"; nocase; isdataat:!1,relative; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015460; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9644
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BandarChor Ransomware Checkin"; flow:established,to_server; content:"POST"; http_method; content:"number="; depth:7; http_client_body; content:"&id="; distance:0; http_client_body; content:"&pc="; distance:0; http_client_body; content:"&tail="; http_client_body; fast_pattern; http_header_names; content:!"Referer"; reference:md5,fba4af888ae0e838dd083d4cfebc8f39; reference:md5,d32b6c067e64c141b0c239d23ab1ffd1; reference:url,f-secure.com/weblog/archives/00002795.html; classtype:trojan-activity; sid:2021685; rev:7; metadata:created_at 2015_08_18, updated_at 2015_08_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9647
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gatak CnC"; flow:established,to_server; content:"/report"; depth:7; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http_user_agent; pcre:"/^\/report[0-9]?_(?:v[0-9])?[A-Z]?[A-F0-9_-]+_[0-9]{1,3}_(?:st(?:arted|ep)|already|mark|p(?:rocess|a(?:ge|yload))|watch2|http|image|gdiplus|crc|DIRRR|finished|(?:ex(cept|ecuted)))/Ui"; http_header_names; content:!"Accept"; content:!"Referer"; reference:md5,636a911cc059415963da7009277bae17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-stealthy-information-stealer/; classtype:trojan-activity; sid:2021268; rev:10; metadata:created_at 2015_06_15, updated_at 2015_06_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9649
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AlphaCrypt CnC Beacon 6"; flow:established,to_server; urilen:>250; content:"GET"; http_method; content:".php?"; http_uri; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|Trident/7.0|3b 20|Touch|3b 20|rv|3a|11.0) like Gecko"; http_user_agent; fast_pattern; pcre:"/\/[a-z]+\.php\?[A-F0-9]{250,}$/U"; http_header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:trojan-activity; sid:2022300; rev:3; metadata:created_at 2015_12_22, updated_at 2015_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9651
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Bladabindi/njRAT (HAMAD versions)"; flow:established,to_server; dsize:<200; content:"|00|"; depth:4; content:"HAMAD"; fast_pattern; distance:0; within:10; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; metadata: former_category TROJAN; reference:md5,cc18ad38eccdf096f0ac5840f380ef4f; classtype:trojan-activity; sid:2025074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_27, malware_family Bladabindi, malware_family njrat, performance_impact Low, updated_at 2017_11_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9656
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AlphaCrypt CnC Beacon 5"; flow:established,to_server; urilen:>250; content:"GET"; http_method; content:"/misc.php?"; http_uri; fast_pattern; pcre:"/^[A-F0-9]{250,}$/RU"; content:"User-Agent|3a 20|"; http_header; depth:12; http_header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:trojan-activity; sid:2022284; rev:3; metadata:created_at 2015_12_18, updated_at 2015_12_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9657
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/b/shoe/"; depth:8; http_uri; fast_pattern; pcre:"/^\d+?$/UR"; content:"Mozilla/4.0|20|"; http_user_agent; depth:12; http_header_names; content:!"Referer"; reference:md5,e1cbdba0c57ddb5ab70aa1306dbacaa9; classtype:trojan-activity; sid:2018643; rev:4; metadata:created_at 2014_02_27, updated_at 2014_02_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9658
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SUSPICIOUS UA (iexplore)"; flow:established,to_server; content:"iexplore"; depth:8; fast_pattern; http_user_agent; nocase; content:!"su.pctools.com"; http_host; content:!".advent.com"; http_host; reference:md5,b0e8ce16c42dee20d2c1dfb1b87b3afc; classtype:bad-unknown; sid:2017365; rev:11; metadata:created_at 2013_08_21, updated_at 2013_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9659
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan Generic - POST To gate.php with no accept headers"; flow:established,to_server; content:"POST"; content:"/gate.php"; http_uri; nocase; fast_pattern; http_header_names; content:!"Accept"; metadata: former_category TROJAN; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022985; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_26, malware_family Zeus, performance_impact Low, updated_at 2017_04_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9662
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Bladabindi/njRAT (Dd19271927)"; flow:established,to_server; content:"|00|llDd19271927"; fast_pattern; offset:2; depth:14; dsize:<512; metadata: former_category TROJAN; reference:md5,18fcc5f04f74737ca8a3fcf65a45629c; classtype:trojan-activity; sid:2025077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_11_28, malware_family njrat, performance_impact Moderate, updated_at 2017_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9666
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Upatre Common URI Struct Dec 01 2014"; flow:established,to_server; content:"GET"; http_method; content:"-SP"; http_uri; fast_pattern; content:"/0/"; http_uri; distance:0; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; http_header_names; content:!"Referer"; content:!"Accept-"; reference:md5,fd0f57fd1f93c13b7bd63f811ac7939e; classtype:trojan-activity; sid:2019847; rev:13; metadata:created_at 2014_12_03, updated_at 2014_12_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9670
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Chroject.B Requesting ClickFraud Commands from CnC"; flow:to_server,established; content:"GET"; http_method; content:!"."; http_uri; content:"/"; offset:1; http_uri; content:"="; distance:0; http_uri; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/U"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/W"; content:" like Gecko|29| Chrome/"; http_user_agent; fast_pattern; flowbits:set,ET.Chroject; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer"; metadata: former_category TROJAN; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020747; rev:8; metadata:created_at 2015_03_25, updated_at 2017_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9672
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 1"; flow:established,to_server; content:".asp?imageid="; http_uri; fast_pattern; http_header_names; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2016139; rev:5; metadata:created_at 2013_01_03, updated_at 2013_01_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9673
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Agent.BAAB Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/debug/trace/"; fast_pattern; http_uri; content:"NSISDL/1.2|20|(Mozilla)"; depth:20; http_user_agent; pcre:"/^\/debug\/trace\/(?:Fw(?:Downloaded|Check)|N(?:oFw|sis))$/U"; http_header_names; content:!"Referer"; content:"Accept"; metadata: former_category TROJAN; reference:md5,406fea6262d8ee05e0ab4247c1083443; reference:url,www.virustotal.com/en/file/b0baed750f09ff058e5bd28d6443da833496dc1d1ed674ee6b2caf91889f648e/analysis/1389133969/; classtype:trojan-activity; sid:2017946; rev:4; metadata:created_at 2014_01_08, updated_at 2017_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9674
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Poweliks Clickfraud CnC M2"; flow:to_server,established; content:"GET"; http_method; content:".php?q="; http_uri; content:"redirect|3a|"; http_header; fast_pattern; content:"version|3a 20|"; http_header; content:"aid|3a 20|"; http_header; content:"builddate|3a 20|"; http_header; content:"pid|3a 20|"; http_header; http_header_names; content:!"Referer"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:trojan-activity; sid:2021227; rev:3; metadata:created_at 2015_06_10, updated_at 2015_06_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9675
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Necurs Common POST Header Structure"; flow:established,to_server; content:"POST"; http_method; urilen:10<>20; content:".php"; http_uri; content:!"NSIS|5f|Inetc |28|Mozilla|29|"; http_user_agent; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:62; fast_pattern; content:!"Accept"; content:!"Referer"; http_content_type; content:"application/x-www-form-urlencoded"; isdataat:!1,relative; http_content_len; byte_test:0,<=,400,0,string,dec; http_connection; content:"keep-alive"; nocase; reference:md5,d11a453d4de6e6fd991967d67947c0d7; classtype:trojan-activity; sid:2021995; rev:3; metadata:created_at 2015_10_23, updated_at 2015_10_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9678
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Nurjax Checkin"; flow:established,to_server; content:"update.php?"; http_uri; content:"&key="; http_uri; distance:0; content:"&dummy="; http_uri; fast_pattern; distance:0; http_header_names; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2; classtype:trojan-activity; sid:2020034; rev:3; metadata:created_at 2014_12_23, updated_at 2014_12_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9680
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WIN32/KOVTER.B Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; fast_pattern; http_uri; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; content:!".foxitservice.com"; http_host; http_content_type; content:"application/x-www-form-urlencoded"; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:50; content:!"Referer"; content:!"Accept"; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:trojan-activity; sid:2020181; rev:8; metadata:created_at 2015_01_14, updated_at 2015_01_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9682
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Generic gate[.].php GET with minimal headers"; flow:established,to_server; content:"GET"; http_method; content:"/gate.php"; http_uri; nocase; fast_pattern; http_header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:3; metadata:created_at 2016_05_18, updated_at 2016_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9686
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:".jpg?resid="; http_uri; fast_pattern; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021200; rev:3; metadata:created_at 2015_06_08, updated_at 2015_06_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9691
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Jadtree Downloader rar"; flow:established,to_server; content:".rar"; nocase; http_uri; isdataat:!1,relative; pcre:"/^\d{4}$/V"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:3; metadata:created_at 2014_01_30, updated_at 2014_01_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9692
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV checkin"; flow:established,to_server; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; http_user_agent; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Accept"; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity; sid:2016089; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9693
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; content:"/ip.txt"; http_uri; nocase; isdataat:!1,relative; fast_pattern; content:!"Mozilla"; http_user_agent; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http_header; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:4; metadata:created_at 2013_05_31, updated_at 2013_05_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9695
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; metadata: former_category TROJAN; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:3; metadata:created_at 2016_04_06, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9697
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Zemot Requesting PE"; flow:established,to_server; content:"GET"; http_method; content:"ho"; http_uri; content:"ping/mod_"; within:10; http_uri; fast_pattern; content:"/"; http_uri; distance:0; isdataat:!1,relative; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:5; metadata:created_at 2014_11_20, updated_at 2014_11_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9699
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Scieron Retrieving Information"; flow:established,to_server; content:"GET"; http_method; urilen:7; content:"/ip.txt"; http_uri; fast_pattern; http_header_names; content:!"Accept"; content:!"Referer"; flowbits:set,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020296; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9702
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gulpix/PlugX Client Request"; flow:established,to_server; content:"POST"; http_method; content:"1|3a 20|"; http_header; content:"2|3a 20|"; http_header; distance:0; content:"3|3a 20|"; http_header; distance:0; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/Hm"; http_header_names; content:!"Referer"; reference:md5,663d7774b6727a070b558676cee9fe43; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html; classtype:trojan-activity; sid:2018169; rev:5; metadata:created_at 2014_02_21, updated_at 2014_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9704
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; content:"GET"; http_method; content:"/config"; http_uri; fast_pattern; content:".jpg"; http_uri; distance:0; isdataat:!1,relative; content:"Cache-Control|3a 20|no-cache"; http_header; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/U"; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/V"; http_header_names; content:!"Accept-"; content:!"Referer"; http_connection; content:"close"; nocase; metadata: former_category TROJAN; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:5; metadata:created_at 2015_07_23, updated_at 2017_10_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9705
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; content:"GET"; http_method; content:"/counter/?id="; http_uri; nocase; content: "&rnd="; http_uri; nocase; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/iU"; flowbits:set,ET.nemucod.exerequest; http_header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:6; metadata:created_at 2016_02_02, updated_at 2016_11_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9706
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2"; flow:established,to_server; content:"od"; offset:2; depth:2; nocase; http_uri; content:".exe"; nocase; http_uri; isdataat:!1,relative; fast_pattern; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/Ui"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent"; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:5; metadata:created_at 2014_04_16, updated_at 2014_04_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9709
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; content:"POST"; http_method; content:".asp?cookie="; http_uri; fast_pattern; content:"&type="; http_uri; content:"&vid="; http_uri; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:trojan-activity; sid:2021569; rev:3; metadata:created_at 2015_07_31, updated_at 2015_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9710
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; content:"/b/eve/"; http_uri; depth:7; fast_pattern; pcre:"/^[a-f0-9]{24}$/URi"; metadata: former_category TROJAN; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:trojan-activity; sid:2018096; rev:3; metadata:created_at 2014_02_10, updated_at 2017_11_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9711
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET"; http_method; urilen:5; content:"/1/?"; http_uri; fast_pattern; depth:4; isdataat:!2,relative; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http_user_agent; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:3; metadata:created_at 2012_12_03, updated_at 2012_12_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9713
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any 53 (msg:"ET TROJAN HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; content:"|01 00 00 01 00 00 00 00 00 00 11|"; depth:11; offset:2; fast_pattern; pcre:"/^[A-Z0-9]{17}/R"; content:"|00 00 10|"; distance:0; threshold:type limit, track by_src, count 1, seconds 300; content:!"|03|prs|0a|proofpoint|03|com|00|"; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:trojan-activity; sid:2022842; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_05_31, performance_impact Low, updated_at 2016_07_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9716
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9718
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; content:"POST"; http_method; content:"/main.php"; http_uri; fast_pattern; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; http_header_names; content:!"Referer"; http_content_len; byte_test:0,<,110,0,string,dec; byte_test:0,>=,100,0,string,dec; http_connection; content:"Keep-Alive"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022538; rev:6; metadata:created_at 2016_02_17, updated_at 2016_02_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9719
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative;  http_header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; http_accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:4; metadata:created_at 2016_02_10, updated_at 2016_02_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9720
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; isdataat:!1,relative; nocase; pcre:"/\/[0-9]{2}\.exe$/iU"; http_header_names; content:!"Referer"; flowbits:set,ET.nemucod.exerequest; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:3; metadata:created_at 2016_02_02, updated_at 2016_02_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9721
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Mozilla/5.0 (Windows NT 6.1|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; http_user_agent; fast_pattern; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/W"; http_connection; content:"Close"; isdataat:!1,relative; http_content_type; content:"octet/binary"; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:trojan-activity; sid:2019891; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_12_08, malware_family Dridex, performance_impact Moderate, updated_at 2017_05_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9723
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad"; flow:established,to_server; content:"/gate.php"; nocase; http_uri; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_07_26, malware_family Zeus, performance_impact Low, updated_at 2016_07_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9726
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ransomware Locky CnC Beacon 2"; flow:established,to_server; urilen:13; content:"POST"; http_method; content:"/userinfo.php"; http_uri; fast_pattern; pcre:"/[\x80-\xff]/P"; http_content_type; content:"www-form-urlencoded"; isdataat:!1,relative; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:trojan-activity; sid:2022769; rev:3; metadata:created_at 2016_04_27, updated_at 2016_04_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9728
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; dns_query; content:"epmhyca5ol6plmx3"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:3; metadata:created_at 2015_04_08, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9730
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; dns_query; content:"7tno4hib47vlep5o"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, signature_severity Major, created_at 2015_02_09, updated_at 2017_03_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9732
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $HOME_NET any -> any any (msg:"ET TROJAN MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; dns_query; content:"cxkefbwo7qcmlelb"; nocase; depth:16; metadata: former_category TROJAN; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag DNS_Onion_Query, signature_severity Major, created_at 2017_12_05, performance_impact Low, updated_at 2017_12_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9736
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN njRAT/Bladabindi Variant (Lime) CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|ll"; within:6; content:"TGltZV8"; distance:0; within:30; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/s"; metadata: former_category TROJAN; reference:md5,ce37b5b473377810bc76e0491533b4e7; classtype:trojan-activity; sid:2025136; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_06, malware_family njrat, performance_impact Moderate, updated_at 2017_12_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9737
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern; pcre:"/ms-?office/V"; content:!".money-media.com"; http_host; content:!"ad.payclick.it"; http_host; content:!"sellercore.com"; http_host; metadata: former_category TROJAN; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:7; metadata:created_at 2015_08_18, updated_at 2017_12_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9738
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 8"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; isdataat:!1,relative; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; http_user_agent; isdataat:!1,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; byte_test:0,<,100,0,string,dec; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; depth:51; fast_pattern; metadata: former_category TROJAN; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:trojan-activity; sid:2025142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_07, updated_at 2017_12_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9740
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9742
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN GratefulPOS Covert DNS CnC Initial Checkin"; dns_query; content:".grp"; within:12; content:"ping.adm."; distance:0; within:15; fast_pattern; isdataat:30,relative; pcre:"/^[a-f0-9]{8}\.grp[0-9]*\.ping\.adm\.(?:[a-f0-9]+\.){2,}/"; metadata: former_category TROJAN; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:trojan-activity; sid:2025144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Grateful_POS, performance_impact Moderate, updated_at 2017_12_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9743
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".aspx?A="; http_uri; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/RU"; content:"Accept-Language|3a 20|zh-TW"; http_header; http_header_names; content:"Referer|3a 20|"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,BFB3C542AD815436EC3F2FD71582AD08B7E7301C; classtype:trojan-activity; sid:2025145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_11, malware_family Randrew_A, performance_impact Low, updated_at 2017_12_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9744
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:trojan-activity; sid:2018283; rev:5; metadata:created_at 2014_03_14, updated_at 2014_03_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9745
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?a=Te"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^Host\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\n(?:\r\n)?$/Hi"; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Cache"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:trojan-activity; sid:2025147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Downloader_Small_BIL, performance_impact Low, updated_at 2017_12_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9746
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?machine_id="; http_uri; fast_pattern; content:"&x64"; http_uri; distance:0; content:"&version="; http_uri; distance:0; content:"&video_card="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:"&junk="; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; classtype:trojan-activity; sid:2025148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Bot_Sezin, performance_impact Low, updated_at 2017_12_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9747
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 7"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; depth:1; content:"/"; http_uri; distance:0; isdataat:!1,relative; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2017_12_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9748
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"x-user-agent|3a 20|YesMaster|0d 0a|"; http_header; fast_pattern; http_header_names; content:"|0d 0a|x-user-agent|0d 0a|"; content:"|0d 0a|x-whoami|0d 0a|"; content:"|0d 0a|x-pwd|0d 0a|"; content:"|0d 0a|x-hostname|0d 0a|"; content:"|0d 0a|x-isadm|0d 0a|"; content:"|0d 0a|x-is64Env|0d 0a|"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:trojan-activity; sid:2025157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_20, malware_family YesMaster, performance_impact Moderate, updated_at 2017_12_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9751
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC CreateFolderOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?sDir="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9752
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC DeleteFileOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/process_ad.php?fileDel="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9753
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WooSIP Downloader CnC WriteMetadataOnServer"; flow:established,to_server; content:"GET"; http_method; content:"/write_meta.php?sDir="; http_uri; nocase; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; metadata: former_category TROJAN; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:trojan-activity; sid:2025167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9754
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Smurf2 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Mozilla/5.0"; http_user_agent; content:"teststr="; depth:8; nocase; http_client_body; fast_pattern; content:"&testval="; nocase; distance:0; http_client_body; http_accept; content:"??"; metadata: former_category TROJAN; reference:md5,e2d136bb63edc092d2f3d26885b239d9; classtype:trojan-activity; sid:2025168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2017_12_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9755
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M1"; flow:established,to_server; http_request_line; content:"GET|20|/api/up.php|20|HTTP/1.1"; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Content-Type"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9759
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server;  content:"POST"; http_method; content:"/update.php"; http_uri; isdataat:!1,relative; fast_pattern; content:"data="; http_client_body; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/PRsi"; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9760
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Backdoor.Agent.qweydh CnC Activity"; flow:established,to_server; content:".php?mac="; http_uri; fast_pattern; pcre:"/^[0-9A-F]{12}$/RU"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:trojan-activity; sid:2025172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_22, performance_impact Moderate, updated_at 2017_12_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9761
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Zeus Panda CnC Domain (in DNS Lookup)"; dns_query; content:"pprulispikosqcsiwef.info"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:trojan-activity; sid:2025177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_29, malware_family Zeus_Panda, performance_impact Moderate, updated_at 2017_12_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9762
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 9"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; urilen:1; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_29, updated_at 2017_12_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9763
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MedusaHTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; http_user_agent; fast_pattern; isdataat:!1,relative; content:"xyz="; http_client_body; depth:4; content:"|7c|"; http_client_body; distance:0; content:"|7c|"; http_client_body; distance:0;  http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:trojan-activity; sid:2025187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_05, malware_family MedusaHTTP, performance_impact Moderate, updated_at 2018_01_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9791
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET TROJAN Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; metadata: former_category TROJAN; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, updated_at 2018_01_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9792
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; content:"GET"; http_method; content:".php?TIe="; http_uri; fast_pattern; pcre:"/^[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d]+$/RU";content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; threshold: type both, count 5, seconds 120, track by_src; metadata: former_category TROJAN; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; classtype:trojan-activity; sid:2025198; rev:2; metadata:created_at 2018_01_11, updated_at 2018_01_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9793
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Mami CnC Checkin"; flow:established,to_server; content:"User-Agent|3a 20 0d 0a|"; http_header; fast_pattern; content:"r="; http_client_body; depth:2; content:"&rc="; distance:0; http_client_body; http_request_line; content:"POST|20|/|20|HTTP/1.1"; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:trojan-activity; sid:2025199; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_14, malware_family Mami, performance_impact Moderate, updated_at 2018_01_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9794
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET TROJAN OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; metadata: former_category TROJAN; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Mami, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9795
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; tls_sni; content:"cryptoclipper.ru"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9796
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,bad07f85a7baaeaa8aeb72997712aa98; classtype:trojan-activity; sid:2025202; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9797
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MoneroPay Ransomware Payment Activity"; flow:established,to_server; content:"GET"; http_method; content:"/paid?id="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{16}$/RU"; http_header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; content:!"Connection"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_16, malware_family Ransomware, performance_impact Moderate, updated_at 2018_01_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9798
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Adwind SSL Certificate Observed"; flow:established,from_server; tls_cert_serial; content: "70:FE:E3:2F"; fast_pattern; tls_cert_issuer; content:"hgfyuilijhk"; metadata: former_category TROJAN; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:2025209; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_18, malware_family Adwind, malware_family Qarallex, performance_impact Low, updated_at 2018_01_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9800
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Formbook 0.3 Checkin"; flow:to_server,established; content:"POST"; http_method; content:"Mozilla"; http_user_agent; depth:7; content:"dat="; depth:4; http_client_body; nocase; fast_pattern; pcre:"/^[a-z0-9_\/+-]{1000}/PRi"; metadata: former_category TROJAN; reference:md5,6886a2ebbde724f156a8f8dc17a6639c; classtype:trojan-activity; sid:2024436; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_29, malware_family Password_Stealer, updated_at 2017_11_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9804
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern:5,20; http_header; content:"l"; http_client_body; depth:1; content:"=OTl"; within:8; http_client_body; content:"&e"; http_client_body; distance:0; content:"="; http_client_body; within:6; content:"&m"; http_client_body; distance:0; content:"="; http_client_body; within:6; metadata: former_category TROJAN; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:trojan-activity; sid:2025234; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, malware_family travle, malware_family PYLOT, malware_family Rodecap, performance_impact Moderate, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9807
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php?act=hi&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"&dotnetver="; http_uri; content:"&onwork="; http_uri; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025235; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9808
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/SamMiner CnC Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php?act=info&uid="; http_uri; fast_pattern; content:"&ver="; http_uri; content:"info="; depth:5; http_client_body; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:trojan-activity; sid:2025237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_22, performance_impact Moderate, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9809
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Brazilian Banker CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Embarcadero URI Client/1.0"; http_user_agent; content:"AS100="; fast_pattern; http_client_body; content:"AS200="; distance:0; http_client_body; metadata: former_category TROJAN; reference:md5,94cd521945da6ab73bc7a1462283d22a; classtype:trojan-activity; sid:2025241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_01_22, malware_family Banking_Trojan, performance_impact Low, updated_at 2018_01_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9810
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ELF/TooEasy Miner CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?p="; http_uri; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|msg|22|"; http_client_body; content:"|0d 0a|Downloading files|0d 0a|"; http_client_body; fast_pattern; content:"curl/"; http_user_agent; depth:5; http_header_names; content:!"Accept-"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dc62dd14321dfa9f14c094a7b1e20979; classtype:trojan-activity; sid:2025251; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, performance_impact Moderate, updated_at 2018_01_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9811
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php?token="; http_uri; fast_pattern; pcre:"/^[0-9]{2,6}$/RU"; content:"data="; http_client_body; depth:5; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/RPs"; http_content_len; byte_test:0,>,200,0,string,dec; http_header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie"; metadata: former_category TROJAN; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:trojan-activity; sid:2025254; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_26, malware_family GandCrab, performance_impact Moderate, updated_at 2018_01_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9813
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; dns_query; content:"cryptoclipper.ru"; isdataat:!1,relative; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:2; metadata:created_at 2018_01_29, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9814
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; tls_sni; content:"projectevrial.ru"; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:2; metadata:created_at 2018_01_29, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9815
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/upload.php?user="; http_uri; fast_pattern; content:"&hwid="; http_uri; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http_client_body; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,485069677e997ff6ce193be7258c783f; classtype:trojan-activity; sid:2025266; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_29, malware_family Evrial, performance_impact Moderate, updated_at 2018_01_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9816
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; content:"?hwid="; http_uri; content:"&group="; http_uri; fast_pattern; content:"&os="; http_uri; content:"&cpu="; http_uri; content:"GET"; http_method;  content:!"Referer|3a|"; http_header; threshold: type both, track by_src, count 2, seconds 60; metadata: former_category TROJAN; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:trojan-activity; sid:2025253; rev:4; metadata:created_at 2018_01_26, updated_at 2018_01_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9817
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"/kb/"; http_uri; depth:4; fast_pattern; pcre:"/^\d{4,8}$/UR"; content:!"Microsoft Outlook"; http_user_agent; http_header_names; content:!"Referer"; content:"User-Agent"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025120; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Smoke_Loader, signature_severity Major, created_at 2017_12_05, updated_at 2018_01_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9818
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan-Dropper.Delf Checkin"; flow:established,to_server; content:"/autoupdate/versaoatual.txt"; fast_pattern; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; http_user_agent; metadata: former_category TROJAN; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:trojan-activity; sid:2025283; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_01, malware_family Dropper, performance_impact Low, updated_at 2018_02_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9820
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise Style IP Check"; flow:to_server,established; urilen:16; content:"/myip?format=txt"; http_uri; content:"api.ipaddress.com"; http_host; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; http_user_agent; http_header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025289; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_01, malware_family elise, performance_impact Moderate, updated_at 2018_02_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9821
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/U"; content:"=|3b 20|"; http_cookie; content:"=|3b 20|"; http_cookie; distance:0; content:"=|3b|"; http_cookie; distance:0; isdataat:!1,relative; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family elise, performance_impact Moderate, updated_at 2018_02_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9824
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns_query; content:"getfreshnews.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, performance_impact Moderate, updated_at 2018_02_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9825
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?action="; http_uri; content:"&hwid="; http_uri; distance:0; content:"&access="; fast_pattern; http_uri; distance:0; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:trojan-activity; sid:2025344; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_12, malware_family Ars_Stealer, performance_impact Moderate, updated_at 2018_02_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9831
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer Retrieving CnC Information"; flow:established,to_server; content:"GET"; http_method; content:"/Project-Evrial-C2-DOMAIN-"; http_uri; fast_pattern; nocase; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; metadata: former_category TROJAN; reference:md5,540c736b7e11287805ddd4f3a9d37934; classtype:trojan-activity; sid:2025346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_13, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9832
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Agent.BIC Variant CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?response="; http_uri; content:"&cpu="; http_uri; distance:0; content:"&gpu="; http_uri; distance:0; content:"&ram="; http_uri; distance:0; content:"&name="; http_uri; distance:0; content:"&os="; http_uri; distance:0; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,C6C781F0ED065476A4297C2AC96A6D83; classtype:trojan-activity; sid:2025359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_15, malware_family Agent_BIC, performance_impact Low, updated_at 2018_02_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9833
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server;  content:"POST"; http_method; urilen:8; content:"/waiting"; http_uri; fast_pattern; content:"BC_Vic_"; http_user_agent; depth:7; content:"BC_SPL"; http_user_agent; distance:0; isdataat:!1,relative; threshold: type limit, track by_dst, seconds 30, count 1; http_header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:trojan-activity; sid:2025370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_19, malware_family Backdoor_Small, performance_impact Low, updated_at 2018_02_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9834
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evrial Stealer CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report - "; http_client_body; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; http_client_body; distance:19; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:trojan-activity; sid:2025375; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_21, malware_family Evrial, performance_impact Moderate, updated_at 2018_02_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9835
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MalDoc Retrieving Malicious Payload (Possibly Ursnif)"; flow:established,to_server; content:".bin"; http_uri; isdataat:!1,relative; content:"Microsoft BITS/"; http_user_agent; depth:15; fast_pattern; content:!"microsoft.com"; http_host; content:!"pdfcomplete.com"; http_host; content:!"mymitchell.com"; http_host; content:!"azureedge.net"; http_host; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dbba37d4aec066a525f9cf3d9bdb27d8; classtype:trojan-activity; sid:2024420; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2018_02_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9836
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; isdataat:!1,relative; threshold: type both, track by_src, count 10, seconds 30; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9846
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/FlawedAmmyy RAT CnC Checkin"; flow:established,to_server; content:"|00 00 00 69 64 3d|"; depth:10; content:"|26 6f 73 3d|"; distance:0; within:30; content:"|26 70 72 69 76 3d|"; distance:0; within:20; content:"|26 63 72 65 64 3d|"; distance:0; within:20; content:"|26 70 63 6e 61 6d 65 3d|"; distance:0; content:"|26 61 76 6e 61 6d 65 3d|"; distance:0; content:"|26 62 75 69 6c 64 5f 74 69 6d 65 3d|"; distance:0; fast_pattern; content:"|26 63 61 72 64 3d|"; distance:0; metadata: former_category TROJAN; reference:md5,32485b8cedc5b79aa1bf2d7ceae0ef31; classtype:trojan-activity; sid:2025408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_01, malware_family FlawedAmmyy, performance_impact Moderate, updated_at 2018_03_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9852
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; tls_cert_subject; content:"CN=www.instrumentshigh.com.br"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:trojan-activity; sid:2025433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2018_03_14, malware_family Bancos, performance_impact Moderate, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9854
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls_cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc.";  metadata: former_category TROJAN; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9855
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls_cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc.";  metadata: former_category TROJAN; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9856
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Google)"; tls_cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; tls_cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc.";  metadata: former_category TROJAN; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9857
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls_cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; tls_cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc.";  metadata: former_category TROJAN; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_12, malware_family QRat, performance_impact Low, updated_at 2018_03_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9858
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer IP Lookup"; flow:established,to_server;  content:"POST"; http_method; content:"Arkei/"; http_user_agent; depth:6; fast_pattern; content:"ip-api.com"; http_host; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9859
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer Config Download Request"; flow:established,to_server;  content:"POST"; http_method; content:"/grubConfig"; http_uri; content:"Arkei/"; http_user_agent; depth:6; fast_pattern; metadata: former_category TROJAN; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_04_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9860
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Cobalt Group SSL Certificate Detected"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dns-verifon.com"; distance:1; within:16; metadata: former_category TROJAN; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:trojan-activity; sid:2025438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_26, malware_family Cobalt_Group, performance_impact Low, updated_at 2018_03_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9865
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"valor="; depth:6; http_client_body; content:"verde"; http_client_body; content:"branco"; http_client_body; content:"vermelho"; fast_pattern:only; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:trojan-activity; sid:2018516; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2014_04_24, performance_impact Low, updated_at 2018_03_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9866
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M2"; flow:established,to_server; content:"GET"; http_method; content:"/vstudio"; http_uri; fast_pattern; urilen:8; content:"msdn.microsoft.com"; http_host; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9867
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Sharik/Smoke Loader Microsoft Connectivity check M3"; flow:established,to_server; content:"GET"; http_method; content:"/visualstudio/"; http_uri; fast_pattern; urilen:14; content:"www.microsoft.com"; http_host; http_header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, updated_at 2018_03_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9868
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 10"; flow:established,to_server; content:"POST"; http_method; pcre:"/\/\d+\/$/U"; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|User-Agent"; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_27, malware_family Smoke_Loader, performance_impact Moderate, updated_at 2018_03_27;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9869
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; dns_query; content:"chlenaverasiskihe.sex"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9871
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Quant Loader Download Request"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; http_uri; fast_pattern; content:"&c="; distance:0; nocase; http_uri; content:"&mk="; distance:0; nocase; http_uri; content:"&il="; distance:0; nocase; http_uri; content:"&vr="; distance:0; nocase; http_uri; content:"&bt="; distance:0; nocase; http_uri; content:!"Referer"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_10, performance_impact Moderate, updated_at 2018_04_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9874
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; content:"POST"; http_method; content:".js"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025464; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, malware_family OceanLotus, performance_impact Low, updated_at 2018_04_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9877
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; content:"GET"; http_method; content:".css"; http_uri; isdataat:!1,relative; content:"curl/"; http_user_agent; content:"|0d 0a|Cookie|3a 20|m_pixel_ratio="; fast_pattern; pcre:"/^m_pixel_ratio=[a-f0-9]{32}\x3b$/C"; http_header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; threshold:type limit, count 1, seconds 30, track by_src; metadata: former_category TROJAN; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:trojan-activity; sid:2025465; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_05, performance_impact Low, updated_at 2018_04_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9878
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot User-Agent"; flow:established,to_server; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative;  http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9882
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&bit="; http_uri; content:"&info=Windows|3a 20|"; http_uri; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9883
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/DanijBot CnC Task Status"; flow:established,to_server; content:"GET"; http_method; content:"?hwid="; http_uri; content:"&taskId="; http_uri; distance:0; content:"Botnet by Danij"; http_user_agent; fast_pattern; depth:15; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_06, malware_family DanijBot, performance_impact Moderate, updated_at 2018_04_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9884
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Qrat, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_03_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9885
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pontoeb CnC"; flow:established,to_server; content:"N0PE"; depth:4; http_user_agent; fast_pattern; content:"mode="; depth:5; http_client_body; metadata: former_category TROJAN; reference:md5,1a44b59105e584bac969408f9617133f; reference:url,urlhaus.abuse.ch/url/4452/; classtype:trojan-activity; sid:2025484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2018_04_11, malware_family Pontoeb, performance_impact Low, updated_at 2018_04_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9886
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"{|22|encry|22 3a 22|"; http_client_body; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; http_client_body; distance:0; content:"|22|guid|22 3a 22|"; http_client_body; distance:0; content:"|22|start|22 3a 22|"; http_client_body; distance:0; content:"|22|market|22 3a 22|"; http_client_body; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:trojan-activity; sid:2025486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_12, malware_family Iron_Locker, performance_impact Moderate, updated_at 2018_04_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9887
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; tls_cert_subject; content:"CN=ok.investments"; fast_pattern; nocase; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:trojan-activity; sid:2025485; rev:3; metadata:created_at 2018_04_11, updated_at 2018_04_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9888
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN LokiBot Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Key|3a 20|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20/Hi"; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:trojan-activity; sid:2025381; rev:4; metadata:created_at 2015_11_23, updated_at 2018_04_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9890
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; content:"404"; http_stat_code; file_data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_10, malware_family lokibot, performance_impact Low, updated_at 2018_04_13;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9900
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Quant Loader Download Response M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"exe=http://"; within:30; nocase; fast_pattern; content:"|2e|exe|3b|"; distance:0; nocase; metadata: former_category TROJAN; reference:md5,aa0b114a64683d89f62d26a088e164f6; classtype:trojan-activity; sid:2024206; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_04_17, performance_impact Moderate, updated_at 2017_04_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9908
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_11, updated_at 2015_02_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9911
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Requesting Payload"; flow:established,to_server; content:"GET"; http_method; content:"?Value=13&idPayload="; http_uri; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9912
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G2 Stealer/GravityRAT CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?Value="; http_uri; content:"UserCode="; http_uri; distance:0; content:"MacId="; http_uri; distance:0; content:"HitDate="; http_uri; distance:0; content:"FingerPrint="; http_uri; distance:0; fast_pattern; content:"CurrentIp="; http_uri; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; content:!"Connection"; metadata: former_category TROJAN; reference:md5,6899c2219764bac56007ce80021bfcbf; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9913
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"POST"; http_method; content:".php?VALUE=2&Type="; http_uri; fast_pattern; content:"&SIGNATUREHASH="; http_uri; distance:0; http_header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9914
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; content:"GET"; http_method; content:"?Value=11&FileName="; http_uri; fast_pattern; content:"&FileSize="; http_uri; distance:0; content:"&Macid="; http_uri; distance:0; content:"&UserCode="; http_uri; distance:0; metadata: former_category TROJAN; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_26, malware_family GravityRAT, performance_impact Low, updated_at 2018_04_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9915
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M1"; content:".bit"; http_host; isdataat:!1,relative; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/W"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9919
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely GandCrab Ransomware Domain in HTTP Host M2"; content:".coin"; http_host; isdataat:!1,relative; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/W"; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_04_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9920
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; dns_query; content:"ransomware.bit"; nocase; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_04_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9921
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; dns_query; content:"zonealarm.bit"; nocase; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_02, malware_family GandCrab, performance_impact Moderate, updated_at 2018_05_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9922
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; dns_query; content:"carder.bit"; isdataat:!1,relative; threshold: type both, track by_src, count 1, seconds 120; metadata: former_category TROJAN; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_30, malware_family GandCrab, updated_at 2018_05_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9923
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; nocase; isdataat:!1,relative; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; http_user_agent; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_accept; content:"*/*"; http_connection; content:"Keep-Alive"; http_content_len; byte_test:0,<,110,0,string,dec; http_header_names; content:!"Referer"; content:!"Accept-Encoding"; content:!"Content-Type"; metadata: former_category TROJAN; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; classtype:trojan-activity; sid:2025557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT10, signature_severity Major, created_at 2018_05_02, updated_at 2018_05_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9925
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns_query; content:"3whyfziey2vr41yq";depth:16; metadata: former_category TROJAN; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_07, malware_family Ransomware, updated_at 2018_05_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9926
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; content:"POST"; http_method; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/U"; pcre:"/\.(?:bit|coin|sex|com|gandcrab\d*)$/W";content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http_user_agent; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Psi"; http_content_len; byte_test:0,>,4000,0,string,dec; http_header_names; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:67; fast_pattern; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:trojan-activity; sid:2025455; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_03_06, performance_impact Moderate, updated_at 2018_04_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9927
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; dns_query; content:"y5mogzal2w25p6bn.ml"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_08, malware_family Ransomware, updated_at 2018_05_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9928
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; content:"POST"; http_method; content:".php?b="; http_uri; nocase; pcre:"/^[A-F0-9]{30}$/URi"; http_content_len; content:"0"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025164; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9931
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?cx="; http_uri; nocase; fast_pattern; content:"&b="; http_uri; nocase; distance:0; content:"&gt="; http_uri; nocase; distance:0; content:"&tx="; http_uri; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+&gt=[A-F0-9]+&tx=[A-F0-9]+$/Ui"; http_content_len; content:"0"; metadata: former_category TROJAN; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:trojan-activity; sid:2025163; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_21, updated_at 2018_05_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9932
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN InfoBot Sending Machine Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"infobot"; http_user_agent; depth:7; isdataat:!1,relative; content:"|7b 22|bits|22 3a 20 22|"; http_client_body; depth:10; content:"|22|cpun|22 3a 20 22|"; http_client_body; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9933
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN InfoBot Sending LAN Details"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; http_client_body; depth:12; fast_pattern; content:"|22 7d|"; http_client_body; distance:0; within:3; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9934
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Unk.Stealer CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"/check.php"; http_uri; isdataat:!1,relative; fast_pattern; content:"m="; http_client_body; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Psi"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:trojan-activity; sid:2025580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_16, performance_impact Moderate, updated_at 2018_05_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9935
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; content:"GET"; http_method; content:"data.php?id="; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/Ui"; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?$/Hmi"; metadata: former_category TROJAN; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:trojan-activity; sid:2024239; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_03_14, malware_family Karmen_Ransomware, performance_impact Moderate, updated_at 2018_05_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9936
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; metadata: former_category TROJAN; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:trojan-activity; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_18, updated_at 2018_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9938
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DDoS.XOR Checkin via HTTP"; flow:established,to_server; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; http_user_agent; fast_pattern:21,20; metadata: former_category TROJAN; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:trojan-activity; sid:2021336; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2015_06_23, malware_family DDoS_XOR, performance_impact Low, updated_at 2018_05_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9939
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?generate="; http_uri; fast_pattern; content:"/-"; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,31d65e315115c823f619a381576984f8; classtype:trojan-activity; sid:2025586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_30, malware_family Aurora, malware_family OneKeyLocker, performance_impact Moderate, updated_at 2018_05_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9941
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; content:"POST"; http_method;  content:"/image/upload.php"; http_uri; fast_pattern; content:"filename=|22|"; http_client_body; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/PR"; http_header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:3; metadata:created_at 2015_07_20, updated_at 2015_07_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9942
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/?id="; http_uri; depth:5; content:"&pt="; http_uri; distance:0; within:20; fast_pattern; pcre:"/^[a-f0-9]{32}$/Vi"; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Pi"; http_content_type; content:"application/x-www-form-urlencoded"; http_header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:trojan-activity; sid:2025598; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Dropper, signature_severity Major, created_at 2018_06_21, malware_family Autoit_NU, performance_impact Low, updated_at 2018_06_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9949
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; content:"HEAD"; http_method; content:".php1"; http_uri; isdataat:!1,relative; fast_pattern; content:"Microsoft BITS/"; http_user_agent; content:!"Referer|3a|"; http_header; pcre:"/\/[0-9]{10}.php1$/U"; metadata: former_category TROJAN; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_06_25, updated_at 2018_06_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9958
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Remcos RAT Checkin 23"; flow:established,to_server; dsize:<500; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:trojan-activity; sid:2025637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_03, updated_at 2018_07_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9965
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; http_header; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http_header; content:"|20|MSIE|20|"; http_user_agent; http_header_names; content:!"Referer"; http_protocol; content:"HTTP/1.0"; flowbits:set,ET.Fareit.chk; metadata: former_category TROJAN; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:12; metadata:created_at 2012_03_22, updated_at 2018_07_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9966
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Zeus P2P Variant Check-in"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"/update"; http_uri; fast_pattern; pcre:"/^[a-z0-9]+\.(?:biz|com|net|org)/W"; http_header_names; content:!"User-Agent"; metadata: former_category TROJAN; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018667; rev:4; metadata:created_at 2014_07_11, updated_at 2017_03_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9967
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN [eSentire] Unknown Banker CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_07_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9970
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rostpay Downloader User-Agent"; flow:established,to_server; content:"Rostpay Downloader"; nocase; depth:18; isdataat:!1,relative; http_user_agent; metadata: former_category TROJAN; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_16, updated_at 2018_07_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9971
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; metadata: former_category TROJAN; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025392; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_26, malware_family QRat, updated_at 2018_07_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9973
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern; pcre:"/^(?:\?[0-9])?/UR"; pcre:"/\/wp-(?:content|admin|includes)\//U"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,adabe1b995e6633dee19fdd2fdc4957a; classtype:trojan-activity; sid:2021697; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Wordpress, signature_severity Major, created_at 2015_08_20, performance_impact Low, updated_at 2018_07_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9974
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN AZORult Variant.4 Checkin M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"|4a 2f fb|"; fast_pattern; http_client_body; content:"|2f fb|"; http_client_body; depth:11; content:!"Referer"; http_header; metadata: former_category TROJAN; reference:md5,0ac55b5056364cdac63aaf05f9d7f654; reference:url,twitter.com/James_inthe_box/status/1020522733984100352?s=03; classtype:trojan-activity; sid:2025885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_23, malware_family AZORult, updated_at 2018_07_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9975
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; tls_sni; content:"www.cpuproc.com"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9976
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; tls_cert_subject; content:"CN=cpuproc.com"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9977
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any 53 (msg:"ET TROJAN OilRig QUADAGENT DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|mail|06|"; distance:0; nocase; pcre:"/^\d{6}/Ri"; content:"|07|cpuproc|03|com|00|"; fast_pattern; distance:0; within:13; nocase; threshold: type limit, count 1, seconds 60, track by_src; metadata: former_category TROJAN; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_25, malware_family QuadAgent, performance_impact Low, updated_at 2018_07_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9978
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] Remcos RAT Checkin 24"; flow:established,to_server; dsize:<380; content:"|e8 ee 51 c7 05 29 cd 17 31 7b fd|"; depth:11; fast_pattern; content:"|55 47|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,98202283d7752779abd092665e80af71; classtype:trojan-activity; sid:2025921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2018_07_31, malware_family Remcos, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9980
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/ks8d"; http_uri; depth:5; content:"akspbu.txt"; http_uri; isdataat:!1,relative; content:"Mozilla/4.0|20 28|compatible|3b|MSIE|20|6.0|3b|"; http_user_agent; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; pcre:"/^\/ks8d(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)akspbu\.txt$/Ui"; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9981
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:<100; content:"|81 b2 a8 97 7e a3 1b 91|"; http_client_body; depth:8; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9982
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 4"; dns_query; content:"euiro8966.organiccrap.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025927; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9983
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 3"; dns_query; content:"kted56erhg.dynssl.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025926; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9984
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 2"; dns_query; content:"www.hosting.tempors.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9985
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 1"; dns_query; content:"jennifer998.lookin.at"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025924; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9986
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Win32/Bisonal DNS Lookup 5"; dns_query; content:"games.my-homeip.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_31, malware_family Bisonal, performance_impact Low, updated_at 2018_07_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9987
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Aurora Ransomware CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?generate="; http_uri; fast_pattern; content:"/"; http_uri; distance:0; content:"&hwid="; http_uri; distance:0; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,2409c058a86cd8743abb10a5735ef487; classtype:trojan-activity; sid:2025931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_30, malware_family Aurora_Ransomware, performance_impact Moderate, updated_at 2018_08_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9988
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [eSentire] Remcos RAT Checkin 25"; flow:established,to_server; dsize:<380; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; fast_pattern; content:"|35 03|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,41c292b0cb2a4662381635a3316226f4; classtype:trojan-activity; sid:2025984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_09, malware_family Remcos, updated_at 2018_08_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9989
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Associated with Lazarus Downloader (JEUSD)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|celasllc.com"; distance:1; within:13; fast_pattern; metadata: former_category TROJAN; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,blogs.360.cn/blog/apt-c-26/; classtype:trojan-activity; sid:2025990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Major, created_at 2018_08_15, malware_family JEUSD, performance_impact Low, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9990
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Lazarus Downloader (JEUSD) CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a 20|form-data|3b| name=|22|upload|22 3b| filename=|22|temp.gif|22 0d 0a|"; http_client_body; fast_pattern:48,20; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,blogs.360.cn/blog/apt-c-26/; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; classtype:trojan-activity; sid:2025991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Lazarus, signature_severity Critical, created_at 2018_08_15, malware_family JEUSD, performance_impact Low, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9991
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Arkei Stealer Client Data Upload"; flow:established,to_server;  content:"POST"; http_method; content:"form-data|3b 20|name=|22|hwid|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|os|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|platform|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|user|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|pcount|22|"; http_client_body; nocase; distance:0; content:"form-data|3b 20|name=|22|cccount|22|"; http_client_body; nocase; distance:0; metadata: former_category TROJAN; reference:md5,72bcbfd1020d002d2e20e0707b8ef700; classtype:trojan-activity; sid:2025431; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Stealer, signature_severity Major, created_at 2018_03_13, malware_family Arkei, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9992
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 11"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; urilen:1; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Referer|0d 0a|User-Agent"; metadata: former_category TROJAN; reference:md5,d110be58537aa8420a9c25f4879ca77b; classtype:trojan-activity; sid:2025993; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_15, malware_family Sharik, malware_family Smoke_Loader, malware_family SmokeLoader, updated_at 2018_08_15;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 9993
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; http_user_agent; depth:64; fast_pattern; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; content:!"|00 00|"; depth:30; http_client_body; content:"|00 00|"; offset:34; depth:2; http_client_body; content:"|00 00|"; distance:2; within:2; http_client_body; content:"|00 00|"; distance:2; within:2; http_client_body; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:md5,be312fdb94f3a3c783332ea91ef00ebd; classtype:trojan-activity; sid:2026002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Tinba, signature_severity Major, created_at 2018_08_20, updated_at 2018_08_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10002
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 26"; flow:established,to_server; stream_size:server,=,1; content:"|5a 95 2a 22 4d 37 9e 51 83 55 8f|"; depth: 11; metadata: former_category TROJAN; reference:md5,8f8d778bea33bc542b58c0631cf9d7e0; classtype:trojan-activity; sid:2026004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Remcos, signature_severity Major, created_at 2018_08_21, updated_at 2018_08_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10003
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,from_server; content:"|55 04 0a|"; content:"|27|Agency Protocols Management of Internet"; distance:1; within:40; content:"|55 04 03|"; distance:0; content:"|0d|bestylish.com"; distance:1; within:14; fast_pattern; metadata: former_category TROJAN; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2022209; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, tag Banking_Trojan, signature_severity Major, created_at 2015_12_02, malware_family Bancos, malware_family DarkTequila, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10005
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 26"; flow:established,to_server; dsize:<500; content:"|24 8a 91 18 92 bb 4b 55 39 bc ed|"; depth:11; fast_pattern; content:"|c5 de|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,81cecc440bd57a736ef6e473e77d5a1b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026016; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10007
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 27"; flow:established,to_server; dsize:<500; content:"|bf 9b b2 d8 b7 a9 86 78 26 d6 10|"; depth:11; fast_pattern; content:"|0e 24|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,5c52234cf35ab8d08b10fcc3c2a9d32b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10008
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 28"; flow:established,to_server; dsize:<500; content:"|ea 7f 70 7a 80 7c 4a a9 1b 68 8e|"; depth:11; fast_pattern; content:"|81 9c|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,29a0d1bc5abfbbf0bdf15ffa762cac27; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.htm; classtype:trojan-activity; sid:2026018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10009
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 29"; flow:established,to_server; dsize:<500; content:"|5e 0d 10 db 92 bf 73 6c 7d 6f 5d|"; depth:11; fast_pattern; content:"|67 04|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,5cb07299cedd69f096b09358754831e0; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10010
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Remcos RAT Checkin 30"; flow:established,to_server; dsize:<500; content:"|81 29 6b 48 7f c7 22 ec 9b 9e b6|"; depth:11; fast_pattern; content:"|d8 95|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; metadata: former_category TROJAN; reference:md5,63d36de591491d04071b4dc0a39d5fab; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:trojan-activity; sid:2026020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_08_23, malware_family Remcos, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10011
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns_query; content:"bigboss.x24hr.com"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_23, malware_family BISKVIT, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10012
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN MSIL/BISKVIT DNS Lookup (secured-links .org)"; dns_query; content:"secured-links.org"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_23, malware_family BISKVIT, performance_impact Low, updated_at 2018_08_23;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10013
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:trojan-activity; sid:2019202; rev:4; metadata:created_at 2014_09_22, updated_at 2014_09_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10015
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32.FakeEzQ.kr Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"MyAgent"; isdataat:!1,relative; http_user_agent; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,7afebc844a3313eb2a89b3028fbba7a6; reference:url,otx.alienvault.com/pulse/5b8844d6db17df1779153624; classtype:trojan-activity; sid:2026071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_08_31, updated_at 2018_08_31;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10017
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:100<>325; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"/index.php"; http_uri; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/U"; content:!"desktopad.com"; http_header; content:!"DriverUpdate"; http_header; content:!"act=bkw9"; http_uri; nocase; content:!"mydlink.com"; http_header; content:!"remocam.com"; http_host; metadata: former_category TROJAN; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019378; rev:13; metadata:created_at 2014_10_09, updated_at 2018_09_03;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10018
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/BanloadDownloader.XZY Retrieving Payload"; flow:to_server,established; content:"GET"; http_method; content:"/sosdoudou_V3/"; http_uri; fast_pattern; content:"WinHttp.WinHttpRequest"; http_user_agent; content:!"Accept-"; http_header; content:!"Referer|3a 20|"; http_header; metadata: former_category TROJAN; reference:md5,98376de10118892f0773617da137c2be; reference:md5,599ea45f5420f948e0836239eb3ce772; classtype:trojan-activity; sid:2024499; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_07_26, malware_family Banload, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10026
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Suspected Monero Miner CnC Channel TXT Lookup"; dns_query; content:".c2kgw8jt5869nspr4.com"; fast_pattern; threshold:type limit, track by_src, count 1, seconds 300; metadata: former_category TROJAN; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:trojan-activity; sid:2026097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_05, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10027
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Suspected Monero Miner CnC Channel Secondary Domain Lookup"; dns_query; content:"mylog.icu"; threshold:type limit, track by_src, count 1, seconds 300; metadata: former_category TROJAN; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:trojan-activity; sid:2026098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_05, malware_family CoinMiner, performance_impact Moderate, updated_at 2018_09_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10028
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Aura Ransomware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:"{KIARA}"; http_user_agent; fast_pattern; content:"id="; http_client_body; depth:3; content:"&guid="; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_06, malware_family Aura, performance_impact Moderate, updated_at 2018_09_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10029
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Eredel Stealer CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?hwid="; http_uri; content:"&os="; http_uri; content:"&cookie="; http_uri; content:"&pswd="; http_uri; fast_pattern; content:"&telegram="; http_uri; content:"&version=v"; http_uri; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,4b5e27e843e1b26aedec66f9e87c9960; classtype:trojan-activity; sid:2025982; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_17, malware_family Eredel, performance_impact Moderate, updated_at 2018_08_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10030
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"WAIT|20|"; depth:15; content:"CERT|20|"; fast_pattern; distance:0; within:20; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/RQi"; metadata: former_category TROJAN; reference:md5,20148e48668cb5e0b22d437ee0443cfe; reference:url,research.checkpoint.com/ramnits-network-proxy-servers/; classtype:trojan-activity; sid:2026113; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_14, malware_family Ramnit, performance_impact Low, updated_at 2018_09_14;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10032
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x57|5c|x53|5c|x63|5c|x72|5c|x69|5c|x70|5c|x74|5c|x2E|5c|x53|5c|x68|5c|x65|5c|x6C|5c|x6C"; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, signature_severity Major, created_at 2018_09_20, malware_family Xbash, performance_impact Low, updated_at 2018_09_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10042
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded PowerShell Args Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x70|5c|x6F|5c|x77|5c|x65|5c|x72|5c|x73|5c|x68|5c|x65|5c|x6C|5c|x6C|5c|x2E|5c|x65|5c|x78|5c|x65"; content:"|5c|x2D|5c|x65|5c|x78|5c|x65|5c|x63|5c|x75|5c|x74|5c|x69|5c|x6F|5c|x6E|5c|x70|5c|x6F|5c|x6C|5c|x69|5c|x63|5c|x79|5c|x20|5c|x62|5c|x79|5c|x70|5c|x61|5c|x73|5c|x73"; distance:0; fast_pattern; content:"|5c|x2D|5c|x77|5c|x69|5c|x6E|5c|x64|5c|x6F|5c|x77|5c|x73|5c|x74|5c|x79|5c|x6C|5c|x65|5c|x20|5c|x68|5c|x69|5c|x64|5c|x64|5c|x65|5c|x6E"; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026331; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, signature_severity Major, created_at 2018_09_20, malware_family Xbash, performance_impact Low, updated_at 2018_09_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10043
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"|5c|x73|5c|x79|5c|x73|5c|x74|5c|x65|5c|x6D|5c|x2E|5c|x6E|5c|x65|5c|x74|5c|x2E|5c|x77|5c|x65|5c|x62|5c|x63|5c|x6C|5c|x69|5c|x65|5c|x6E|5c|x74|5c|x29|5c|x2E|5c|x64|5c|x6F|5c|x77|5c|x6E|5c|x6C|5c|x6F|5c|x61|5c|x64|5c|x66|5c|x69|5c|x6C|5c|x65|5c|x28"; fast_pattern; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, signature_severity Major, created_at 2018_09_20, malware_family Xbash, performance_impact Low, updated_at 2018_09_20;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10044
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Scarsi Variant CnC Activity"; flow:to_server,established; content:"/WP"; http_uri; content:".php"; distance:0; within:50; http_uri; isdataat:!1,relative; content:"Content-Length|3a 20|"; http_header; byte_test:1,>,0x30,0,relative; content:!"Referer|3a 20|"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|3b| Charset=UTF-8|0d 0a|"; http_header; fast_pattern:44,20; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/Ui"; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/Psi"; metadata: former_category TROJAN; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:trojan-activity; sid:2024758; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, performance_impact Low, updated_at 2017_09_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10047
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MS_D0wnl0ad3r Screenshot Upload"; flow:to_server,established; content:"POST"; http_method; content:"boundary=MS_D0wnl0ad3r"; http_header; metadata: former_category TROJAN; reference:md5,f40248a592ed711d95eb8b48b31a1ed8; classtype:trojan-activity; sid:2026361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_24, malware_family Downloader, updated_at 2018_09_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10049
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN Reaper (APT37) DNS Lookup (kmbr1 .nitesbr1 .org)"; dns_query; content:"kmbr1.nitesbr1.org"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:trojan-activity; sid:2026432; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT37, tag Reaper, signature_severity Major, created_at 2018_10_01, malware_family Final1stspy, malware_family DOGCALL, performance_impact Low, updated_at 2018_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10055
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Final1stspy CnC Checkin (Reaper/APT37 Stage 1 Payload)"; flow:established,to_server; content:"GET"; http_method; content:".php?MachineId="; http_uri; content:"&InfoSo="; http_uri; distance:0; content:"&Index="; http_uri; distance:0; content:"&Account="; http_uri; distance:0; content:"&List="; http_uri; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/RUi"; content:"Host|20|Process|20|Update"; http_user_agent; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:trojan-activity; sid:2026431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT37, tag ReaperGroup, signature_severity Major, created_at 2018_10_01, malware_family Final1stspy, performance_impact Low, updated_at 2018_10_01;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10056
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server;stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; metadata: former_category TROJAN; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:trojan-activity; sid:2026433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_02, malware_family Remcos, updated_at 2018_10_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10057
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; content:"GET"; http_method; content:"client?mac_address="; http_uri; content:"&agent_id="; http_uri; distance:0; content:"agent_file_version"; content:"cpprestsdk/"; http_user_agent; fast_pattern; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:trojan-activity; sid:2026435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_04, malware_family ActiveAgent, updated_at 2018_10_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10058
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.YordanyanActiveAgent Generic CnC Pattern"; flow:established,to_server; content:"/rest/v"; http_uri; content:"/clients/client?"; http_uri; distance:0; content:"&agent_id="; http_uri; distance:0; fast_pattern; content:!"Mozilla"; http_user_agent; content:!"Referer"; http_header; content:!"Accept"; http_header; metadata: former_category TROJAN; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:trojan-activity; sid:2026436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_04, malware_family ActiveAgent, updated_at 2018_10_04;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10059
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=www.windowsdriversupd.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:trojan-activity; sid:2026467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_10, malware_family Gadwats, performance_impact Low, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10067
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=www.windowswsusonline.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:trojan-activity; sid:2026468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_10, malware_family Gadwats, performance_impact Low, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10068
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET 1024: -> $HOME_NET any  (msg:"ET TROJAN [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)"; flow:from_server,established; dsize:11; content:"DOWNLOAD1|0d 0a|"; depth:11; metadata: former_category TROJAN; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:trojan-activity; sid:2025651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_11, malware_family Banking_Trojan, updated_at 2018_10_10;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10071
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kraken Ransomware Start Activity 1"; flow:established,to_server; content:!"."; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; content:"-"; offset:2; depth:1; http_user_agent; content:"|3a|Begin"; distance:0; http_user_agent; isdataat:!1,relative; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/V"; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_11, malware_family Kraken_Ransomware, performance_impact Moderate, updated_at 2018_10_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10072
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kraken Ransomware End Activity"; flow:established,to_server; content:!"."; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; content:"-"; offset:2; depth:1; http_user_agent; content:"|3a|End"; distance:0; http_user_agent; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/V"; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_11, malware_family Kraken_Ransomware, performance_impact Moderate, updated_at 2018_10_11;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10074
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 3d 66|"; depth:11; metadata: former_category TROJAN; reference:md5,f9dbf2c028d3ad58328c190a6adb3301; classtype:trojan-activity; sid:2026509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10090
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 35 bb|"; depth:11; metadata: former_category TROJAN; reference:md5,8e99866b89e9349c21b34e6575f2412f; classtype:trojan-activity; sid:2026510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10091
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; metadata: former_category TROJAN; reference:md5,24bf188785e18db8fcb7dfa50363b3f5; classtype:trojan-activity; sid:2026511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10092
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 b5 91|"; depth:11; metadata: former_category TROJAN; reference:md5,98a010ad867f4c36730cc6a87c94528c; classtype:trojan-activity; sid:2026512; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10093
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; metadata: former_category TROJAN; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:trojan-activity; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_16, malware_family Remcos, performance_impact Low, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10094
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".online"; http_host; isdataat:!1,relative; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10095
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".club"; http_host; fast_pattern; isdataat:!1,relative; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10096
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Fake 404 Response"; flow:established,to_client; content:"200"; http_stat_code; flowbits:isset,ET.xls.dde.drop; file_data; content:"<h1>404 Not Found</h1><span>The resource requested could not be found on this server!</span>"; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_16, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_16;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10097
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN XLS.Unk DDE rar Drop Attempt (.live)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:".live|0d 0a|Conne"; http_header; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; flowbits:set,ET.xls.dde.drop; metadata: former_category TROJAN; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_17, malware_family MalDocGeneric, malware_family Maldoc, updated_at 2018_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10098
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Locky CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:14; content:"/imageload.cgi"; fast_pattern; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/Ps"; metadata: former_category TROJAN; reference:md5,40ebefdec6870263827ce6425702e785; classtype:trojan-activity; sid:2026517; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Locky, signature_severity Major, created_at 2018_10_17, updated_at 2018_10_17;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10100
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; metadata: former_category TROJAN; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_18, malware_family CaratRAT, performance_impact Low, updated_at 2018_10_18;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10102
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zebrocy Backdoor CnC Activity"; flow:to_server,established; content:"POST"; http_method; content:".php?"; http_uri; content:"Mozilla v5.1 (Windows NT 6.1|3b 20|rv|3a|6.0.1) Gecko/20100101 Firefox/6.0.1"; http_user_agent; fast_pattern; content:"%0D%0AHost%20Name|3a|"; http_client_body; pcre:"/^(?:\d{1,3}\.)\d{1,3}$/W"; metadata: former_category TROJAN; reference:md5,961e79a33f432ea96d2c8bf9eb010006; classtype:trojan-activity; sid:2026527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Zebrocy, signature_severity Major, created_at 2018_10_19, updated_at 2018_10_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10103
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/"; http_uri; depth:9; content:"/true/true/done"; http_uri; distance:0; fast_pattern; isdataat:!1,relative; content:"WinHttp.WinHttpRequest."; http_user_agent; http_header_names; content:"Referer"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag VBS, signature_severity Major, created_at 2018_10_24, malware_family Sidewinder, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10104
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA CnC Domain Observed in SNI (samwinchester .club)"; flow:established,to_server; tls_sni; content:"samwinchester.club"; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026546; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10105
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/api/hazard/"; http_uri; depth:12; fast_pattern; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; threshold:type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026547; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10106
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Response M1"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"common|20|soon"; depth:11; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026548; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10107
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Response M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"loub"; depth:4; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026549; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10108
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA Sending JPG Screenshot to CnC with .his Extension"; flow:established,to_server; content:"POST"; http_method; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; content:"name=|22|kerna|22 3b 20|filename"; http_client_body; fast_pattern; content:".his|22 0d 0a|"; http_client_body; distance:0; within:20; content:"|0d 0a 0d 0a ff d8 ff|"; http_client_body; distance:0; content:"JFIF"; http_client_body; distance:0; within:15; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026550; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10109
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version"; flow:established,to_server; content:"POST"; http_method; content:"compatible|3b 20|Googlebot|2f|"; http_user_agent; content:"|3a|1.0.2|0d 0a 2d 2d 2d 2d 2d|"; http_client_body; fast_pattern; http_content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; http_accept_enc; content:"UTF8"; depth:4; isdataat:!1,relative; threshold:type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026551; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_24, malware_family MICROPSIA, performance_impact Low, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10110
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible APT28 DOC Uploader SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_serial; content:"03:04:FF:5D:C9:BB:AC:50:C1:7B:3E:4C:1C:68:26:15:F0:3E"; tls_cert_subject; content:"CN=mvtband.net"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; metadata: former_category TROJAN; reference:md5,9b10685b774a783eabfecdb6119a8aa3; classtype:trojan-activity; sid:2026539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT28, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10111
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible DarkTequila SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_serial; content:"00:ED"; tls_cert_subject; content:"C=US, ST=OH, O=International Security Depart, CN=the-ebooks-store.com/emailAddress=contact@infws.com"; tls_cert_issuer; content:"O=International Security Depart, emailAddress=contact@infws.com, L=Greater Cleveland, ST=OH, C=US, CN=International Security Depart Ca"; metadata: former_category TROJAN; reference:md5,9fbdc5eca123e81571e8966b9b4e4a1e; classtype:trojan-activity; sid:2026540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DarkTequila, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10112
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware Initial Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:".php?check"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^\/d[0-9]?\.php\?check$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10113
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Server Request"; flow:established,to_server; content:"GET"; http_method; content:".php?servers"; http_uri; fast_pattern; isdataat:!1,relative; pcre:"/^\/d[0-9]?\.php\?servers$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10114
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Server Connectivity Check"; flow:established,to_server; content:"GET"; http_method; content:".php?check="; http_uri; fast_pattern; pcre:"/^\/[a-z]\.php\?check=[a-f0-9]{32}$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10115
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Octopus Malware CnC Activity"; flow:established,to_server; content:"POST"; http_method; content:".php?query="; http_uri; fast_pattern; content:"eyJpZCI6"; http_client_body; pcre:"/^\/[a-z]\.php\?query=[a-f0-9]{32}$/Ui"; http_accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http_content_type; content:"multipart/form-data|3b|"; http_protocol; content:"HTTP/1.0"; metadata: former_category TROJAN; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Octopus, signature_severity Major, created_at 2018_10_24, updated_at 2018_10_24;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10116
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Sharik/Smoke Fake 404 Response with Payload Location"; flow:established,from_server; content:"404"; http_stat_code; file_data; content:"|00 00|Location|3a 20|"; depth:12; fast_pattern; metadata: former_category TROJAN; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026556; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Fake_404, signature_severity Major, created_at 2018_10_25, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, updated_at 2018_10_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10117
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Requesting Redirect/Inject List"; flow:established,to_server; content:"GET"; http_method; content:"/red/info.php"; http_uri; depth:13; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10118
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"REDIR|3b|"; depth:6; content:"|7c 2d 7c|http"; distance:0; within:50; fast_pattern; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026563; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10119
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN MSIL/KeyRedirEx Banker Receiving Exit Instruction"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"EXIT|3b|"; depth:5; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banker, signature_severity Major, created_at 2018_10_29, malware_family KeyRedirEx, performance_impact Low, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10120
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrueBot/Silence.Downloader CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; isdataat:!1,relative; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|C|3a 5c|"; http_client_body; content:".DAT|22 3b 0d 0a|"; http_client_body; distance:0; content:"|0d 0a|Host Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; content:"|0d 0a|OS Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; content:"|0d 0a|OS Version|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http_client_body; distance:0; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_29, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10121
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN TrueBot/Silence.Downloader Keep-Alive"; flow:established,to_server; content:"GET"; http_method; content:".php?dns="; http_uri; fast_pattern; pcre:"/^[a-f0-9]{8}$/RUs"; http_header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026560; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_29, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, updated_at 2018_10_29;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10122
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.BackNet Checkin"; flow:established,to_server; content:"POST"; http_method; content:"data=%7B%22host_key%22%3A%22"; http_client_body; depth:28; http_header_names; content:!"Referer"; content:!"User-Agent"; metadata: former_category TROJAN; reference:md5,aebb382b54e1521ad1309f66d29a1d1c; classtype:trojan-activity; sid:2026572; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_02, malware_family Stealer, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10125
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL/Lordix Stealer Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php?hw="; http_uri; content:"&ps="; http_uri; distance:0; content:"&ck="; http_uri; distance:0; content:"&fl="; http_uri; distance:0; content:"log.txt"; http_client_body; content:"cookies/Chrome_Cookies.txt"; http_client_body; distance:0; fast_pattern; http_header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026571; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, tag Stealer, signature_severity Major, created_at 2018_11_02, malware_family Lordix, performance_impact Low, updated_at 2018_11_02;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10126
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?anti="; http_uri; content:"&cliname="; http_uri; distance:0; fast_pattern; http_accept; content:"*/*"; isdataat:!1,relative; http_accept_enc; content:"gzip, deflate"; isdataat:!1,relative; http_header_names; content:"User-Agent"; content:!"Cache"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,e15b3d2c39888fe459dc2d9c8dec331d; classtype:trojan-activity; sid:2026575; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10127
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten Shellcode Communicating with CnC"; flow:established,to_server; dsize:<150; content:"|16 03|"; depth:2; content:"|00|"; distance:1; within:1; content:"|01 00 00|"; distance:1; within:3; content:"|03|"; distance:1; within:1; content:"|5b e0 37|"; distance:1; within:3; fast_pattern; content:"|00|"; distance:0; content:"|00|"; distance:1; within:1; content:"|00|"; distance:1; within:1; threshold: type limit, count 1, seconds 30, track by_dst; metadata: former_category TROJAN; reference:md5,a60f127a06e5b3dcacd1ec346f7995c5; classtype:trojan-activity; sid:2026576; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33_CharmingKitten, tag Shellcode, signature_severity Major, created_at 2018_11_05, malware_family Shellcode, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10128
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN APT33/CharmingKitten Retrieving New Payload (flowbit set)"; flow:established,to_server; content:"GET"; http_method; content:"/images/static/content/"; http_uri; depth:23; fast_pattern; isdataat:!1,relative; http_header_names; content:!"Cache"; content:!"Accept"; content:!"Referer"; flowbits:set,ET.APT33CharmingKitten.1; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_12_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10129
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN APT33/CharmingKitten Encrypted Payload Inbound"; flow:established,from_server; content:"200"; http_stat_code; content:"|0d 0a|CacheControl|3a 20|"; http_header; fast_pattern; file_data; pcre:"/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i"; flowbits:isset,ET.APT33CharmingKitten.1; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10130
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; metadata: former_category TROJAN; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:trojan-activity; sid:2026579; rev:1; metadata:attack_target Client_and_Server, deployment Perimeter, tag Perl, signature_severity Major, created_at 2018_11_05, malware_family Shellbot_SM, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10131
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; tls_cert_subject; content:"CN=new.young-spencer.com"; fast_pattern; metadata: former_category TROJAN; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_27, malware_family MICROPSIA, performance_impact Low, updated_at 2018_11_05;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10132
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1"; dns_query; content:"mynetwork.ddns.net"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026573; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10134
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2"; dns_query; content:"mypsh.ddns.net"; nocase; fast_pattern; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:trojan-activity; sid:2026574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag APT33, tag CharmingKitten, signature_severity Major, created_at 2018_11_05, performance_impact Low, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10135
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10136
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10137
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10138
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10139
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10140
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_06;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10141
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Sharik/Smoke CnC Beacon 12"; flow:established,to_server; content:"POST"; http_method; urilen:<6; content:"/"; http_uri; isdataat:!1,relative; content:!"."; http_uri; content:!"&"; http_uri; pcre:"/(?:MSIE|rv\x3a)/V"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http_content_len; content:"63"; fast_pattern; depth:2; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; http_connection; content:"keep-alive"; nocase; http_header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Host|0d 0a|Referer|0d 0a|User-Agent"; metadata: former_category TROJAN; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_10_25, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, updated_at 2018_10_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10142
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; distance:0; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, malware_family JavaRAT, performance_impact Moderate, updated_at 2018_11_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10143
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; isdataat:!1,relative; nocase; metadata: former_category TROJAN; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_06, performance_impact Moderate, updated_at 2018_11_07;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10144
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ArrobarLoader CnC Checkin M1"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"4RR0B4R 4 X0T4 D4 TU4 M4E"; http_user_agent; fast_pattern; content:"0"; http_client_body; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Cache"; metadata: former_category TROJAN; reference:md5,3d7436bcf635a7e56a785c9d26ed3767; classtype:trojan-activity; sid:2026528; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loader, signature_severity Major, created_at 2018_02_07, malware_family ArrobarLoader, performance_impact Low, updated_at 2018_11_08;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10145
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MSIL.Kraken.v2 HTTP Pattern"; flow:established,to_server; content:"Kraken web request agent/"; http_user_agent; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,e1aee9ef64d71e0c9bb8eee9742efdef; reference:url,securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/; classtype:trojan-activity; sid:2026588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2018_11_09, malware_family Ransomware, malware_family Kraken_Ransomware, updated_at 2018_11_09;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10146
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET TROJAN Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; fast_pattern; metadata: former_category TROJAN; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:trojan-activity; sid:2026525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_10_18, malware_family BlackCarat, performance_impact Low, updated_at 2018_11_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10148
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkGate CNC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"id="; http_client_body; depth:3; content:"&data="; http_client_body; distance:0; content:"&action="; http_client_body; distance:0; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|Synapse|29|"; http_user_agent; isdataat:!1,relative; fast_pattern; flowbits:set,ET.DarkGate.1; http_protocol; content:"HTTP/1.0"; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026629; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_11_19, malware_family DarkGate, performance_impact Low, updated_at 2018_11_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10161
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkGate CnC Requesting Data Exfiltration from Bot"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"getbotdata"; depth:10; fast_pattern; isdataat:!1,relative; flowbits:isset,ET.DarkGate.1; metadata: former_category TROJAN; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag RAT, signature_severity Major, created_at 2018_11_19, malware_family DarkGate, performance_impact Low, updated_at 2018_11_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10162
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SC.Backdoor/TeleRAT Checkin"; flow:to_server,established; content:".php?a="; http_uri; content:"&b="; http_uri; distance:0; content:"&c="; http_uri; distance:0; content:"Windows|20|"; http_uri; distance:0; fast_pattern; content:"&d="; http_uri; distance:0; content:"&e="; http_uri; distance:0; http_header_names; content:!"User-Agent"; content:!"Referer"; metadata: former_category TROJAN; reference:md5,a1bdb1889d960e424920e57366662a59; classtype:trojan-activity; sid:2026641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_21, malware_family RAT, updated_at 2018_11_21;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10177
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN L0rdix Stealer CnC Sending Screenshot"; flow:established,to_server; content:"POST"; http_method; content:".php?h="; http_uri; fast_pattern; content:"&o="; http_uri; content:"&c="; http_uri; content:"&g="; http_uri; content:"&w="; http_uri; content:"&p="; http_uri; content:"&r="; http_uri; content:"&f="; http_uri; content:"&rm="; http_uri; content:"&d="; http_uri; content:"img="; http_client_body; depth:4; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026670; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_28, malware_family L0rdix, performance_impact Moderate, updated_at 2018_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10184
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN L0rdix Stealer CnC Data Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php?hw="; http_uri; fast_pattern; content:"&ps="; http_uri; content:"&ck="; http_uri; content:"&fl="; http_uri; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; http_header_names; content:!"Referer"; metadata: former_category TROJAN; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_28, malware_family L0rdix, performance_impact Moderate, updated_at 2018_11_28;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10185
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop dns $HOME_NET any -> any any (msg:"ET TROJAN DNS Query for DNSpionage CnC Domain"; dns_query; content:".0ffice36o.com"; nocase; isdataat:!1,relative; metadata: former_category TROJAN; reference:md5,c00c9f6ebf2979292d524acff19dd306; classtype:trojan-activity; sid:2026557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag DNSpionage, tag DNS_tunneling, signature_severity Major, created_at 2018_10_26, updated_at 2018_10_26;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10189
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IcedID WebSocket Request"; flow:established,to_server; content:"GET"; http_method; content:"/data2.php?"; http_uri; pcre:"/^[A-F0-9]{16}$/UR"; content:"Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; http_header; isdataat:!1,relative; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category TROJAN; reference:md5,b17a729efb71d1781405c6c00052c85e; classtype:trojan-activity; sid:2026673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_29, malware_family IcedID, updated_at 2018_12_12;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10224
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; content:"/wg.txt"; http_uri; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:2; metadata:created_at 2012_03_19, updated_at 2012_03_19;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10226
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:31:53 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:trojan-activity; sid:2017404; rev:3; metadata:created_at 2013_08_30, updated_at 2013_08_30;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 10227
12/12/2018 -- 16:31:55 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:31:55 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 12328
12/12/2018 -- 16:31:55 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:31:55 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 12341
12/12/2018 -- 16:31:55 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:31:55 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 12342
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39309; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 14267
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39308; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 14268
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|127.0.0.1"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|127.0.0.1"; distance:0; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39543; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 14335
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:31:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|localhost"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|localhost"; distance:0; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39540; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 14338
12/12/2018 -- 16:31:57 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
12/12/2018 -- 16:31:57 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46261; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 14627
12/12/2018 -- 16:31:57 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
12/12/2018 -- 16:31:57 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46260; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 14628
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45822; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 16266
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45821; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 16267
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45820; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 16268
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
12/12/2018 -- 16:31:58 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes  4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45819; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 16269
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47683; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 16381
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47682; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 16382
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 17256
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 17257
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 17258
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 17259
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:31:59 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 17260
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 17810
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 17889
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18007
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|0A|User-Agent|3A 20|tiehttp"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A 20|"; nocase; http_client_body; content:"form-data|3B| name=|22|filename|22|"; distance:0; nocase; http_client_body; content:"|0D 0A 0D 0A|"; within:4; http_client_body; pcre:"/^\d{0,10}_passes_\d{1,10}\.xm/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f9775d5fc61ec53a7cab4b432ec2d227/detection; classtype:trojan-activity; sid:21760; rev:6;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18215
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cap/?a=get&i="; nocase; http_uri; pcre:"/\d+&/miR"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18363
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18440
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18578
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18597
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18598
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18619
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18761
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18815
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:00 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18821
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:established, to_server; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 18847
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Critroni outbound connection"; flow:to_server,established; dsize:174; urilen:1; content:"/"; http_uri; content:"Host|3A| ip.telize.com|0D 0A|Accept|3A| */*|0D 0A|User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/31.0.1650.63 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3c92d7a9dead6011f3c99829c745c384dd776d88f57bbd60bc4f9d66641819b/analysis/; classtype:trojan-activity; sid:31718; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19109
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro outbound connection"; flow:to_server,established; dsize:<200; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/"; http_header; content:"ompatible|3B| MSIE 31|3B| "; within:20; distance:6; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c716890a2a76785d53e8f9a5db2268501a30df807df4c4323967672efe452c/analysis/; classtype:trojan-activity; sid:31813; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19132
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; content:"&data="; within:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea/analysis/; classtype:trojan-activity; sid:32311; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19223
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19291
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19292
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:1; distance:8; http_uri; content:"Host:"; http_header; content:":8080"; within:30; http_header; content:"POST"; http_method; dsize:<480; pcre:"/^\/[a-f0-9]{8}\/[a-f0-9]{8}\/$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94/analysis/; classtype:trojan-activity; sid:32770; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19307
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19368
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19396
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AAEH variant outbound connection"; flow:to_server,established; urilen:<15; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)"; fast_pattern:only; content:"Host: "; nocase; http_header; content:"|3A|"; within:16; http_header; content:!"Referer: "; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0ccade380fd3a9ef7635e5c4e54b82c4ccd434c0bc3bbf76af3a99d744a1c5e7/analysis/; classtype:trojan-activity; sid:34246; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19538
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19787
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19791
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19792
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19861
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19935
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19936
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 19991
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20297
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20495
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20593
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20594
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20595
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20678
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20902
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 20931
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 21390
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 21391
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 21420
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
12/12/2018 -- 16:32:02 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 21421
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 21954
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22020
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22021
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22022
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "SIP_PORTS" is not defined in configuration file
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22023
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22359
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:0; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44502; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22490
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_CONFLICTING_RULE_KEYWORDS(141)] - rule contains conflicting keywords.
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4592 (msg:"SERVER-OTHER Advantech WebAccess buffer overflow attempt"; flow:to_server,established; dce_iface:5d2b62aa-ee0a-4a95-91ae-b064fdb471fc; dce_opnum:1; file_data; content:"|81 38 01 00|"; content:!"|00|"; within:12; distance:8; metadata:policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:cve,2016-0851; reference:url,www.advantech.com/industrial-automation/webaccess/introduction; classtype:attempted-user; sid:44501; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22491
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22540
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22564
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22565
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22664
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22709
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22710
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22834
12/12/2018 -- 16:32:03 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22860
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 22861
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 23372
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 23520
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 23693
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
12/12/2018 -- 16:32:04 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/suricata.rules at line 23785
12/12/2018 -- 16:32:05 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "secunia". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:32:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:10; metadata:created_at 2010_09_25, updated_at 2010_09_25;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/flowbit-required.rules at line 166
12/12/2018 -- 16:32:05 - <Error> -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "md5". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
12/12/2018 -- 16:32:05 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:5; metadata:created_at 2015_04_22, updated_at 2015_04_22;)" from file /usr/local/etc/suricata/suricata_8280_em4/rules/flowbit-required.rules at line 190
12/12/2018 -- 16:32:05 - <Info> -- 2 rule files processed. 22461 rules successfully loaded, 2069 rules failed
12/12/2018 -- 16:32:05 - <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210042, gid 1: unknown rule
12/12/2018 -- 16:32:05 - <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210044, gid 1: unknown rule
12/12/2018 -- 16:32:05 - <Warning> -- [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2210054, gid 1: unknown rule
12/12/2018 -- 16:32:05 - <Info> -- Threshold config parsed: 15 rule(s) found
12/12/2018 -- 16:32:05 - <Info> -- 22462 signatures processed. 363 are IP-only rules, 5413 are inspecting packet payload, 11074 inspect application layer, 102 are decoder event only
12/12/2018 -- 16:32:13 - <Info> -- fast output device (regular) initialized: alerts.log
12/12/2018 -- 16:32:13 - <Info> -- http-log output device (regular) initialized: http.log
12/12/2018 -- 16:32:13 - <Info> -- Syslog output initialized
12/12/2018 -- 16:32:13 - <Info> -- Using 2 live device(s).
12/12/2018 -- 16:32:13 - <Notice> -- all 6 packet processing threads, 2 management threads initialized, engine started.
13/12/2018 -- 01:10:32 - <Notice> -- Signal Received.  Stopping engine.
13/12/2018 -- 01:10:32 - <Info> -- time elapsed 31099.357s
13/12/2018 -- 01:10:33 - <Info> -- Alerts: 0
13/12/2018 -- 01:10:33 - <Info> -- cleaning up signature grouping structure... complete
13/12/2018 -- 01:10:33 - <Notice> -- Stats for 'em4':  pkts: 0, drop: 0 (nan%), invalid chksum: 0
13/12/2018 -- 01:10:33 - <Notice> -- Stats for 'em4+':  pkts: 4988, drop: 0 (0.00%), invalid chksum: 0