Suricata errors in the logs - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]



  • Hi all,

    I just noticed these Suricata errors in my logs.

    Any thoughts?

    Thanks

    Aug 23 06:32:23 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    Aug 23 06:32:23 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename=[a-z0-9]{24}.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 3015
    Aug 23 06:32:23 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    Aug 23 06:32:23 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename=[a-z0-9]{24}.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 3016
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|0A|User-Agent|3A 20|tiehttp"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A 20|"; nocase; http_client_body; content:"form-data|3B| name=|22|filename|22|"; distance:0; nocase; http_client_body; content:"|0D 0A 0D 0A|"; within:4; http_client_body; pcre:"/^\d{0,10}passes\d{1,10}.xm/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21760; rev:5;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 5848
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cap/?a=get&i="; nocase; http_uri; pcre:"/\d+&/miR"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 5991
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6050
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6266
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:established, to_server; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6323
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Critroni outbound connection"; flow:to_server,established; dsize:174; urilen:1; content:"/"; http_uri; content:"Host|3A| ip.telize.com|0D 0A|Accept|3A| /|0D 0A|User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/31.0.1650.63 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3c92d7a9dead6011f3c99829c745c384dd776d88f57bbd60bc4f9d66641819b/analysis/; classtype:trojan-activity; sid:31718; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6501
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro outbound connection"; flow:to_server,established; dsize:<200; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/"; http_header; content:"ompatible|3B| MSIE 31|3B| "; within:20; distance:6; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c716890a2a76785d53e8f9a5db2268501a30df807df4c4323967672efe452c/analysis/; classtype:trojan-activity; sid:31813; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6519
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tavdig outbound connection"; flow:to_server,established; content:"Cookie|3A| catid="; fast_pattern:only; content:"|3B| task="; http_cookie; content:"|3B| forumid="; within:100; http_cookie; content:"|3B| Itemid="; within:50; http_cookie; content:"|3B| link="; within:50; http_cookie; content:"|3B| layout="; within:50; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/; classtype:trojan-activity; sid:31944; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6536
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; content:"&data="; within:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea/analysis/; classtype:trojan-activity; sid:32311; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6588
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:1; distance:8; http_uri; content:"Host:"; http_header; content:":8080"; within:30; http_header; content:"POST"; http_method; dsize:<480; pcre:"/^/[a-f0-9]{8}/[a-f0-9]{8}/$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94/analysis/; classtype:trojan-activity; sid:32770; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6657
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 7032
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 7104
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 7168
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"_mdm_session"; fast_pattern:only; content:"_mdm_session"; nocase; http_cookie; content:!"|0D 0A|"; within:550; http_cookie; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; reference:url,osvdb.org/show/osvdb/115222; classtype:attempted-user; sid:33169; rev:3;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 7628
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt"; flow:to_server,established; urilen:<6; content:"/tsp"; nocase; http_uri; content:"_trusted-services-provider_session"; fast_pattern:only; content:"_trusted-services-provider_session"; nocase; http_cookie; content:!"|0D 0A|"; within:550; http_cookie; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; reference:url,osvdb.org/show/osvdb/115222; classtype:attempted-user; sid:33168; rev:3;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 7629
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt"; flow:to_server,established; urilen:<6; content:"/ssp"; nocase; http_uri; content:"_self-service-portal_session"; fast_pattern:only; content:"_self-service-portal_session"; nocase; http_cookie; content:!"|0D 0A|"; within:550; http_cookie; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; reference:url,osvdb.org/show/osvdb/115222; classtype:attempted-user; sid:33167; rev:3;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 7630
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    Aug 23 06:32:26 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt"; flow:to_server,established; urilen:<5; content:"/ap"; nocase; http_uri; content:"_admin-portal_session"; fast_pattern:only; content:"_admin-portal_session"; nocase; http_cookie; content:!"|0D 0A|"; within:550; http_cookie; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,71424; reference:cve,2014-6140; reference:url,osvdb.org/show/osvdb/115222; classtype:attempted-user; sid:33166; rev:3;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 7631
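Added triage helper (not part of the post above): Suricata reports each rejected rule as a reason line followed by an "error parsing signature ... from file F at line N" line, and this script pairs the two, pulls out the sid, msg, file and line, and groups sids by reason so the rules Suricata could not load can be reviewed or disabled in one pass. The sample log is constructed from a few of the posted entries with the rule bodies abridged.

```python
import re
from collections import defaultdict

# Constructed sample input: one notice line plus three reason/signature pairs in the
# format of the posted log (rule bodies abridged; sids and line numbers as posted).
SAMPLE_LOG = r"""
Aug 23 06:32:25 suricata 94537 [100163] <notice>– all 4 packet processing threads, 4 management threads initialized, engine started.
Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or from_client with http.
Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:established, to_server; content:"/cp/server.php"; http_uri; file_data; content:"AaB03x"; classtype:trojan-activity; sid:29978; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6323
Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tavdig outbound connection"; flow:to_server,established; content:"Cookie|3A| catid="; fast_pattern:only; content:"|3B| task="; http_cookie; classtype:trojan-activity; sid:31944; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6536
Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
Aug 23 06:32:25 suricata 94537 [100163] <error>– [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; classtype:trojan-activity; sid:32311; rev:2;)" from file /usr/local/etc/suricata/suricata_54300_pppoe0/rules/suricata.rules at line 6588
"""

# syslog prefix, Suricata log level, then the ERRCODE tag and the free-text message.
# Whatever sits between the level and "[ERRCODE" (the dash characters vary) is skipped.
ERR_RE = re.compile(
    r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \d+ \[\d+\] <(?P<level>\w+)>[^\[]*'
    r'\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$')
SIG_RE = re.compile(
    r'^error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r'\bsid:(?P<sid>\d+);')
MSG_RE = re.compile(r'msg:"(?P<msg>[^"]*)"')


def parse_suricata_errors(log_text):
    """Return one dict per rejected rule, carrying the reason Suricata printed
    on the line immediately before the 'error parsing signature' line."""
    failures = []
    pending_reason = None
    for raw in log_text.splitlines():
        m = ERR_RE.match(raw.strip())
        if not m:
            continue  # notices, stats and other non-ERRCODE lines are ignored
        text = m.group('text')
        sig = SIG_RE.match(text)
        if sig is None:
            pending_reason = text  # explanation line; the signature line follows
            continue
        rule = sig.group('rule')
        sid = SID_RE.search(rule)
        msg = MSG_RE.search(rule)
        failures.append({
            'errcode': m.group('code'),
            'reason': pending_reason or 'unspecified',  # tolerate a lone signature line
            'sid': int(sid.group('sid')) if sid else None,
            'msg': msg.group('msg') if msg else '',
            'file': sig.group('file'),
            'line': int(sig.group('line')),
        })
        pending_reason = None
    return failures


def group_by_reason(failures):
    """Map each reason string to the ordered list of sids that failed for it."""
    grouped = defaultdict(list)
    for f in failures:
        grouped[f['reason']].append(f['sid'])
    return dict(grouped)
```

Feeding the full posted log to parse_suricata_errors gives the per-reason sid lists to take to the rule-management side (these are Snort-syntax rules that Suricata's parser does not accept, so each sid stays disabled until the rule is rewritten for Suricata).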

