[102021 - Suricata-Main] 2023-12-24 23:49:01 Notice: suricata: This is Suricata version 7.0.2 RELEASE running in SYSTEM mode [102021 - Suricata-Main] 2023-12-24 23:49:01 Info: cpu: CPUs/cores online: 4 [102021 - Suricata-Main] 2023-12-24 23:49:01 Info: suricata: Setting engine mode to IDS mode by default [102021 - Suricata-Main] 2023-12-24 23:49:01 Info: app-layer-htp-mem: HTTP memcap: 67108864 [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Creating automatic firewall interface IP address Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix0 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix0 IPv4 address to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.5 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List. 
[102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.5 IPv4 address 10.10.5.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.15 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.15 IPv4 address 10.10.15.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.25 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.25 IPv4 address 10.10.25.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.45 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.45 IPv4 address 10.10.45.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.31 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.31 IPv4 address 10.10.31.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.32 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.32 IPv4 address 10.10.32.1 to automatic interface IP Pass List. 
[102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.33 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.33 IPv4 address 10.10.33.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.34 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.34 IPv4 address 10.10.34.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.35 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.35 IPv4 address 10.10.35.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.36 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.36 IPv4 address 10.10.36.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.37 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.37 IPv4 address 10.10.37.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface lagg0.38 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6da to automatic interface IP Pass List. 
[102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.55 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.55 IPv4 address 10.10.55.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.60 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d9 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ix1.60 IPv4 address 10.10.60.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns1 IPv4 address 10.10.6.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns2 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns2 IPv4 address 10.10.7.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns2 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns3 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List. 
[102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns3 IPv4 address 10.10.8.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns3 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns4 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns4 IPv4 address 10.10.9.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns4 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns5 IPv6 address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns5 IPv4 address 10.10.10.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface ovpns5 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Adding firewall interface tun_wg0 IPv4 address 10.10.11.1 to automatic interface IP Pass List. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: logopenfile: alert-pf output device (regular) initialized: block.log [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Loading and parsing Pass List from: /usr/local/etc/suricata/suricata_57861_ix0/passlist. 
[102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Pass List /usr/local/etc/suricata/suricata_57861_ix0/passlist processed: Total entries parsed: 26, IP addresses/netblocks/aliases added to No Block list: 26, IP addresses/netblocks ignored because they were covered by existing entries: 0. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: pfSense Suricata Custom Blocking Module initialized: pf-table=snort2c block-ip=both kill-state=yes block-drops-only=yes passlist-debugging=no [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: alert-pf: Created Interface IP Address change monitoring thread for auto-whitelisting of firewall interface IP addresses. [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: logopenfile: fast output device (regular) initialized: alerts.log [102278 - Suricata-Main] 2023-12-24 23:49:02 Info: logopenfile: http-log output device (regular) initialized: http.log [102368 - Suricata-IM#01] 2023-12-24 23:49:02 Info: alert-pf: Firewall Interface IP Address Change Monitor Thread IM#01 has successfully started. 
[102278 - Suricata-Main] 2023-12-24 23:49:16 Error: detect-tls-ja3-hash: ja3 support is not enabled [102278 - Suricata-Main] 2023-12-24 23:49:16 Error: detect: error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, confidence Low, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 7933 [102278 - Suricata-Main] 2023-12-24 23:49:16 Error: detect-tls-ja3s-hash: ja3(s) support is not enabled [102278 - Suricata-Main] 2023-12-24 23:49:16 Error: detect: error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)"; flow:established,to_client; flowbits:isset,ETPRO.asyncrat.flowbit; ja3s.hash; content:"b74704234e6128f33bff9865696e31b3"; fast_pattern; reference:url,github.com/NYAN-x-CAT/AsyncRAT-C-Sharp; classtype:command-and-control; sid:2842478; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category JA3, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_05_08;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 8028 [102278 - Suricata-Main] 2023-12-24 23:51:19 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:19 Error: detect: error 
parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; file_data; content:"for (let i = 0|3B| i < n|3B| i++) {|0D 0A 20 20 20 20 20 20 20 20|new cls()|3B|"; content:"0x00010000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0590; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0590; classtype:attempted-user; sid:49129; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 59602 [102278 - Suricata-Main] 2023-12-24 23:51:20 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:20 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt"; flow:to_client,established; file_data; file_data; content:"createTextRange"; content:".execCommand"; within:20; content:"InsertIFrame"; within:20; fast_pattern; nocase; content:"innerHTML"; within:500; content:"onpropertychange"; within:50; nocase; content:"removeAttribute"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2491; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35975; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60239 [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; 
flow:to_server,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; fast_pattern; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:6;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60817 [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:6;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60818 [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Cisco WebEx extension command execution attempt"; flow:to_server,established; file_data; file_data; content:"CustomEvent"; nocase; content:"connect"; within:50; nocase; content:"CustomEvent"; nocase; content:"message"; within:50; nocase; content:"message_type"; nocase; content:"launch_meeting"; within:50; nocase; 
content:"GpcComponentName"; fast_pattern; content:!"YXRtY2NsaS5ETEw="; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:attempted-admin; sid:41408; rev:3;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60899 [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:22 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit out-of-bounds write attempt"; flow:to_client,established; file_data; file_data; content:"try { (function () { let a = { get val() { [...{a = 1.45}] = []|3B| a.val.x|3B| }, }|3B| a.val|3B| })()|3B| } catch (e) { } "; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2505; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1137; classtype:attempted-user; sid:51391; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60930 [102278 - Suricata-Main] 2023-12-24 23:51:26 Error: detect-parse: "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-24 23:51:26 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:5;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 62546 [102278 - Suricata-Main] 2023-12-24 23:51:29 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:29 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt"; flow:to_server,established; file_data; file_data; content:"|6A FB 8F 05 F0 06 DA F7 8F 05 0E 60 F9 6A 77 01 99 F7 25 03 F7 AD 4D 15 3A F5 62 F7 30 F7 18 1A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9161; reference:url,www.cvedetails.com/cve/CVE-2014-9161; classtype:attempted-user; sid:33455; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 64683 [102278 - Suricata-Main] 2023-12-24 23:51:31 Error: detect-urilen: depth or urilen 11 smaller than content len 17 [102278 - Suricata-Main] 2023-12-24 23:51:31 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; 
reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 65988 [102278 - Suricata-Main] 2023-12-24 23:51:31 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [102278 - Suricata-Main] 2023-12-24 23:51:31 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 66750 [102278 - Suricata-Main] 2023-12-24 23:51:32 Error: detect-distance: previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content [102278 - Suricata-Main] 2023-12-24 23:51:32 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 66982 [102278 - Suricata-Main] 2023-12-24 23:51:32 Error: detect-pcre: unknown regex modifier 'K' [102278 - Suricata-Main] 2023-12-24 23:51:32 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 67048 [102278 - Suricata-Main] 2023-12-24 23:51:32 Error: detect-parse: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-24 23:51:32 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 67112 [102278 - Suricata-Main] 2023-12-24 23:51:33 Error: detect-within: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content [102278 - Suricata-Main] 2023-12-24 23:51:33 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 67655 [102278 - Suricata-Main] 2023-12-24 23:51:34 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-24 23:51:34 Error: detect: 
error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; file_data; content:"|50 45 00 00 4C 01 03 00 D8 81 CF 53 00 00 00 00 00 00 00 00 E0 00|"; depth:22; offset:240; content:"|74 00 00 00 00 00 00 00 4F AF 08 00 48 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:32; distance:170; fast_pattern:0,25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-1345; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1345; classtype:attempted-admin; sid:51874; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 68265 [102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect-parse: no matches in sticky buffer file_data [102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Authedmine TLS client hello attempt"; flow:to_server,established; file_data; ssl_state:client_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45952; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 68869 [102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER VMWare vSphere log4shell exploit attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; http_client_body; content:"RelyingPartyEntityId"; distance:0; nocase; http_client_body; content:"|0D 0A 0D 0A|"; distance:0; http_client_body; base64_decode:bytes 64,relative; base64_data; pcre:"/\x24\x7b(jndi|[^\x7d]*?\x24\x7b[^\x7d]*?\x3a[^\x7d]*?\x7d)/i"; content:"/websso/SAML2/SSOSSL/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58812; rev:3;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69249 [102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. 
[102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69295 [102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect-urilen: depth or urilen 4 smaller than content len 10 [102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt"; flow:to_server,established; content:"user_name="; fast_pattern:only; http_uri; urilen:4; content:"/cgi"; nocase; http_uri; pcre:"/[?&]user_name=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-5722; classtype:web-application-attack; sid:53858; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69323 [102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. 
[102278 - Suricata-Main] 2023-12-24 23:51:35 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69421 [102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-pcre: pcre with /R (relative) needs preceding match in the same buffer [102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:9;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69654 [102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:"System.Diagnostics"; fast_pattern; nocase; http_client_body; content:"Process"; distance:0; nocase; http_client_body; content:""; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"UnitySerializationHolder"; nocase; content:"/Powershell"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-21706; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-21706; classtype:attempted-user; sid:61359; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69779 [102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:"System.Diagnostics"; fast_pattern; nocase; http_client_body; content:"Process"; distance:0; nocase; http_client_body; content:""; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"MultiValuedProperty"; nocase; content:"/Powershell"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-21529; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-21529; classtype:attempted-user; sid:61360; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69780
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_vti_bin/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61939; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69801
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_layouts/15/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61938; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69802
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_api/"; fast_pattern:only; http_uri; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61937; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69803
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_vti_bin/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62469; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69831
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-pcre: Expression seen with a sticky buffer still set; either (1) reset sticky buffer with pkt_data or (2) use a sticky buffer providing "http request uri".
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"/_api/"; nocase; http_uri; content:"access_token="; fast_pattern; nocase; http_uri; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62468; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69832
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; fast_pattern; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_api/"; nocase; http_uri; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62467; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69833
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_layouts/15/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62465; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69835
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[102278 - Suricata-Main] 2023-12-24 23:51:36 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Qlik Sense Enterprise HTTP tunneling attempt"; flow:to_server,established; content:"/resources/qmc/fonts/"; fast_pattern:only; content:"/resources/qmc/fonts/"; nocase; http_raw_uri; content:"ttf"; distance:0; nocase; http_raw_uri; content:"Content-Length|3A|"; nocase; http_header; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; distance:0; nocase; http_header; pcre:"/^Transfer-Encoding\x3a[^\r\n]*?chunked/Him"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-41265; reference:url,community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801; classtype:attempted-user; sid:62761; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69853
[102278 - Suricata-Main] 2023-12-24 23:51:37 Info: detect: 2 rule files processed. 69909 rules successfully loaded, 147 rules failed
[102278 - Suricata-Main] 2023-12-24 23:51:37 Info: threshold-config: Threshold config parsed: 0 rule(s) found
[102278 - Suricata-Main] 2023-12-24 23:51:37 Info: detect: 69913 signatures processed. 213 are IP-only rules, 11758 are inspecting packet payload, 51295 inspect application layer, 106 are decoder event only
[102278 - Suricata-Main] 2023-12-24 23:51:37 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
[102278 - Suricata-Main] 2023-12-24 23:51:37 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
[102278 - Suricata-Main] 2023-12-24 23:51:37 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
[102278 - Suricata-Main] 2023-12-24 23:51:37 Warning: detect-flowbits: flowbit 'ET.gadu.loginsent' is checked but not set. Checked in 2008299 and 0 other sigs
[102278 - Suricata-Main] 2023-12-24 23:51:37 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs
[102278 - Suricata-Main] 2023-12-24 23:56:58 Info: runmodes: Using 1 live device(s).
[103463 - RX#01-ix0] 2023-12-24 23:56:59 Info: pcap: ix0: running in 'auto' checksum mode. Detection of interface state will require 1000 packets
[103463 - RX#01-ix0] 2023-12-24 23:56:59 Info: pcap: ix0: snaplen set to 1518
[102278 - Suricata-Main] 2023-12-24 23:56:59 Notice: threads: Threads created -> RX: 1 W: 4 FM: 1 FR: 1 Engine started.
[102368 - Suricata-IM#01] 2023-12-24 23:57:00 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:00 Info: alert-pf: Deleted address from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:00 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:00 Info: alert-pf: Added address to automatic firewall interface IP Pass List.
[103463 - RX#01-ix0] 2023-12-24 23:57:01 Info: checksum: No packets with invalid checksum, assuming checksum offloading is NOT used
[102368 - Suricata-IM#01] 2023-12-24 23:57:01 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:01 Info: alert-pf: Deleted address from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:03 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:03 Info: alert-pf: Added address to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:04 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:04 Info: alert-pf: Deleted address from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:06 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:06 Info: alert-pf: Added address to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:06 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:06 Info: alert-pf: Deleted address from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:07 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ix0.
[102368 - Suricata-IM#01] 2023-12-24 23:57:07 Info: alert-pf: Added address to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Deleted address 10.10.6.1 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Added address 10.10.6.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Deleted address 10.10.7.1 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:36 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Added address 10.10.7.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Added address 10.10.9.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:37 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Added address 10.10.10.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Added address 10.10.6.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns1.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Deleted address 10.10.7.1 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Added address 10.10.7.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns2.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Deleted address 10.10.9.1 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:38 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Added address 10.10.9.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns4.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Deleted address 10.10.10.1 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Deleted address fe80:0000:0000:0000:0000:0000:0000:0001 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Deleted address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 from automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Added address fe80:0000:0000:0000:0208:a2ff:fe0e:f6d8 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Added address 10.10.10.1 to automatic firewall interface IP Pass List.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Monitor Thread IM#01 received notification of IP address change on interface ovpns5.
[102368 - Suricata-IM#01] 2023-12-24 23:57:39 Info: alert-pf: Added address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic firewall interface IP Pass List.
[102278 - Suricata-Main] 2023-12-26 18:30:47 Notice: detect: rule reload starting
[102278 - Suricata-Main] 2023-12-26 18:30:47 Info: conf-yaml-loader: Configuration node 'filetype' redefined.
[102278 - Suricata-Main] 2023-12-26 18:30:56 Error: detect-tls-ja3-hash: ja3 support is not enabled
[102278 - Suricata-Main] 2023-12-26 18:30:56 Error: detect: error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, confidence Low, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 7940
[102278 - Suricata-Main] 2023-12-26 18:30:56 Error: detect-tls-ja3s-hash: ja3(s) support is not enabled
[102278 - Suricata-Main] 2023-12-26 18:30:56 Error: detect: error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)"; flow:established,to_client; flowbits:isset,ETPRO.asyncrat.flowbit; ja3s.hash; content:"b74704234e6128f33bff9865696e31b3"; fast_pattern; reference:url,github.com/NYAN-x-CAT/AsyncRAT-C-Sharp; classtype:command-and-control; sid:2842478; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category JA3, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_05_08;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 8035
[102278 - Suricata-Main] 2023-12-26 18:32:15 Error: detect: previous sticky buffer has no matches
[102278 - Suricata-Main] 2023-12-26 18:32:15 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Edge type confusion attempt"; flow:to_server,established; file_data; file_data; content:"for (let i = 0|3B| i < n|3B| i++) {|0D 0A 20 20 20 20 20 20 20 20|new cls()|3B|"; content:"0x00010000"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-0590; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0590; classtype:attempted-user; sid:49129; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 59606
[102278 - Suricata-Main] 2023-12-26 18:32:17 Error: detect: previous sticky buffer has no matches
[102278 - Suricata-Main] 2023-12-26 18:32:17 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt"; flow:to_client,established; file_data; file_data; content:"createTextRange"; content:".execCommand"; within:20; content:"InsertIFrame"; within:20; fast_pattern; nocase; content:"innerHTML"; within:500; content:"onpropertychange"; within:50; nocase; content:"removeAttribute"; within:150; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-2491; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-094; classtype:attempted-user; sid:35975; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60243
[102278 - Suricata-Main] 2023-12-26 18:32:18 Error: detect: previous sticky buffer has no matches
[102278 - Suricata-Main] 2023-12-26 18:32:18 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_server,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; fast_pattern; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26637; rev:6;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60821
[102278 - Suricata-Main] 2023-12-26 18:32:18 Error: detect: previous sticky buffer has no matches
[102278 - Suricata-Main] 2023-12-26 18:32:18 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer DCOMTextNode object use after free attempt"; flow:to_client,established; file_data; file_data; content:".getSelection"; content:".anchorNode.splitText("; content:".focusNode"; within:60; content:"CollectGarbage"; within:150; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-1312; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-037; classtype:attempted-user; sid:26636; rev:6;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60822
[102278 - Suricata-Main] 2023-12-26 18:32:19 Error: detect: previous sticky buffer has no matches
[102278 - Suricata-Main] 2023-12-26 18:32:19 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-OTHER Cisco WebEx extension command execution attempt"; flow:to_server,established; file_data; file_data; content:"CustomEvent"; nocase; content:"connect"; within:50; nocase; content:"CustomEvent"; nocase; content:"message"; within:50; nocase; content:"message_type"; nocase; content:"launch_meeting"; within:50; nocase; content:"GpcComponentName"; fast_pattern; content:!"YXRtY2NsaS5ETEw="; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:attempted-admin; sid:41408; rev:3;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60903
[102278 - Suricata-Main] 2023-12-26 18:32:19 Error: detect: previous sticky buffer has no matches
[102278 - Suricata-Main] 2023-12-26 18:32:19 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT Apple Safari WebKit out-of-bounds write attempt"; flow:to_client,established; file_data; file_data; content:"try { (function () { let a = { get val() { [...{a = 1.45}] = []|3B| a.val.x|3B| }, }|3B| a.val|3B| })()|3B| } catch (e) { } "; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-2505; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1137; classtype:attempted-user; sid:51391; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 60934
[102278 - Suricata-Main] 2023-12-26 18:32:21 Error: detect-parse: "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
[102278 - Suricata-Main] 2023-12-26 18:32:21 Error: detect: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:5;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 62550 [102278 - Suricata-Main] 2023-12-26 18:32:23 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-26 18:32:23 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Reader CoolType.DLL out-of-bounds memory access attempt"; flow:to_server,established; file_data; file_data; content:"|6A FB 8F 05 F0 06 DA F7 8F 05 0E 60 F9 6A 77 01 99 F7 25 03 F7 AD 4D 15 3A F5 62 F7 30 F7 18 1A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2014-9161; reference:url,www.cvedetails.com/cve/CVE-2014-9161; classtype:attempted-user; sid:33455; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 64687 [102278 - Suricata-Main] 2023-12-26 18:32:24 Error: detect-urilen: depth or urilen 11 smaller than content len 17 [102278 - Suricata-Main] 2023-12-26 18:32:24 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; 
reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 65992 [102278 - Suricata-Main] 2023-12-26 18:32:25 Error: detect-parse: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. [102278 - Suricata-Main] 2023-12-26 18:32:25 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 66754 [102278 - Suricata-Main] 2023-12-26 18:32:25 Error: detect-distance: previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content [102278 - Suricata-Main] 2023-12-26 18:32:25 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 66986 [102278 - Suricata-Main] 2023-12-26 18:32:26 Error: detect-pcre: unknown regex modifier 'K' [102278 - Suricata-Main] 2023-12-26 18:32:26 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.TreeTrunk outbound connection"; flow:to_server,established; urilen:10; content:"/index.jsp"; fast_pattern:only; http_uri; pcre:"/^([0-9A-F]{2}-){5}[0-9A-F]{2}$/K"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/sha256/8d9444ac349502314f97d25f000dbabb33e3b9737ac8e77e5e8452b719211edd; classtype:trojan-activity; sid:60270; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 67052 [102278 - Suricata-Main] 2023-12-26 18:32:26 Error: detect-parse: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:26 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HannabiGrabber info stealer outbound communication"; flow:to_server,established; file_data; content:"Hannabi Grabber"; fast_pattern:only; http_client_body; content:"```fix|5C|nPCName:"; http_client_body; content:"GB|5C|nAntivirus:"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/082e50f61aa3e649889defae5bccb1249fc1c1281b2b9f02e10cb1ede8a1d16f; classtype:trojan-activity; sid:60728; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 67116 [102278 - Suricata-Main] 2023-12-26 18:32:27 Error: detect-within: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content [102278 - Suricata-Main] 2023-12-26 18:32:27 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 67659 [102278 - Suricata-Main] 2023-12-26 18:32:27 Error: detect: previous sticky buffer has no matches [102278 - Suricata-Main] 2023-12-26 18:32:27 Error: detect: 
error parsing signature "drop tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; file_data; content:"|50 45 00 00 4C 01 03 00 D8 81 CF 53 00 00 00 00 00 00 00 00 E0 00|"; depth:22; offset:240; content:"|74 00 00 00 00 00 00 00 4F AF 08 00 48 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:32; distance:170; fast_pattern:0,25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2019-1345; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1345; classtype:attempted-admin; sid:51874; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 68269 [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect-parse: no matches in sticky buffer file_data [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect: error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Authedmine TLS client hello attempt"; flow:to_server,established; file_data; ssl_state:client_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45952; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 68873 [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER VMWare vSphere log4shell exploit attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; http_client_body; content:"RelyingPartyEntityId"; distance:0; nocase; http_client_body; content:"|0D 0A 0D 0A|"; distance:0; http_client_body; base64_decode:bytes 64,relative; base64_data; pcre:"/\x24\x7b(jndi|[^\x7d]*?\x24\x7b[^\x7d]*?\x3a[^\x7d]*?\x7d)/i"; content:"/websso/SAML2/SSOSSL/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58812; rev:3;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69253 [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. 
[102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69299 [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect-urilen: depth or urilen 4 smaller than content len 10 [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt"; flow:to_server,established; content:"user_name="; fast_pattern:only; http_uri; urilen:4; content:"/cgi"; nocase; http_uri; pcre:"/[?&]user_name=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-5722; classtype:web-application-attack; sid:53858; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69327 [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect-parse: unknown rule keyword 'http_raw_cookie'. 
[102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:2;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69425 [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect-pcre: pcre with /R (relative) needs preceding match in the same buffer [102278 - Suricata-Main] 2023-12-26 18:32:28 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:9;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69658 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:"System.Diagnostics"; fast_pattern; nocase; http_client_body; content:"Process"; distance:0; nocase; http_client_body; content:""; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"UnitySerializationHolder"; nocase; content:"/Powershell"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-21706; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-21706; classtype:attempted-user; sid:61359; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69783 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; content:"System.Diagnostics"; fast_pattern; nocase; http_client_body; content:"Process"; distance:0; nocase; http_client_body; content:""; nocase; http_client_body; base64_decode:bytes 1000,relative; base64_data; content:"MultiValuedProperty"; nocase; content:"/Powershell"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-21529; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-21529; classtype:attempted-user; sid:61360; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69784 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_vti_bin/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61939; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69805 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_layouts/15/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61938; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69806 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Bearer"; within:500; http_header; base64_decode:bytes 100,offset 1,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_api/"; fast_pattern:only; http_uri; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:61937; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69807 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_vti_bin/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62469; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69835 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-pcre: Expression seen with a sticky buffer still set; either (1) reset sticky buffer with pkt_data or (2) use a sticky buffer providing "http request uri". 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"/_api/"; nocase; http_uri; content:"access_token="; fast_pattern; nocase; http_uri; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62468; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69836 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; fast_pattern; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_api/"; nocase; http_uri; pcre:"/\x2f_api\x2f(web\x2f|lists\x2f|Microsoft|SP\x2e|_vti_bin|_layouts|apps\x2f|search\x2f)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62467; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69837 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-parse: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
[102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt"; flow:to_server,established; content:"access_token="; nocase; http_client_body; base64_decode:bytes 100,relative; base64_data; content:"|22|alg|22|"; nocase; content:"|22|none|22|"; within:50; nocase; content:"/_layouts/15/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-29357; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-29357; classtype:attempted-admin; sid:62465; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69839 [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content [102278 - Suricata-Main] 2023-12-26 18:32:29 Error: detect: error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Qlik Sense Enterprise HTTP tunneling attempt"; flow:to_server,established; content:"/resources/qmc/fonts/"; fast_pattern:only; content:"/resources/qmc/fonts/"; nocase; http_raw_uri; content:"ttf"; distance:0; nocase; http_raw_uri; content:"Content-Length|3A|"; nocase; http_header; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; distance:0; nocase; http_header; pcre:"/^Transfer-Encoding\x3a[^\r\n]*?chunked/Him"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2023-41265; reference:url,community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801; classtype:attempted-user; sid:62761; rev:1;)" from file /usr/local/etc/suricata/suricata_57861_ix0/rules/suricata.rules at line 69857 [102278 - 
Suricata-Main] 2023-12-26 18:32:29 Info: detect: 2 rule files processed. 69913 rules successfully loaded, 147 rules failed [102278 - Suricata-Main] 2023-12-26 18:32:29 Info: threshold-config: Threshold config parsed: 0 rule(s) found [102278 - Suricata-Main] 2023-12-26 18:32:29 Info: detect: 69917 signatures processed. 211 are IP-only rules, 11753 are inspecting packet payload, 51306 inspect application layer, 106 are decoder event only [102278 - Suricata-Main] 2023-12-26 18:32:29 Warning: detect-flowbits: flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs [102278 - Suricata-Main] 2023-12-26 18:32:29 Warning: detect-flowbits: flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs [102278 - Suricata-Main] 2023-12-26 18:32:29 Warning: detect-flowbits: flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs [102278 - Suricata-Main] 2023-12-26 18:32:29 Warning: detect-flowbits: flowbit 'ET.gadu.loginsent' is checked but not set. Checked in 2008299 and 0 other sigs [102278 - Suricata-Main] 2023-12-26 18:32:29 Warning: detect-flowbits: flowbit 'file.onenote' is checked but not set. Checked in 61666 and 1 other sigs [102278 - Suricata-Main] 2023-12-26 18:37:44 Notice: detect: rule reload complete