On Suricata 6.0.9 on a Linux-based platform I see many errors that are all related to the error message at the bottom of this post. All complain about a missing APT_HTTP_PORTS variable.
Looking at the port-groups list in suricata.yaml, I see this, related to the error. I don't see anything wrong with the syntax. Is the range (:) option allowed in 6.0.9? Maybe list ports individually rather than as a colon-delimited range. Do you see anything else amiss? The indentation is the same for all variables listed under port-groups.
```yaml
port-groups:
  # ...
  TEREDO_PORTS: "3544"
  APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"   # <<<<< here
  APT_MS_PORTS: "[139,445]"
```
Here is the error:
```text
Apr 20 15:20:32 notice suricata: 20/4/2023 -- 15:20:32 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $APT_HTTP_PORTS (msg:"Changedthis-CIRT (5030.1) Hidden Tear Open Source Ransomware C2 xyz"; content:"GET"; http_method; content:"/hidden-tear/"; content:"info="; http_uri; threshold:type limit, track by_dst, count 1, seconds 300; reference:url,https://crits.corporate.ge.com/crits/samples/details/4somenumbers437e5159fbd54cb7bb0c526e/#; classtype:gecirt-apt-nopage; priority:102; sid:6001999; rev:1;)" from file /etc/suricata/rules/suricata.rules at line 50521
Apr 20 15:20:32 notice suricata: 20/4/2023 -- 15:20:32 - - [ERRCODE: SC_ERR_UNDEFINED_VAR(101)] - Variable "APT_HTTP_PORTS" is not defined in configuration file   <<<<<< but it is defined!
```
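The following script is an added example, not code from the poster or from the Suricata project. It is a pre-flight check one can run over a suricata.yaml and a rules file before loading them: it pulls the `address-groups` and `port-groups` out of the top-level `vars:` block (the layout of the stock suricata.yaml), validates each port-group value against an approximation of Suricata's port syntax (single ports, `lo:hi` ranges, open-ended `lo:`/`:hi`, `!` negation, `$VAR` references, nested `[...]` lists), and then reports every `$VAR` in a rule header that is not defined in the group the header position requires. The sample YAML and rules are constructed for the example; the "misplaced" variant shows one way a variable can be present in the file yet "not defined" for a port position, and the curly-quote check flags typographic quotes, which YAML treats as part of the value rather than as quoting. Suricata's own `suricata -T -c /etc/suricata/suricata.yaml` remains the authoritative test; this script only narrows down where to look.

```python
import re

# Constructed sample of the relevant suricata.yaml block (not the poster's file).
SAMPLE_YAML = """\
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    TEREDO_PORTS: "3544"
    APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"
    APT_MS_PORTS: "[139,445]"
"""

# Same block with APT_HTTP_PORTS moved under address-groups (constructed): the
# variable exists in the file but not in the group a port position looks up.
MISPLACED_YAML = SAMPLE_YAML.replace(
    '    APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"\n', ""
).replace(
    "  port-groups:\n",
    '    APT_HTTP_PORTS: "[80:88,8000:8090,3128,443,9050,9400]"\n  port-groups:\n',
)

# Constructed rules: two reference defined port groups, one references a
# variable defined nowhere.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET $APT_HTTP_PORTS (msg:"hidden-tear C2"; sid:6001999; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $APT_MS_PORTS (msg:"smb"; sid:6002000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $NOT_A_GROUP (msg:"typo"; sid:6002001; rev:1;)
"""

GROUP_NAMES = ("address-groups", "port-groups")
QUOTES = "\"'\u201c\u201d\u2018\u2019"
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
HEADER_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def parse_var_groups(yaml_text):
    """Minimal indentation-based reader for the flat KEY: "value" lines under
    vars: -> address-groups / port-groups. Not a general YAML parser."""
    groups = {name: {} for name in GROUP_NAMES}
    current, in_vars = None, False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:                      # new top-level key
            in_vars, current = stripped == "vars:", None
            continue
        if not in_vars:
            continue
        if stripped.endswith(":") and stripped[:-1] in GROUP_NAMES:
            current = stripped[:-1]
            continue
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$", stripped)
        if m and current:
            groups[current][m.group(1)] = m.group(2)
    return groups


def unquote(value):
    """Strip straight or typographic quotes; also say whether curly ones were used."""
    curly = any(c in value for c in "\u201c\u201d\u2018\u2019")
    return value.strip(QUOTES), curly


def _split_top_level(spec):
    """Split on commas that are not inside a nested [...] list."""
    parts, depth, cur = [], 0, ""
    for c in spec:
        depth += (c == "[") - (c == "]")
        if c == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += c
    parts.append(cur)
    return parts


def port_spec_error(spec):
    """Return None if spec looks like valid Suricata port syntax, else a reason."""
    spec = spec.strip()
    if spec.startswith("!"):
        spec = spec[1:].strip()
    if spec.startswith("["):
        if not spec.endswith("]"):
            return f"unbalanced list: {spec!r}"
        for part in _split_top_level(spec[1:-1]):
            err = port_spec_error(part)
            if err:
                return err
        return None
    if spec == "any" or re.fullmatch(r"\$[A-Za-z_][A-Za-z0-9_]*", spec):
        return None
    if spec in ("", ":"):
        return "empty port token"
    lo_s, hi_s = spec.split(":", 1) if ":" in spec else (spec, spec)
    if any(s and not s.isdigit() for s in (lo_s, hi_s)):
        return f"bad port token: {spec!r}"
    lo = int(lo_s) if lo_s else 0
    hi = int(hi_s) if hi_s else 65535
    if not lo <= hi <= 65535:
        return f"port range out of order or out of range: {spec!r}"
    return None


def check_rules(yaml_text, rules_text):
    """Return [(sid_or_None, variable, problem)] for bad definitions and
    header variables missing from the group their position requires."""
    groups = parse_var_groups(yaml_text)
    problems = []
    for name, raw in groups["port-groups"].items():
        value, curly = unquote(raw)
        if curly:
            problems.append((None, name, "typographic quotes in YAML value"))
        err = port_spec_error(value)
        if err:
            problems.append((None, name, err))
    for line in rules_text.splitlines():
        m = HEADER_RE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        # header: action proto src sport dir dst dport -> positions 3/6 are
        # addresses, 4/7 are ports
        for field, group in ((m.group(3), "address-groups"), (m.group(6), "address-groups"),
                             (m.group(4), "port-groups"), (m.group(7), "port-groups")):
            for var in VAR_RE.findall(field):
                if var not in groups[group]:
                    kind = "address" if group == "address-groups" else "port"
                    problems.append((sid, var, f"{kind} variable not defined in vars.{group}"))
    return problems


if __name__ == "__main__":
    for label, yaml_text in (("sample", SAMPLE_YAML), ("misplaced", MISPLACED_YAML)):
        for sid, var, why in check_rules(yaml_text, SAMPLE_RULES):
            print(f"{label}: sid={sid} ${var}: {why}")
```

Run it against the real files by reading them into `check_rules`; a rule that fails only with "not defined in vars.port-groups" while the name does appear in the YAML points at indentation or placement, and a "typographic quotes" hit points at a copy-and-paste that replaced straight quotes.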