Netgate Discussion Forum

    Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?

    IDS/IPS
    21 Posts 2 Posters 2.2k Views
    • bmeeksB
      bmeeks
      last edited by bmeeks

      The question in the title of this thread comes up every now and then. And there are also quite a number of IDS/IPS users who are not even aware that quite a few of the rules in the various rules categories available from the Snort Vulnerability Research Team (VRT) and the Emerging Threats folks are "commented out".

      What "commented out" means is the line of rule text is prefixed by the "#" character. That identifies the entire line up to the next newline character as a comment. The rule is not loaded by the IDS/IPS engine when the category file is processed, thus the rule is not used to inspect traffic and can never fire an alert. I call such rules "default disabled" in the Snort and Suricata packages. Since they are, by default from the rule creators, commented out, they are functionally the same as disabled -- they will not get loaded and used to inspect traffic.

      But why are some rules commented out by default? In the past I've given a few reasons, but today I ran across this very informative post over on the Suricata forums: https://forum.suricata.io/t/commented-rules/2283/3. It was authored by a member of the Proofpoint/Emerging Threats rule writing team.

      To summarize the post, there are three main reasons for commenting out a given rule: (1) excessive false positives; (2) the rule is no longer relevant; or (3) the rule performs poorly, i.e., slows down traffic processing too much by being CPU intensive.

      Of course the IDS/IPS admin always has the option of choosing to enable such rules on a case-by-case basis. To do that in either package, go to the RULES tab, select the category in the Category drop-down selector, then find the rule and click the icon in the left-hand column to "force enable" the rule.

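      As an added illustration of what "commented out" means at the file level (this is not code from the Snort or Suricata packages or from the rule vendors): the script below reads a rules category file, separates the rules the engine will load from the default-disabled ones by that leading "#", and uncomments a chosen SID the way the package's force-enable icon does. The sample rules are constructed; only sid 2027757 is a real ET rule (the one quoted later in this thread).

```python
"""Classify the rules in a Snort/Suricata category file as enabled or
"default disabled" (commented out with a leading '#'), and force-enable
one rule by SID the way the pfSense package's force-enable icon does.

Added example: not code from the Snort/Suricata packages or the rule
vendors. SAMPLE_RULES is constructed; only sid 2027757 is a real ET rule.
"""
import re

# Rule actions recognised at the start of a rule line (longest first so the
# alternation does not stop early on "reject").
ACTIONS = ("rejectboth", "rejectsrc", "rejectdst", "reject", "alert",
           "sdrop", "drop", "pass", "log")
RULE_RE = re.compile(
    r"^(?P<comment>#\s*)?(?P<action>" + "|".join(ACTIONS) + r")\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

SAMPLE_RULES = """\
# Constructed sample in the layout of a vendor category file.
# ----- DNS rules -----
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; endswith; fast_pattern; classtype:bad-unknown; sid:2027757; rev:5;)
#alert dns $HOME_NET any -> any any (msg:"EXAMPLE noisy query rule, disabled by vendor for false positives"; dns.query; content:".example"; classtype:bad-unknown; sid:9000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE legacy rule, no longer relevant"; flow:to_server; content:"old"; classtype:misc-activity; sid:9000002; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE enabled drop rule"; flow:to_server; classtype:attempted-admin; sid:9000003; rev:1;)
"""


def parse_rules(text):
    """Return one dict per rule line. Plain comments and blank lines are
    skipped, exactly as the engine skips them."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        sid = re.search(r"\bsid:\s*(\d+)", opts)
        rev = re.search(r"\brev:\s*(\d+)", opts)
        msg = re.search(r'msg:\s*"([^"]*)"', opts)
        rules.append({
            "line": lineno,
            "enabled": m.group("comment") is None,   # '#' prefix => never loaded
            "action": m.group("action"),
            "proto": m.group("proto"),
            "sid": int(sid.group(1)) if sid else None,
            "rev": int(rev.group(1)) if rev else None,
            "msg": msg.group(1) if msg else "",
        })
    return rules


def summarize(rules):
    """Counts of loaded vs. default-disabled rules plus the disabled SIDs."""
    disabled = [r for r in rules if not r["enabled"]]
    return {
        "total": len(rules),
        "enabled": len(rules) - len(disabled),
        "default_disabled": len(disabled),
        "disabled_sids": sorted(r["sid"] for r in disabled if r["sid"] is not None),
    }


def force_enable(text, sid):
    """Return the file text with the rule carrying `sid` uncommented, so the
    engine loads it on the next restart. Raises KeyError if no rule has that SID."""
    out, found = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m and re.search(r"\bsid:\s*%d\b" % sid, m.group("opts")):
            found = True
            if m.group("comment"):
                line = line[len(m.group("comment")):]   # strip the leading '#'
            out.append(line)
        else:
            out.append(raw)
    if not found:
        raise KeyError("no rule with sid %d" % sid)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    report = summarize(parse_rules(SAMPLE_RULES))
    print("loaded: %d, default disabled: %d -> %s" % (
        report["enabled"], report["default_disabled"], report["disabled_sids"]))
```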
      • P
        ProperCactus Rebel Alliance @bmeeks
        last edited by ProperCactus

        @bmeeks hello, I haven't touched my rules. I just upgraded to the latest Suricata package and it doesn't seem to work anymore.

        I look at suricata.log and there are a lot of errors loading the rules, so many that I cannot paste the log here; it is too long :(

        Here is my post https://forum.netgate.com/topic/170769/suricata-not-alerting-dns-or-any-rules

        Suricata says it is running and I can restart it etc, but it is like it is ignoring all the rules.

        • bmeeksB
          bmeeks @ProperCactus
          last edited by

          @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

          @bmeeks hello, I haven't touched my rules. I just upgraded to the latest Suricata package and it doesn't seem to work anymore.

          I look at suricata.log and there are a lot of errors loading the rules, so many that I cannot paste the log here; it is too long :(

          Here is my post https://forum.netgate.com/topic/170769/suricata-not-alerting-dns-or-any-rules

          Suricata says it is running and I can restart it etc, but it is like it is ignoring all the rules.

          I've mentioned many, many times in my replies here on the forum that Suricata does not digest a lot of the Snort VRT rules. That's because Suricata is a different engine internally and does not recognize all of the same keywords and actions that Snort uses. The Emerging Threats rules have a version that is created specifically for Suricata. The Suricata package on pfSense downloads that version of ET rules.

          When you use the Snort rules, you just have to accept that a number of them will fail to load. Suricata notes the syntax errors in the log, ignores loading the rule, and just rolls on.

          This is especially going to be true if you are trying to use the Snort3 rules in Suricata. It is not going to like many of those rules.

          • P
            ProperCactus Rebel Alliance @bmeeks
            last edited by ProperCactus

            @bmeeks thanks for the reply, yes I'm using Snort v2 registered rules as well as ET Open rules. I don't mind that it skips some rules, but it seems rules that used to work don't anymore :(

            The DNS rules not working are ET rules, like the simple detect .to DNS query; it just doesn't work anymore and it isn't a Snort rule.

            • bmeeksB
              bmeeks @ProperCactus
              last edited by

              @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

              @bmeeks thanks for the reply, yes I'm using Snort v2 registered rules as well as ET Open rules. I don't mind that it skips some rules, but it seems rules that used to work don't anymore :(

              The DNS rules not working are ET rules, like the simple detect .to DNS query; it just doesn't work anymore and it isn't a Snort rule.

              Are you using DoT or DoH? Remember Suricata cannot see encrypted traffic.

              Also double-check and make sure that your HOME_NET and EXTERNAL_NET settings are correct.

              • P
                ProperCactus Rebel Alliance @bmeeks
                last edited by

                @bmeeks I just noticed all the Snort rules are unticked anyway.

                I use DoT on the upstream from unbound on pfSense to the upstream DNS; however, on the local network all devices are using normal DNS (tcp/udp 53), and I used to get alerts when I would visit a .to website but not anymore. I even force DNS resolution using nslookup to the DNS server on the interface being monitored by Suricata; it definitely should fire an alert.

                Where can I find $HOME_NET to edit it?

                • P
                  ProperCactus Rebel Alliance @bmeeks
                  last edited by ProperCactus

                  @bmeeks I found my home_net; it is set as default and when I click on view list it has:

                  9.9.9.9/32
                  10.1.0.0/17
                  10.128.0.0/20
                  10.255.255.254/32
                  127.0.0.1/32
                  149.112.112.112/32
                  192.168.1.1/32
                  192.168.1.4/32
                  192.168.2.0/24
                  192.168.3.0/24
                  192.168.4.0/24
                  192.168.69.0/24
                  ::1/128
                  fe80::2e0:67ff:fe26:3f6a/128
                  fe80::2e0:67ff:fe26:3f6b/128
                  fe80::2e0:67ff:fe26:3f68/128
                  fe80::2e0:67ff:fe26:3f69/128
                  fe80::5a9c:fcff:fe10:ff9a/128

                  external_net is just that list with a '!' in front of each value.

                  @bmeeks would I be right in thinking that if the DNS server is on 192.168.2.1 and it's declared as home_net, the rule probably won't fire as it is home_net to home_net not home_net to external_net?

                  So if client 192.168.2.20 sends a DNS query to 192.168.2.1 it's going to be home_net to home_net and thus not trigger an alert, right?

                  Actually I checked and the rule is to "any", so it should fire:

                  alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; endswith; fast_pattern; classtype:bad-unknown; sid:2027757; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
                  
                  • bmeeksB
                    bmeeks @ProperCactus
                    last edited by bmeeks

                    @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                    @bmeeks I just noticed all the Snort rules are unticked anyway.

                    I use DoT on the upstream from unbound on pfSense to the upstream DNS; however, on the local network all devices are using normal DNS (tcp/udp 53), and I used to get alerts when I would visit a .to website but not anymore. I even force DNS resolution using nslookup to the DNS server on the interface being monitored by Suricata; it definitely should fire an alert.

                    Where can I find $HOME_NET to edit it?

                    HOME_NET is automatically populated with default values that should be correct in almost every instance. You can see the actual content by visiting the INTERFACES tab, choosing the Edit icon beside the interface in question, then scrolling down to the HOME_NET drop-down selector. Click the View button just to the right of the drop-down to see the variable's content.

                    To customize HOME_NET you would need to create a custom Pass List and then assign that list by choosing it in the drop-down selector for HOME_NET. But rarely, if ever, is there a need to change from the defaults.

                    First, make sure Suricata is actually running on the interface by using this command from a shell prompt on the firewall console to see the process:

                    ps -ax | grep suricata
                    

                    You should see one or more running Suricata processes. Make sure there are no duplicates (meaning two Suricata instances running on the exact same interface).

                    Look carefully at the entire suricata.log file for the interface on the LOGS VIEW tab. Make sure there are no other errors in that log besides the Snort rule syntax errors.

                    Edit: your posted values for HOME_NET look fine assuming those IP subnets are correct for your firewall.

                    You can also visit the RULES tab when editing a Suricata interface and choose the "Active Rules" category in the Category drop-down selector. That will load and display only the actual active rules that Suricata is enforcing. Be sure your DNS rules are listed in there.

                    • P
                      ProperCactus Rebel Alliance @bmeeks
                      last edited by

                      @bmeeks

                      Yea, the subnets in home_net are what I am using; interesting that it puts my upstream DNS in home_net though.

                      ps -ax | grep suricata shows me 1 Suricata process on each interface I expect it on (2 interfaces total):

                      4035  -  Ss     5:00.80 /usr/local/bin/suricata -i igb2 -D -c /usr/local/etc/suricata/suricata_137_igb2/suricata.yaml --pidfil
                      99424  -  Ss     5:00.32 /usr/local/bin/suricata -i igb1 -D -c /usr/local/etc/suricata/suricata_49846_igb1/suricata.yaml --pidf
                       7752  0  S+     0:00.00 grep suricata
                      

                      Definitely the rule is enabled when I select Active Rules.

                      (Screenshot: Screen Shot 2022-03-15 at 3.12.10 am.png)

                      • P
                        ProperCactus Rebel Alliance @ProperCactus
                        last edited by

                        @bmeeks and this is the end of my suricata.log after all the filter errors:

                        15/3/2022 -- 02:23:31 - <Info> -- 2 rule files processed. 44300 rules successfully loaded, 43 rules failed
                        15/3/2022 -- 02:23:31 - <Info> -- Threshold config parsed: 0 rule(s) found
                        15/3/2022 -- 02:23:34 - <Info> -- 44300 signatures processed. 1840 are IP-only rules, 5796 are inspecting packet payload, 26492 inspect application layer, 108 are decoder event only
                        15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28579 and 6 other sigs
                        15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                        15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                        15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
                        15/3/2022 -- 02:26:01 - <Info> -- Using 1 live device(s).
                        15/3/2022 -- 02:26:01 - <Info> -- using interface igb1
                        15/3/2022 -- 02:26:01 - <Info> -- running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
                        15/3/2022 -- 02:26:01 - <Info> -- Set snaplen to 1518 for 'igb1'
                        15/3/2022 -- 02:26:02 - <Info> -- RunModeIdsPcapAutoFp initialised
                        15/3/2022 -- 02:26:02 - <Notice> -- all 5 packet processing threads, 2 management threads initialized, engine started.

                        • bmeeksB
                          bmeeks @ProperCactus
                          last edited by

                          @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                          @bmeeks and this is the end of my suricata.log after all the filter errors:

                          15/3/2022 -- 02:23:31 - <Info> -- 2 rule files processed. 44300 rules successfully loaded, 43 rules failed
                          15/3/2022 -- 02:23:31 - <Info> -- Threshold config parsed: 0 rule(s) found
                          15/3/2022 -- 02:23:34 - <Info> -- 44300 signatures processed. 1840 are IP-only rules, 5796 are inspecting packet payload, 26492 inspect application layer, 108 are decoder event only
                          15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28579 and 6 other sigs
                          15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
                          15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
                          15/3/2022 -- 02:23:34 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ppsx&file.zip' is checked but not set. Checked in 26068 and 1 other sigs
                          15/3/2022 -- 02:26:01 - <Info> -- Using 1 live device(s).
                          15/3/2022 -- 02:26:01 - <Info> -- using interface igb1
                          15/3/2022 -- 02:26:01 - <Info> -- running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
                          15/3/2022 -- 02:26:01 - <Info> -- Set snaplen to 1518 for 'igb1'
                          15/3/2022 -- 02:26:02 - <Info> -- RunModeIdsPcapAutoFp initialised
                          15/3/2022 -- 02:26:02 - <Notice> -- all 5 packet processing threads, 2 management threads initialized, engine started.

                          The above all looks fine. Those flowbit errors are not a problem. Many times they are simply a result of errors or typos from the rule creators.

                          You should be seeing alerts based on what I see in your screenshots. The next step would be to run a packet capture on the firewall interface and verify exactly what is traversing the wire with regards to lookups. Verify in the captured packets whether the "data" the rule is looking for is actually in cleartext.

                          • P
                            ProperCactus Rebel Alliance @bmeeks
                            last edited by

                            @bmeeks dunno if it matters, but there are a lot of errors like this as well, so many that I can't copy and paste them all:

                            15/3/2022 -- 02:23:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 35604
                            15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
                            15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 36412
                            15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
                            15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 36660
                            15/3/2022 -- 02:23:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
                            15/3/2022 -- 02:23:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 37990
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 38661
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 38662
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 40031
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                            15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 40032

                            • bmeeksB
                              bmeeks @ProperCactus
                              last edited by bmeeks

                              @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                              @bmeeks dunno if it matters, but there are a lot of errors like this as well, so many that I can't copy and paste them all:

                              15/3/2022 -- 02:23:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 35604
                              15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
                              15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 36412
                              15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
                              15/3/2022 -- 02:23:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"Cookie: __gads"; fast_pattern:only; content:"__gads="; http_cookie; content:"|3B| _gat="; distance:0; http_cookie; content:"|3B| _ga="; distance:0; http_cookie; content:"|3B| _u="; distance:0; http_cookie; content:"|3B| __io="; distance:0; http_cookie; content:"|3B| _gid="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/baeb13eea3a71cfaba9d20ef373dcea69cf31f2ec21f45b83f29f699330cb3e3/detection; classtype:trojan-activity; sid:58835; rev:1;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 36660
                              15/3/2022 -- 02:23:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
                              15/3/2022 -- 02:23:26 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 37990
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 38661
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 38662
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 40031
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sip_header'.
                              15/3/2022 -- 02:23:27 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)" from file /usr/local/etc/suricata/suricata_49846_igb1/rules/suricata.rules at line 40032

                              These are those Snort rules we discussed earlier whose syntax is not understood by Suricata. Errors like this are expected when using Snort rules in Suricata. Suricata logs the error and ignores those rules, not loading them at all. But none of these rules are your DNS rules. Suricata was not created to use Snort rules. Snort was created to use Snort rules. Suricata was created by a team sponsored by the folks behind the Emerging Threats rules, so Suricata was optimized for those rules. While Suricata can import a lot of Snort rules, there are still many that won't work because they use features and syntax supported by Snort that Suricata does not support.

                              • P
                                ProperCactus Rebel Alliance @bmeeks
                                last edited by

                                @bmeeks Weird thing is all those snort rule categories are disabled so how can it be trying to load them???

                                Screen Shot 2022-03-15 at 3.34.18 am.png

                                • P
                                  ProperCactus Rebel Alliance @bmeeks
                                  last edited by

                                  @bmeeks packet capture is not showing any packets at all on that interface but that is impossible because how can it receive and respond to DNS queries without packets, and it is definitely the correct IP address for the correct interface (192.168.2.1, igb1 (GREEN))

                                  • P
                                    ProperCactus Rebel Alliance @ProperCactus
                                    last edited by

                                    @bmeeks Got me totally beat, because I reset the rules and I have all the Snort categories disabled, so I don't know why I am getting all those errors for Snort rules I don't have enabled.

                                    • bmeeksB
                                      bmeeks @ProperCactus
                                      last edited by

                                      @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                                      @bmeeks Weird thing is all those snort rule categories are disabled so how can it be trying to load them???

                                      Screen Shot 2022-03-15 at 3.34.18 am.png

                                      Why do you think these are the categories for those rules? Have you cross-referenced the SID values to actually find the subject rules in these categories? I see at least one of the offending rules as being tagged with the "community ruleset" flag. It's also possible these rules are being imported because of an IPS Policy you may have enabled. Do you have an IPS Policy configured?

                                      • bmeeksB
                                        bmeeks @ProperCactus
                                        last edited by

                                        @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                                        @bmeeks packet capture is not showing any packets at all on that interface but that is impossible because how can it receive and respond to DNS queries without packets, and it is definitely the correct IP address for the correct interface (192.168.2.1, igb1 (GREEN))

                                        If packet capture on that interface is not showing matching traffic, then how can you expect Suricata to detect it? There may be an alternate route for traffic that is bypassing that firewall interface. Or you may not have properly configured the packet capture settings on pfSense.

                                        • P
                                          ProperCactus Rebel Alliance @bmeeks
                                          last edited by

                                          @bmeeks Ah yes indeed I have the "Security" policy set

                                          • bmeeksB
                                            bmeeks @ProperCactus
                                            last edited by

                                            @propercactus said in Why are some rules "commented out" in the Snort VRT and Emerging Threats Bundles?:

                                            @bmeeks Ah yes indeed I have the "Security" policy set

                                            You may want to review in your mind how rules are loaded. It's not simply a matter of categories you check on the CATEGORIES tab. There is IPS Policy (which overrides anything you do on the CATEGORY tab), and there is the SID MGMT tab which can also override CATEGORY tab decisions.

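The loading order described in the post above (the CATEGORIES tab, an IPS Policy that overrides it, and then the engine's own parse of each rule) can be checked against a rules file with a small script. The Python below is an added example, not the pfSense package's or any forum poster's code. The sample rules file is constructed: its first two rules are copied from the Suricata error output earlier in the thread, and SIDs 1000001 and 1000002 are made up. The behaviour it models is an assumption taken from this thread rather than from the package source: a matching IPS policy selects a rule by its `policy` metadata even when the rule author commented it out, a rule with no policy match loads only if its category is selected and it is not commented out, and Suricata then rejects any rule that uses a keyword it does not know (here `sip_header`, the one the log shows). The SID MGMT tab overrides are not modelled.

```python
"""Added example (not the pfSense package's or a forum poster's code): parse a
Snort/Suricata rules file and explain, per SID, whether a rule would be loaded.
Model assumed from this thread: an IPS policy selects rules by metadata and
overrides the CATEGORIES tab (even for '#'-prefixed rules); otherwise a rule
loads only if its category is selected and it is not commented out; finally
Suricata rejects rules that use keywords it does not know (sip_header in the
log output above). The SID MGMT tab is not modelled."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Keyword Suricata reported as "unknown rule keyword" in the log above; extend as needed.
SURICATA_UNKNOWN_KEYWORDS = {"sip_header"}

# Constructed sample file: the first two rules are copied from the log output above,
# SIDs 1000001 and 1000002 are made up for this example.
SAMPLE_RULES = r'''
alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; classtype:attempted-admin; sid:32041; rev:4;)
alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; classtype:attempted-dos; sid:48265; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE constructed rule commented out by its author"; content:"GET"; metadata:policy security-ips drop; sid:1000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"EXAMPLE constructed DNS rule"; content:"|07|example|04|test"; nocase; metadata:policy balanced-ips alert; sid:1000002; rev:1;)
# An ordinary comment line, not a disabled rule.
'''


@dataclass
class Rule:
    sid: int
    commented: bool                 # '#' prefix from the rule author ("default disabled")
    keywords: Set[str] = field(default_factory=set)
    policies: Dict[str, str] = field(default_factory=dict)   # e.g. {"security-ips": "drop"}
    msg: str = ""


# action, protocol, then anything up to the first '(' that opens the option body
_HEADER = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+.*?\((.*)\)\s*$")


def _split_options(body: str):
    """Split the option body on ';' outside double quotes (escaped quotes respected)."""
    out, cur, in_q, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_q = not in_q
        if ch == ";" and not in_q:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    return out + ([tail] if tail else [])


def parse_rules(text: str):
    """One rule per line; '#'-prefixed rule lines are kept and flagged as commented."""
    rules = []
    for line in text.splitlines():
        s = line.strip()
        commented = s.startswith("#")
        m = _HEADER.match(s.lstrip("# "))
        if not m:
            continue                # blank line or a real comment, not a disabled rule
        keywords, policies, sid, msg = set(), {}, None, ""
        for opt in _split_options(m.group(2)):
            key, _, val = opt.partition(":")
            key, val = key.strip(), val.strip()
            keywords.add(key)
            if key == "sid":
                sid = int(val)
            elif key == "msg":
                msg = val.strip('"')
            elif key == "metadata":
                # "policy <name> <action>" entries are what an IPS policy selects on
                for entry in val.split(","):
                    parts = entry.split()
                    if len(parts) == 3 and parts[0] == "policy":
                        policies[parts[1]] = parts[2]
        if sid is not None:
            rules.append(Rule(sid, commented, keywords, policies, msg))
    return rules


def loading_decision(rule: Rule, category_selected: bool,
                     ips_policy: Optional[str]) -> Tuple[bool, str]:
    """Return (would_load, reason) under the assumed model described at the top."""
    if ips_policy is not None and ips_policy in rule.policies:
        why = f"selected by IPS policy '{ips_policy}' (action {rule.policies[ips_policy]})"
    elif rule.commented:
        return False, "commented out by the rule author (default disabled)"
    elif category_selected:
        why = "enabled via its category"
    else:
        return False, "category not selected"
    unknown = rule.keywords & SURICATA_UNKNOWN_KEYWORDS
    if unknown:
        return False, f"{why}, but Suricata rejects keyword {sorted(unknown)}"
    return True, why


def report(text: str, category_selected: bool,
           ips_policy: Optional[str]) -> Dict[int, Tuple[bool, str]]:
    return {r.sid: loading_decision(r, category_selected, ips_policy)
            for r in parse_rules(text)}


if __name__ == "__main__":
    # The situation in this thread: Snort categories unchecked, "Security" IPS policy set.
    for sid, (loaded, why) in report(SAMPLE_RULES, False, "security-ips").items():
        print(f"sid {sid}: {'LOADED' if loaded else 'not loaded'} - {why}")
```

Run against the constructed file with no categories checked and the `security-ips` policy set, the two SIP rules from the log are selected by the policy and then rejected by Suricata for `sip_header`, the commented-out SID 1000001 is still selected by the policy, and the DNS rule (SID 1000002, policy `balanced-ips` only) is not loaded at all; that last case is the one to cross-reference by SID before assuming a rule category is responsible.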
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.