Issue with variable in suricata.yaml port-groups

On Suricata 6.0.9 on a Linux-based platform I see many errors that are all related to the error message at the bottom of this post. All complain about a missing APT_HTTP_PORTS variable.

Looking at the port-groups list in suricata.yaml, I see this, related to the error. I don't see anything wrong with the syntax. Is the range option (`:`) allowed in 6.0.9? Maybe list ports individually rather than as a colon-delimited range. Do you see anything else amiss? The indentation is the same for all variables listed under port-groups.

  port-groups:
    ...
    TEREDO_PORTS: "3544"
    APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"   # <<<<< here
    APT_MS_PORTS: "[139,445]"

Here is the error:

Apr 20 15:20:32 notice suricata: 20/4/2023 - 15:20:32 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $APT_HTTP_PORTS (msg:"Changedthis-CIRT (5030.1) Hidden Tear Open Source Ransomware C2 xyz"; content:"GET"; http_method; content:"/hidden-tear/"; content:"info="; http_uri; threshold:type limit, track by_dst, count 1, seconds 300; reference:url,https://crits.corporate.ge.com/crits/samples/details/4somenumbers437e5159fbd54cb7bb0c526e/#; classtype:gecirt-apt-nopage; priority:102; sid:6001999; rev:1;)" from file /etc/suricata/rules/suricata.rules at line 50521
Apr 20 15:20:32 notice suricata: 20/4/2023 - 15:20:32 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "APT_HTTP_PORTS" is not defined in configuration file   <<<<<< but it is defined!

Hi, can you post or DM

  • The suricata configuration file
  • A single rule that uses APT_HTTP_PORTS?

Have you ever noticed an issue with newer versions of Suricata such as 6.0.9 where formatting in suricata.yaml was an issue? I am unable to find documentation on the range option (such as 80:88) that I was asking about. Also, sometimes on Suricata upgrades, variables like this move to other positions in the file, which happened when we upgraded from 3.0 to 6.0...

Because of security issues, I'll have to check and see if I can provide the information you requested.

I wasn't able to replicate the issue you're seeing.

I used the rule (which is contained in the error message you posted) and added a setting for APT_HTTP_PORTS to my Suricata config file:

  port-groups:
    APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"

Is the indentation in the configuration file correct?
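As an added illustration of that indentation check (example code written for this page, not from the thread participants or the Suricata project): a small Python linter that reads the `vars` block of a suricata.yaml fragment with a minimal indentation-aware parser, flags port-group values that are not a port, an `a:b` range or a `$VAR` reference, and resolves the `$VAR`s in a rule header the way Suricata's loader does (address positions against `address-groups`, port positions against `port-groups`). A key that has drifted two spaces to the left is still valid YAML but lands directly under `vars`, so the rule check reports it as undefined even though it is visibly "in the file". The two YAML fragments and the rule are constructed for the example; the port validator assumes port-group values accept the same `a:b` range syntax as rule port fields.

```python
import re

# Constructed suricata.yaml fragments for this example (not the poster's file).
# GOOD: APT_HTTP_PORTS sits at the same indent as the other port-groups keys.
GOOD_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    TEREDO_PORTS: "3544"
    APT_MS_PORTS: "[139,445]"
    APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"
"""

# BAD: the same key de-indented by two spaces. Still valid YAML, but it now
# hangs off 'vars' directly, so a lookup in vars.port-groups will not find it.
BAD_YAML = """\
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    TEREDO_PORTS: "3544"
    APT_MS_PORTS: "[139,445]"
  APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"
"""

# Constructed rule with the same header shape as the one in the error message.
RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET $APT_HTTP_PORTS '
        '(msg:"constructed test rule"; sid:1; rev:1;)')


def parse_mapping(text):
    """Minimal parser for the nested 'key: value' subset of YAML that the
    vars section uses (no lists, no anchors). Nesting is decided purely by
    indentation, which is exactly what goes wrong when a key is mis-indented.
    Returns nested dicts; scalar values have their surrounding quotes removed."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:         # climb out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # 'key:' opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def validate_port_spec(spec, defined):
    """Check one port-group value: a port, an a:b / a: / :b range, or a $VAR
    reference, optionally negated with '!', alone or in a [..] comma list.
    Returns a list of problem strings (empty when the value is well formed)."""
    problems = []
    inner = spec.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    for item in inner.split(","):
        item = item.strip().lstrip("!")
        if item.startswith("$"):
            if item[1:] not in defined:
                problems.append(f"undefined variable {item}")
            continue
        m = re.fullmatch(r"(\d+)", item)
        if m:
            lo = hi = int(m.group(1))
        else:
            m = re.fullmatch(r"(\d*):(\d*)", item)
            if not m or not (m.group(1) or m.group(2)):
                problems.append(f"bad port item {item!r}")
                continue
            lo = int(m.group(1) or 0)          # '1024:' means 1024-65535
            hi = int(m.group(2) or 65535)      # ':1024' means 0-1024
        if not 0 <= lo <= hi <= 65535:
            problems.append(f"out-of-order or out-of-range ports {item!r}")
    return problems


def check_rule(rule, cfg):
    """Resolve the $VARs in a rule header against cfg['vars'], as the loader
    does: src/dst addresses use address-groups, src/dst ports use port-groups.
    Returns the names that are not defined where Suricata would look for them."""
    header = rule.split("(", 1)[0].split()    # action proto src sport dir dst dport
    if len(header) != 7:
        return ["malformed header"]
    groups = cfg.get("vars", {})
    addr, ports = groups.get("address-groups", {}), groups.get("port-groups", {})
    missing = []
    for idx, table, kind in ((2, addr, "address-groups"), (5, addr, "address-groups"),
                             (3, ports, "port-groups"), (6, ports, "port-groups")):
        for name in re.findall(r"\$([A-Za-z0-9_]+)", header[idx]):
            if name not in table:
                missing.append(f"{kind}: ${name}")
    return missing


def lint(yaml_text, rule):
    """Run both checks on a config fragment; returns a list of problem strings."""
    cfg = parse_mapping(yaml_text)
    groups = cfg.get("vars", {}).get("port-groups", {})
    problems = [f"{name}: {p}" for name, spec in groups.items()
                for p in validate_port_spec(spec, set(groups))]
    return problems + check_rule(rule, cfg)


if __name__ == "__main__":
    for label, text in (("good", GOOD_YAML), ("bad", BAD_YAML)):
        print(label, lint(text, RULE) or "OK")
```

The authoritative check remains Suricata's own test mode, `suricata -T -c /etc/suricata/suricata.yaml -S /etc/suricata/rules/suricata.rules`, which parses the real YAML and the real rules; the script above only makes the indentation failure mode visible on a fragment you can share without the full config.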