[101626 - Suricata-Main] 2026-05-13 11:29:39 Notice: suricata: This is Suricata version 8.0.3 RELEASE running in SYSTEM mode
[101626 - Suricata-Main] 2026-05-13 11:29:39 Info: cpu: CPUs/cores online: 4
[101626 - Suricata-Main] 2026-05-13 11:29:39 Info: suricata: Setting engine mode to IDS mode by default
[101626 - Suricata-Main] 2026-05-13 11:29:39 Info: app-layer-htp-mem: HTTP memcap: 67108864
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: logopenfile: alert-pf output device (regular) initialized: block.log
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_22112_ix0/passlist.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_22112_ix0/passlist processed: Total entries parsed: 12, IP addresses/netblocks/aliases added to No Block list: 12, IP addresses/netblocks ignored because they were covered by existing entries: 0.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=both kill-state=yes block-drops-only=no passlist-debugging=no
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Creating initial automatic firewall interface IP address pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface ix0 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e34 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface ix0 IPv4 address 10.20.0.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface ix1 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e35 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface ix1 IPv4 address 10.0.0.250 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface ix2 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e34 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface ix3 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e34 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2010 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2010 IPv4 address 10.20.1.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2020 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2020 IPv4 address 10.20.2.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2030 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2030 IPv4 address 10.20.3.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2040 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2040 IPv4 address 10.20.4.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2050 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2050 IPv4 address 10.20.5.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2060 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2060 IPv4 address 10.20.6.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2070 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2070 IPv4 address 10.20.7.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2080 IPv6 address fe80:0000:0000:0000:02e0:edff:fef0:3e36 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: alert-pf: Adding firewall interface lagg0.2080 IPv4 address 10.20.8.254 to automatic interface IP pass list.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: logopenfile: fast output device (regular) initialized: alerts.log
[101572 - Suricata-Main] 2026-05-13 11:29:39 Warning: log-httplog: The http-log output has been deprecated and will be removed in Suricata 9.0.
[101572 - Suricata-Main] 2026-05-13 11:29:39 Info: logopenfile: http-log output device (regular) initialized: http.log
[180593 - Suricata-IM#01] 2026-05-13 11:29:39 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 initializing.
[180593 - Suricata-IM#01] 2026-05-13 11:29:39 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 startup completed successfully.
[101572 - Suricata-Main] 2026-05-13 11:30:02 Error: detect-tls-ja3-hash: ja3 support is not enabled
[101572 - Suricata-Main] 2026-05-13 11:30:02 Error: detect: error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CIS] Gootloader C2 Activity - Windows Server 2016 - barefootinc.com[.]au"; flow:established,to_server; ja3.hash; content:"ae76f123158d52fd84c2c313c0c724ac"; tls.sni; bsize:18; content:"barefootinc.com.au"; nocase; startswith; fast_pattern; threshold: type limit, track by_src, seconds 3600, count 1; classtype:domain-c2; sid:2058287; rev:1; metadata:affected_product Windows_Server_2016, attack_target Client_Endpoint, created_at 2024_12_15, deployment Perimeter, malware_family GootLoader, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:dest_ip;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 17139
[101572 - Suricata-Main] 2026-05-13 11:30:14 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:14 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; file_data; content:"for (let i = 0|3B| i < n|3B| i++) {|0D 0A 20 20 20 20 20 20 20 20|new cls()|3B|"; content:"0x00010000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0590; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0590; classtype:attempted-user; sid:49129; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 33249
[101572 - Suricata-Main] 2026-05-13 11:30:16 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:16 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt"; flow:to_client,established; file_data; file_data; content:"createTextRange"; content:".execCommand"; within:20; content:"InsertIFrame"; within:20; fast_pattern; nocase; content:"innerHTML"; within:500; content:"onpropertychange"; within:50; nocase; content:"removeAttribute"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2491; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35975; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 34044
[101572 - Suricata-Main] 2026-05-13 11:30:19 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:19 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_server,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; fast_pattern; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:6;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 34719
[101572 - Suricata-Main] 2026-05-13 11:30:19 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:19 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:6;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 34720
[101572 - Suricata-Main] 2026-05-13 11:30:20 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:20 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Cisco WebEx extension command execution attempt"; flow:to_server,established; file_data; file_data; content:"CustomEvent"; nocase; content:"connect"; within:50; nocase; content:"CustomEvent"; nocase; content:"message"; within:50; nocase; content:"message_type"; nocase; content:"launch_meeting"; within:50; nocase; content:"GpcComponentName"; fast_pattern; content:!"YXRtY2NsaS5ETEw="; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:attempted-admin; sid:41408; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 34872
[101572 - Suricata-Main] 2026-05-13 11:30:21 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:21 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit out-of-bounds write attempt"; flow:to_client,established; file_data; file_data; content:"try { (function () { let a = { get val() { [...{a = 1.45}] = []|3B| a.val.x|3B| }, }|3B| a.val|3B| })()|3B| } catch (e) { } "; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2505; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1137; classtype:attempted-user; sid:51391; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 35288
[101572 - Suricata-Main] 2026-05-13 11:30:22 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[101572 - Suricata-Main] 2026-05-13 11:30:22 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|127.0.0.1"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|127.0.0.1"; distance:0; http_raw_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39543; rev:4;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 36240
[101572 - Suricata-Main] 2026-05-13 11:30:22 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[101572 - Suricata-Main] 2026-05-13 11:30:22 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|localhost"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|localhost"; distance:0; nocase; http_raw_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39540; rev:4;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 36243
[101572 - Suricata-Main] 2026-05-13 11:30:25 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:25 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt"; flow:to_server,established; file_data; file_data; content:"|6A FB 8F 05 F0 06 DA F7 8F 05 0E 60 F9 6A 77 01 99 F7 25 03 F7 AD 4D 15 3A F5 62 F7 30 F7 18 1A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9161; reference:url,www.cvedetails.com/cve/CVE-2014-9161; classtype:attempted-user; sid:33455; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 39047
[101572 - Suricata-Main] 2026-05-13 11:30:25 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:25 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt"; flow:to_client,established; file_data; file_data; content:"|6A FB 8F 05 F0 06 DA F7 8F 05 0E 60 F9 6A 77 01 99 F7 25 03 F7 AD 4D 15 3A F5 62 F7 30 F7 18 1A|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2014-9161; reference:url,www.cvedetails.com/cve/CVE-2014-9161; classtype:attempted-user; sid:33454; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 39048
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 40441
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 40442
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 40443
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 40444
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 40445
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:27 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt"; flow:to_server,established; file_data; flowbits:isset,file.docx; file_data; content:"|35 D4 85 5E 37 BB 23 7B E9 7E B1 33 76 E2 7F DF 91 E4 88 50 1C CB A9 AD 8B 40 9A 79 1F FB 84 9E|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-0199; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0199; reference:url,virustotal.com/gui/file/04e0d94b1a24d12d690c41a5142b8652cfb517454b0c52eee912179dceb52a9a/detection; classtype:attempted-user; sid:57066; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 40456
[101572 - Suricata-Main] 2026-05-13 11:30:28 Error: detect-urilen: depth or urilen 11 smaller than content len 17
[101572 - Suricata-Main] 2026-05-13 11:30:28 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 41135
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 41935
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 42183
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect-pcre: unknown regex modifier 'K'
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 42256
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect-parse: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 42323
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect-within: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[101572 - Suricata-Main] 2026-05-13 11:30:29 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.LODEINFO outbound connection"; flow:to_server,established; urilen:1; content:"POST / HTTP/1.1|0D 0A|"; fast_pattern:only; content:"-"; depth:1; offset:8; http_client_body; content:"="; within:1; distance:4; http_client_body; content:"-"; within:1; distance:6; http_client_body; content:"."; within:80; distance:220; http_client_body; pcre:"/^[0-9a-z]{8}-[0-9a-z]{4}=[0-9a-z]{6}-[0-9a-z_\x2d]{220,300}\x2e$/Pi"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/632975a3642b0f2a6084880e59ffa19dfa8b08d13ac15b639e1e0ad3bdbf45bd; classtype:trojan-activity; sid:63188; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 42508
[101572 - Suricata-Main] 2026-05-13 11:30:30 Error: detect-isdataat: pcre2_substring_get_bynumber failed
[101572 - Suricata-Main] 2026-05-13 11:30:30 Error: detect: error parsing signature "alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Unix.Backdoor.PygmyGoat inbound connection attempt"; flow:to_client,established; content:"SSH-2.0-D8pjE|0D 0A|"; depth:15; isdataat:!15,rawbytes; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssh; reference:url,ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf; classtype:trojan-activity; sid:64295; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 42608
[101572 - Suricata-Main] 2026-05-13 11:30:30 Error: detect-isdataat: pcre2_substring_get_bynumber failed
[101572 - Suricata-Main] 2026-05-13 11:30:30 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BPFDoor variant inbound connection attempt"; flow:to_server,established,only_stream; isdataat:23,rawbytes; isdataat:!28,rawbytes; content:"|52 93 00 00|"; depth:4; fast_pattern; rawbytes; content:!"|00 00 00 00 00 00|"; within:6; rawbytes; content:"|00|"; within:13; distance:7; rawbytes; pcre:"/^\x52\x93\x00\x00.{6}[^\x00]{1,13}?\x00{1,13}?((\x00|\xff){4})?$/Bs"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/gui/file/95fd8a70c4b18a9a669fec6eb82dac0ba6a9236ac42a5ecde270330b66f51595; classtype:trojan-activity; sid:64994; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 42675
[101572 - Suricata-Main] 2026-05-13 11:30:33 Error: detect-within: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[101572 - Suricata-Main] 2026-05-13 11:30:33 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 44116
[101572 - Suricata-Main] 2026-05-13 11:30:35 Error: detect-parse: unknown rule keyword 'sip_header'.
[101572 - Suricata-Main] 2026-05-13 11:30:35 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 45878
[101572 - Suricata-Main] 2026-05-13 11:30:35 Error: detect-parse: unknown rule keyword 'sip_header'.
[101572 - Suricata-Main] 2026-05-13 11:30:35 Error: detect: error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 45879
[101572 - Suricata-Main] 2026-05-13 11:30:36 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:36 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; file_data; content:"|50 45 00 00 4C 01 03 00 D8 81 CF 53 00 00 00 00 00 00 00 00 E0 00|"; depth:22; offset:240; content:"|74 00 00 00 00 00 00 00 4F AF 08 00 48 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:32; distance:170; fast_pattern:0,25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-1345; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1345; classtype:attempted-admin; sid:51874; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 46105
[101572 - Suricata-Main] 2026-05-13 11:30:36 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:36 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; file_data; content:"dsclient.dll"; fast_pattern:only; content:"CreateHardlink"; content:"DSCreateSharedFileToken"; content:"NtApiDotNet"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0572; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0572; classtype:attempted-admin; sid:48776; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 46311
[101572 - Suricata-Main] 2026-05-13 11:30:36 Error: detect: previous sticky buffer has no matches
[101572 - Suricata-Main] 2026-05-13 11:30:36 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Windows Desktop Bridge privilege escalation attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; file_data; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|O|00|f|00|f|00|i|00|c|00|e|00|H|00|u|00|b|00|_|00|8|00|w|00|e|00|k|00|y|00|b|00|3|00|d|00|8|00|b|00|b|00|w|00|e|00|"; fast_pattern:only; content:"NtApiDotNet"; content:"NtSymbolicLink"; content:".|00|d|00|a|00|t|00|"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-8214; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8214; classtype:attempted-admin; sid:46962; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 46353
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-isdataat: pcre2_substring_get_bynumber failed
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt"; flow:to_client,established; isdataat:1000,rawbytes; content:"Authenticate:"; http_header; content:"NtLM"; within:10; nocase; http_header; pcre:"/Authenticate:\s+([A-Za-z0-9\x2D\x2F]+\x2C\s+){0,3}NtLM\s+[A-Za-z0-9=+\/]{900}/Him"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-3822; classtype:attempted-user; sid:59528; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47635
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: unknown rule keyword 'sip_header'.
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47760
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: unknown rule keyword 'sip_header'.
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47761 [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: unknown rule keyword 'sip_method'. [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47762 [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: unknown rule keyword 'sip_method'. 
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 1; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:9;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47763 [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: no matches in sticky buffer file_data [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Authedmine TLS client hello attempt"; flow:to_server,established; file_data; ssl_state:client_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45952; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47835 [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat partial PUT remote code execution attempt"; flow:to_server,established; content:"Content-Range"; fast_pattern:only; http_header; file_data; content:"|0D 0A 0D 0A AC ED|"; content:"PUT"; nocase; http_method; content:"session"; nocase; http_uri; pcre:"/^\x2f[^\x3f]*?[\x2e\x2f]session/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2025-24813; reference:url,lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq; classtype:attempted-user; sid:64686; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47917 [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt"; flow:to_server,established; content:"Microsoft.Exchange"; nocase; http_client_body; content:"LaunchCmd"; nocase; http_client_body; content:"|22|SerializationData|22|>"; nocase; http_client_body; base64_decode:bytes 256,relative; base64_data; content:"System.Windows.Markup.XamlReader[][]"; nocase; content:"/PowerShell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-28310; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-28310; classtype:attempted-admin; sid:61933; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47953 [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. 
Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:37 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-MAIL Microsoft Exchange remote code execution attempt"; flow:to_server,established; content:"Microsoft.Exchange"; nocase; http_client_body; content:""; nocase; http_client_body; base64_decode:relative; base64_data; content:""; nocase; content:"|5C 5C|"; within:100; pcre:"/\s*?\x5C\x5C/i"; content:"/powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-36745; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36745; classtype:attempted-admin; sid:62622; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 47955 [101572 - Suricata-Main] 2026-05-13 11:30:38 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:38 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; distance:0; http_client_body; base64_decode:relative; base64_data; content:"System.Diagnostic"; nocase; content:"Process"; nocase; content:"Start"; nocase; content:"/ews/exchange.asmx"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2021-42321; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-42321; classtype:attempted-user; sid:58638; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 48725 [101572 - Suricata-Main] 2026-05-13 11:30:38 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. 
Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:38 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; distance:0; http_client_body; base64_decode:relative; base64_data; content:"ObjectDataProvider"; nocase; content:"Method"; nocase; content:"/ews/exchange.asmx"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2021-42321; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-42321; classtype:attempted-user; sid:58637; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 48726 [101572 - Suricata-Main] 2026-05-13 11:30:38 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:38 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER VMWare vSphere log4shell exploit attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; http_client_body; content:"RelyingPartyEntityId"; distance:0; nocase; http_client_body; content:"|0D 0A 0D 0A|"; distance:0; http_client_body; base64_decode:bytes 64,relative; base64_data; pcre:"/\x24\x7b(jndi|[^\x7d]*?\x24\x7b[^\x7d]*?\x3a[^\x7d]*?\x7d)/i"; content:"/websso/SAML2/SSOSSL/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58812; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 48760 [101572 - Suricata-Main] 2026-05-13 11:30:39 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:39 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Atlassian Crowd pdkinstall plugin remote code execution attempt"; flow:to_server,established; file_data; content:"/crowd/admin/uploadplugin.action"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-11580; reference:url,jira.atlassian.com/browse/CWD-5388; classtype:web-application-attack; sid:56436; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 48918 [101572 - Suricata-Main] 2026-05-13 11:30:39 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. 
[101572 - Suricata-Main] 2026-05-13 11:30:39 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 48959 [101572 - Suricata-Main] 2026-05-13 11:30:39 Error: detect-urilen: depth or urilen 4 smaller than content len 10 [101572 - Suricata-Main] 2026-05-13 11:30:39 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt"; flow:to_server,established; content:"user_name="; fast_pattern:only; http_uri; urilen:4; content:"/cgi"; nocase; http_uri; pcre:"/[?&]user_name=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-5722; classtype:web-application-attack; sid:53858; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 49044 [101572 - Suricata-Main] 2026-05-13 11:30:40 Error: detect-distance: previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content [101572 - Suricata-Main] 2026-05-13 11:30:40 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1000533; classtype:attempted-user; sid:47599; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 49553 [101572 - Suricata-Main] 2026-05-13 11:30:40 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. [101572 - Suricata-Main] 2026-05-13 11:30:40 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 49641 [101572 - Suricata-Main] 2026-05-13 11:30:41 Error: detect-within: previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content [101572 - Suricata-Main] 2026-05-13 11:30:41 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 49816 [101572 - Suricata-Main] 2026-05-13 11:30:42 Error: detect-within: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content [101572 - Suricata-Main] 2026-05-13 11:30:42 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 50104 [101572 - Suricata-Main] 2026-05-13 11:30:42 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. 
[101572 - Suricata-Main] 2026-05-13 11:30:42 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 50521 [101572 - Suricata-Main] 2026-05-13 11:30:43 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. [101572 - Suricata-Main] 2026-05-13 11:30:43 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX Framework Asterisk recording interface PHP unserialize code execution attempt"; flow:to_server,established; content:"/recordings/index.php"; fast_pattern:only; http_uri; content:"ari_auth"; nocase; http_raw_cookie; content:"%3BO%3A6%3A%22Backup%22"; nocase; http_raw_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,70188; reference:cve,2014-7235; classtype:attempted-admin; sid:32753; rev:6;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 50648 [101572 - Suricata-Main] 2026-05-13 11:30:43 Error: detect-within: previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content [101572 - Suricata-Main] 2026-05-13 11:30:43 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 50650 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Movable Type CMS command injection attempt"; flow:to_server,established; content:"mt.handler_to_coderef"; nocase; http_client_body; content:""; distance:0; nocase; http_client_body; content:""; distance:0; nocase; http_client_body; content:""; distance:0; nocase; http_client_body; content:""; distance:0; nocase; http_client_body; base64_decode:bytes 100, offset 0, relative; base64_data; pcre:"/[\x60\x3b\x7c\x26\x23\x28]/"; content:"/cgi-bin/mt/mt-xmlrpc.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2021-20837; classtype:web-application-attack; sid:58687; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51323 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. 
Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HPE Intelligent Management Center ByteMessageResource insecure deserialization attempt"; flow:to_server,established; content:""; nocase; http_client_body; base64_decode:bytes 2000,offset 0,relative; base64_data; content:"ysoserial"; nocase; content:"/imcrs/plat/byteMessage"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-11956; classtype:attempted-admin; sid:59711; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51501 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HPE Intelligent Management Center ByteMessageResource insecure deserialization attempt"; flow:to_server,established; content:""; nocase; http_client_body; base64_decode:bytes 500,offset 0,relative; base64_data; content:"org.apache.commons.fileupload.disk.DiskFileItem"; nocase; content:"/imcrs/plat/byteMessage"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-11956; classtype:attempted-admin; sid:59710; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51502 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"U3lzdGVtLlVuaXR5U2VyaWFsaXphdGlvbkhvbGRlc"; distance:0; content:"U3lzdGVtLldpbmRvd3MuTWFya3VwLlhhbWxSZWFkZX"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60678; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51686 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:"U3lzdGVtLlVuaXR5U2VyaWFsaXphdGlvbkhvbGRlc"; distance:0; content:"N5c3RlbS5XaW5kb3dzLk1hcmt1cC5YYW1sUmVhZGVy"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60677; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51687 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"U3lzdGVtLlVuaXR5U2VyaWFsaXphdGlvbkhvbGRlc"; distance:0; content:"TeXN0ZW0uV2luZG93cy5NYXJrdXAuWGFtbFJlYWRlc"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60676; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51688 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZX"; distance:0; content:"U3lzdGVtLldpbmRvd3MuTWFya3VwLlhhbWxSZWFkZX"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60675; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51689 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZX"; distance:0; content:"N5c3RlbS5XaW5kb3dzLk1hcmt1cC5YYW1sUmVhZGVy"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60674; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51690 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"N5c3RlbS5Vbml0eVNlcmlhbGl6YXRpb25Ib2xkZX"; distance:0; content:"TeXN0ZW0uV2luZG93cy5NYXJrdXAuWGFtbFJlYWRlc"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60673; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51691 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVy"; distance:0; content:"N5c3RlbS5XaW5kb3dzLk1hcmt1cC5YYW1sUmVhZGVy"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60672; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51692 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVy"; distance:0; content:"U3lzdGVtLldpbmRvd3MuTWFya3VwLlhhbWxSZWFkZX"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60671; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51693 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:""; http_client_body; base64_decode:relative; base64_data; content:"TargetTypeForDeserialization"; content:""; distance:0; content:"TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVy"; distance:0; content:"TeXN0ZW0uV2luZG93cy5NYXJrdXAuWGFtbFJlYWRlc"; distance:0; content:""; distance:0; content:"/Powershell"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2022-41040; reference:cve,2022-41080; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41080; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; sid:60670; rev:3;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51694 [101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:44 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos XG Firewall SQL injection attempt"; flow:to_server,established; content:"release="; nocase; http_client_body; base64_decode:bytes 500,offset 0,relative; base64_data; pcre:"/(^|&)hdnFilePath=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/im"; content:"/webconsole/Controller"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-15504; reference:url,community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504; classtype:web-application-attack; sid:60908; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51719 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:"System.Diagnostics"; fast_pattern; nocase; http_client_body; content:"Process"; distance:0; nocase; http_client_body; content:""; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"UnitySerializationHolder"; nocase; content:"/Powershell"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-21706; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-21706; classtype:attempted-user; sid:61359; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51755 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:"System.Diagnostics"; fast_pattern; nocase; http_client_body; content:"Process"; distance:0; nocase; http_client_body; content:""; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"MultiValuedProperty"; nocase; content:"/Powershell"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-21529; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-21529; classtype:attempted-user; sid:61360; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51762 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint WebControls AdRotator NTLM relay attempt"; flow:to_server,established; content:""; http_client_body; content:""; http_client_body; base64_decode:relative; base64_data; content:" $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_vti_bin/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61939; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51869 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_layouts/15/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61938; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51870 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_api/"; fast_pattern:only; http_uri; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61937; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51871 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Progress MOVEit Transfer SILCertToUser SQL injection attempt"; flow:to_server,established; content:"X-IPSGW-ClientCert|3A|"; fast_pattern; nocase; http_header; base64_decode:bytes 1000,offset 0,relative; base64_data; content:"|06 03 55 04 03 0C|"; pcre:"/^.[^\x30\x31]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Rs"; content:".aspx"; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-35036; reference:cve,2023-35708; classtype:web-application-attack; sid:62104; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51920 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_vti_bin/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62469; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51971 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-pcre: Expression seen with a sticky buffer still set; either (1) reset sticky buffer with pkt_data or (2) use a sticky buffer providing "http request uri". 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"/_api/"; nocase; http_uri; content:"access_token="; fast_pattern; nocase; http_uri; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62468; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51972 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; fast_pattern; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_api/"; nocase; http_uri; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62467; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51973 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_layouts/15/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62465; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51975 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP VMware Aria Operations unsafe deserialization attempt"; flow:to_server,established; content:"|22|endOffset|22|"; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"java.net.URL"; content:"/api/events/push-notifications"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-20888; reference:url,github.com/projectdiscovery/nuclei-templates/blob/9d0fa3af3285e909fbd7b03f6112f320b4dc3a90/http/cves/2023/CVE-2023-20888.yaml; classtype:web-application-attack; sid:62484; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51976 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP VMware Aria Operations unsafe deserialization attempt"; flow:to_server,established; content:"|22|endOffset|22|"; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"java.lang.Runtime"; content:"/api/events/push-notifications"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-20888; reference:url,github.com/projectdiscovery/nuclei-templates/blob/9d0fa3af3285e909fbd7b03f6112f320b4dc3a90/http/cves/2023/CVE-2023-20888.yaml; classtype:web-application-attack; sid:62483; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 51977
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Qlik Sense Enterprise HTTP tunneling attempt"; flow:to_server,established; content:"/resources/qmc/fonts/"; fast_pattern:only; content:"/resources/qmc/fonts/"; nocase; http_raw_uri; content:"ttf"; distance:0; nocase; http_raw_uri; content:"Content-Length|3A|"; nocase; http_header; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; distance:0; nocase; http_header; pcre:"/^Transfer-Encoding\x3a[^\r\n]*?chunked/Him"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-41265; reference:cve,2023-48365; reference:url,community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801; classtype:attempted-user; sid:62761; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52017
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ConnectWise ScreenConnect path traversal attempt"; flow:to_server,established; content:"|22|"; http_client_body; base64_decode:bytes 1000,offset 0,relative; base64_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"|2E 2E|"; within:filename_len; distance:2; content:"/Services/ExtensionService.ashx/InstallExtension"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-1708; reference:url,www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass; classtype:attempted-admin; sid:63087; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52075
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]*?\sURI\s*=/i"; content:"/dana-ws/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63102; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52077 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]*?\sURI\s*=/i"; content:"/dana-ws/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63101; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52078 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]*?\sURI\s*=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63100; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52079 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti multiple products server side request forgery attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_uri; base64_decode:bytes 1000,relative; base64_data; content:"RetrievalMethod"; nocase; content:"URI"; nocase; pcre:"/RetrievalMethod[^>]*?\sURI\s*=/i"; content:"/dana-na/auth/saml"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-21893; reference:url,forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways; classtype:web-application-attack; sid:63099; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52080 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Operational Decision Manager insecure deserialization attempt"; flow:to_server,established; content:"javax.faces.ViewState="; nocase; http_client_body; base64_decode:bytes 500, relative; base64_data; pcre:"/(ysoserial|java\x2e(lang\x2eProcess|net\x2eURL))/"; content:"/res/protected/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-22320; reference:url,ibm.com/support/pages/node/7112382; reference:url,labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/; classtype:attempted-user; sid:63245; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52100 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint authenticated remote code execution attempt"; flow:to_server,established; content:"BusinessDataMetadataCatalog"; nocase; http_client_body; content:"|22|Base64Binary|22|"; nocase; http_client_body; content:">"; distance:0; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"BusinessDataCatalog"; nocase; content:" $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NextGen Healthcare Mirth Connect arbitrary Java object deserialization attempt"; flow:to_server,established; file_data; content:"org.apache.commons.lang3.event.EventUtils|24|EventBindingInvocationHandler"; fast_pattern:41,30; nocase; content:"/users"; depth:10; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-43208; reference:url,www.horizon3.ai/attack-research/attack-blogs/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/; classtype:web-application-attack; sid:63604; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52183 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Progress Telerik Report Server insecure deserialization attempt"; flow:to_server,established; content:"|22|reportContent|22|"; nocase; http_client_body; base64_decode:bytes 2000,relative; base64_data; content:"ResourceDictionary"; nocase; content:"ObjectDataProvider"; nocase; content:"MethodName"; nocase; content:"/api/reportserver/report"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-1800; reference:url,docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800; classtype:attempted-user; sid:63625; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52186 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NextGen Healthcare Mirth Connect arbitrary Java object deserialization attempt"; flow:to_server,established; file_data; content:"org.apache.commons.lang3.event.EventUtils|24|EventBindingInvocationHandler"; fast_pattern:41,30; nocase; content:"/api/server/configuration"; depth:25; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-43208; reference:url,www.horizon3.ai/attack-research/attack-blogs/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/; classtype:web-application-attack; sid:63855; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52233 [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect-fast-pattern: fast_pattern cannot be used with base64_data [101572 - Suricata-Main] 2026-05-13 11:30:45 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Progress Kemp LoadMaster command injection attempt"; flow:to_server,established; content:"Authorization|3A 20|Basic|20|"; nocase; http_header; base64_decode:bytes 1501,offset 0,relative; base64_data; content:"|27|"; content:"|27|"; distance:0; content:"/access/set"; depth:11; fast_pattern; nocase; http_uri; content:"param=enableapi"; nocase; http_uri; content:"value=1"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-1212; classtype:web-application-attack; sid:64286; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52298 [101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall SonicOS SSL VPN authentication bypass attempt"; flow:to_server,established; content:"swap="; nocase; http_raw_header; isdataat:44,relative; content:!"|0A|"; within:44; http_raw_header; base64_decode:bytes 44,relative; base64_data; content:"|00|"; within:44; content:"/cgi-bin/sslvpnclient"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-53704; reference:url,psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003; classtype:web-application-attack; sid:64648; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52355
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecore Experience Platform CSRF token remote code execution attempt"; flow:to_server,established; content:"__CSRFTOKEN="; nocase; http_client_body; base64_decode:bytes 3000,relative; base64_data; content:"System.Diagnostics"; content:"Process"; content:"Start"; content:"/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9874; reference:cve,2019-9875; reference:url,support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0334035; reference:url,synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf; classtype:attempted-user; sid:64792; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52391
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitecore Experience Platform CSRF token remote code execution attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; http_client_body; content:"name"; within:50; nocase; http_client_body; content:"__CSRFTOKEN"; within:25; nocase; http_client_body; content:"|0D 0A 0D 0A|"; within:50; http_client_body; base64_decode:bytes 3000,relative; base64_data; content:"System.Diagnostics"; content:"Process"; content:"Start"; content:"/sitecore/shell/Applications/Security/CreateNewUser/CreateNewUser.aspx"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2019-9874; reference:cve,2019-9875; reference:url,support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB0334035; reference:url,synacktiv.com/ressources/advisories/Sitecore_CSRF_deserialize_RCE.pdf; classtype:attempted-user; sid:64791; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52392
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Sharepoint malicious deserialization attempt"; flow:to_server,established; isdataat:2000; content:"DotNetAssembly"; nocase; http_client_body; content:" any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Sharepoint malicious deserialization attempt"; flow:to_server,established; isdataat:2000; content:"4da630b6-36c5-4f55-8e01-5cd40e96104d"; fast_pattern:only; nocase; http_client_body; content:""; within:20; http_client_body; isdataat:499,relative; content:!" $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Commvault Command Center argument injection attempt"; flow:to_server,established; content:"|22|password|22|"; nocase; http_client_body; base64_decode:bytes 200,offset 2,relative; base64_data; content:"-localadmin"; nocase; content:"/commandcenter/api/Login"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2025-57791; reference:url,documentation.commvault.com/securityadvisories/CV_2025_08_1.html; classtype:web-application-attack; sid:65384; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52503
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Sharepoint malicious deserialization attempt"; flow:to_server,established; isdataat:2000; content:"AAEAAAD/////"; nocase; http_client_body; base64_decode:bytes 3000,relative; base64_data; content:"System.Diagnostics"; content:"Process"; distance:0; content:"Start"; distance:0; content:"/_vti_bin/client.svc/ProcessQuery"; fast_pattern:only; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-38023; reference:cve,2024-38024; reference:cve,2024-38094; reference:url,github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC; classtype:attempted-user; sid:65570; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52553
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fortinet FortiWeb SSO authentication bypass attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_client_body; base64_decode:bytes 256,relative; base64_data; content:"|22|_bypass1337|22|"; distance:0; content:"/remote/saml/login"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2025-59718; reference:cve,2025-59719; reference:url,fortiguard.com/psirt/FG-IR-25-647; classtype:attempted-admin; sid:65619; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52555
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ivanti Connect Secure XML external entity injection attempt"; flow:to_server,established; content:"SAMLRequest="; nocase; http_client_body; base64_decode:bytes 512,relative; base64_data; content:"ENTITY"; nocase; pcre:"/(\x21|%(25)?21)ENTITY((?!\x3e|%(25)?3e).)*?(SYSTEM|PUBLIC)/i"; content:"/dana-na/auth/saml-"; fast_pattern:only; http_uri; pcre:"/saml-(logout|sso|consumer|inter|endpoint)\.cgi/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-22024; reference:url,hub.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure; classtype:web-application-attack; sid:65912; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52603
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix NetScaler RelayState cross site scripting attempt"; flow:to_server,established; content:"RelayState="; nocase; http_client_body; base64_decode:bytes 1000, offset 0, relative; base64_data; pcre:"/([\x22\x27\x3c\x3e\x28\x29]|%(25)?(22|27|3c|3e|28|29)|script|onload|src)/i"; content:"/cgi/logout"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2025-12101; reference:url,support.citrix.com/support-home/kbsearch/article?articleNumber=CTX695486&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_12101; classtype:web-application-attack; sid:66204; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52663
[101572 - Suricata-Main] 2026-05-13 11:30:47 Info: detect: 2 rule files processed. 53324 rules successfully loaded, 104 rules failed, 0 rules skipped
[101572 - Suricata-Main] 2026-05-13 11:30:47 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[101572 - Suricata-Main] 2026-05-13 11:30:47 Info: detect: 53326 signatures processed. 32 are IP-only rules, 4982 are inspecting packet payload, 36186 inspect application layer, 110 are decoder event only
[101572 - Suricata-Main] 2026-05-13 11:30:47 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28579 and 6 other sigs
[101572 - Suricata-Main] 2026-05-13 11:30:47 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
[101572 - Suricata-Main] 2026-05-13 11:30:47 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
[101572 - Suricata-Main] 2026-05-13 11:30:47 Warning: detect-flowbits: flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
[101572 - Suricata-Main] 2026-05-13 11:30:47 Warning: detect-flowbits: flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs
[101572 - Suricata-Main] 2026-05-13 11:32:35 Info: unix-manager: unix socket '/var/run/suricata-ctrl-socket-22112'
[101572 - Suricata-Main] 2026-05-13 11:32:35 Info: runmodes: Using 1 live device(s).
[180902 - RX#01-ix0] 2026-05-13 11:32:35 Info: pcap: ix0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
[180902 - RX#01-ix0] 2026-05-13 11:32:35 Info: pcap: ix0: snaplen set to 1518
[101572 - Suricata-Main] 2026-05-13 11:32:35 Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1 Engine started.
[101572 - Suricata-Main] 2026-05-13 15:18:33 Notice: suricata: Signal Received. Stopping engine.
[101572 - Suricata-Main] 2026-05-13 15:18:34 Info: suricata: time elapsed 13559.734s
[180902 - RX#01-ix0] 2026-05-13 15:18:35 Info: pcap: ix0: packets 0, bytes 0
[180902 - RX#01-ix0] 2026-05-13 15:18:35 Info: pcap: ix0: pcap total:0 recv:0 drop:0 (0.0%)
[101572 - Suricata-Main] 2026-05-13 15:18:36 Notice: device: ix0: packets: 0, drops: 0 (0.00%), invalid chksum: 0
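Every "error parsing signature" entry above is the same defect: a Snort-style rule that selects a sticky buffer (base64_data) and then tacks the legacy http_uri modifier onto a later content, which Suricata 8 rejects with "keyword seen with a sticky buffer still set". Each rejected rule is a detection gap for the CVE it references (the summary line counts 104 of them), so the operator's first job is to list the failed SIDs and CVEs, and the second is to rewrite the rules. The script below is an added example and is not code from this log, from Suricata or from pfSense. It parses the log entries (a constructed four-entry sample copied from the log is embedded), pairs each signature error with the detect-parse reason that follows it, re-implements the sticky-buffer check so a candidate rewrite can be linted offline, and rewrites the offending content under the equivalent sticky buffer (`content:"X"; fast_pattern:only; http_uri;` becomes `http.uri; content:"X"; fast_pattern;`). The function names, the abbreviated modifier-to-buffer table (HTTP keywords only) and the rewrite's assumption that the modified content is the rule's last content match (which holds for every failing rule shown here) are mine; `fast_pattern:only` is reduced to plain `fast_pattern` as a conservative choice. The authoritative check on any rewritten rule file is still Suricata's own test mode (`suricata -T`).

```python
"""Added example (not from the page, Suricata or pfSense): triage the rule-load
failures in a Suricata log, then lint and rewrite the offending rules offline.
Suricata 8 rejects a legacy Snort modifier (http_uri, http_client_body, ...)
once a sticky buffer (base64_data, http.uri, ...) is selected and not reset
with pkt_data; the fix is to select the equivalent sticky buffer before the
content instead of modifying the content afterwards."""
import re
from collections import namedtuple

# Constructed sample: four entries copied from the log above, joined on one line.
SAMPLE_LOG = " ".join([
    '[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SonicWall SonicOS SSL VPN authentication bypass attempt"; flow:to_server,established; content:"swap="; nocase; http_raw_header; isdataat:44,relative; content:!"|0A|"; within:44; http_raw_header; base64_decode:bytes 44,relative; base64_data; content:"|00|"; within:44; content:"/cgi-bin/sslvpnclient"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2024-53704; reference:url,psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003; classtype:web-application-attack; sid:64648; rev:1;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52355',
    '[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.',
    '[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Fortinet FortiWeb SSO authentication bypass attempt"; flow:to_server,established; content:"SAMLResponse="; nocase; http_client_body; base64_decode:bytes 256,relative; base64_data; content:"|22|_bypass1337|22|"; distance:0; content:"/remote/saml/login"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2025-59718; reference:cve,2025-59719; reference:url,fortiguard.com/psirt/FG-IR-25-647; classtype:attempted-admin; sid:65619; rev:2;)" from file /usr/local/etc/suricata/suricata_22112_ix0/rules/suricata.rules at line 52555',
    '[101572 - Suricata-Main] 2026-05-13 11:30:46 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.',
])
ENTRY_RE = re.compile(r"(?=\[\d+ - [^\]]+\] \d{4}-\d{2}-\d{2} )")  # one log entry per '[pid - thread] date'
SIG_RE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)')
REASON_RE = re.compile(r"Error: detect-parse: (?P<reason>.*)$")
# Legacy modifier -> sticky buffer, per the Suricata HTTP keyword documentation.
# Abbreviated to the HTTP buffers (assumption); extend for other protocols.
MODIFIER_TO_STICKY = {
    "http_uri": "http.uri", "http_raw_uri": "http.uri.raw", "http_header": "http.header",
    "http_raw_header": "http.header.raw", "http_client_body": "http.request_body",
    "http_server_body": "http.response_body", "http_cookie": "http.cookie",
    "http_method": "http.method", "http_user_agent": "http.user_agent", "http_host": "http.host",
}
STICKY_BUFFERS = {"base64_data", "file_data", "file.data"} | set(MODIFIER_TO_STICKY.values())

FailedRule = namedtuple("FailedRule", "sid file line reason cves rule")

def split_entries(text):
    """One element per '[pid - thread] date ...' entry, however the lines were wrapped."""
    return [e.strip() for e in ENTRY_RE.split(text) if e.strip()]

def parse_failed_rules(text):
    """Pair each 'error parsing signature' entry with the detect-parse reason logged after it."""
    entries, failed = split_entries(text), []
    for i, entry in enumerate(entries):
        m = SIG_RE.search(entry)
        if not m:
            continue
        rule = m.group("rule")
        nxt = REASON_RE.search(entries[i + 1]) if i + 1 < len(entries) else None
        sid = re.search(r"\bsid:(\d+);", rule)
        failed.append(FailedRule(sid=sid.group(1) if sid else "?", file=m.group("file"),
                                 line=int(m.group("line")), reason=nxt.group("reason").strip() if nxt else "",
                                 cves=re.findall(r"reference:cve,([\d-]+);", rule), rule=rule))
    return failed

def split_options(rule):
    """Split the option block on ';' outside double quotes (backslash escapes honoured)."""
    body = rule[rule.find("(") + 1:rule.rfind(")")]
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if not esc and ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if not esc and ch == '"':
            in_quote = not in_quote
        esc = (ch == "\\") and not esc
        cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts

def find_modifier_after_sticky(rule):
    """(modifier, buffer) for the first legacy modifier hit while a sticky buffer is set, else None."""
    sticky = None
    for opt in split_options(rule):
        kw = opt.split(":", 1)[0].strip()
        if kw == "pkt_data":
            sticky = None
        elif kw in STICKY_BUFFERS:
            sticky = kw
        elif kw in MODIFIER_TO_STICKY and sticky is not None:
            return kw, sticky
    return None

def rewrite_modifier_after_sticky(rule):
    """content:"X"; fast_pattern:only; http_uri;  ->  http.uri; content:"X"; fast_pattern;
    Assumes the modified content is the rule's last content match (true for every failing
    rule in this log). fast_pattern:only is reduced to plain fast_pattern as a conservative
    choice. Confirm the result with 'suricata -T' before deploying it."""
    opts, sticky, i = split_options(rule), None, 0
    while i < len(opts):
        kw = opts[i].split(":", 1)[0].strip()
        if kw == "pkt_data":
            sticky = None
        elif kw in STICKY_BUFFERS:
            sticky = kw
        elif kw in MODIFIER_TO_STICKY and sticky is not None:
            j = i - 1  # walk back to the content this modifier belongs to
            while j >= 0 and not opts[j].startswith("content:"):
                j -= 1
            if j < 0:
                raise ValueError(f"{kw} has no preceding content")
            sticky = MODIFIER_TO_STICKY[kw]
            del opts[i]
            opts.insert(j, sticky)  # length unchanged: opts[i + 1] is still the next original option
        i += 1
    opts = ["fast_pattern" if o == "fast_pattern:only" else o for o in opts]
    return rule[:rule.find("(") + 1] + "; ".join(opts) + ";)"
```

Run against the full suricata.log, `parse_failed_rules` gives the list of SIDs and CVEs that were not loaded in this run, which is the coverage report to hand to whoever owns the ruleset; `find_modifier_after_sticky` returning None for a rewritten rule is only a pre-check, and `suricata -T` against the rewritten rule file remains the gate before reloading. Note also from the closing lines that the RX thread on ix0 reported 0 packets over the 13559 s the engine ran, so this session exercised none of the 53324 rules that did load.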