Some errors in ET Trojan rules

Did anyone notice that there are some errors in the ET TROJAN rules? I never had these errors before the rules were updated.

11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|READ|20|OR|20|GO|20|TO|20|JAIL!"; fast_pattern; content:"I|20|sent|20|it|20|from|20|your|20|email"; content:"removed|20|my|20|trojan"; content:"YOUR|20|ILLEGAL|20|ACTIVITIES!"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044125; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)"
11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|READ|20|OR|20|GO|20|TO|20|JAIL!"; fast_pattern; content:"I|20|sent|20|it|20|from|20|your|20|email"; content:"removed|20|my|20|trojan"; content:"YOUR|20|ILLEGAL|20|ACTIVITIES!"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044125; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)" from file /var/lib/suricata/rules/emerging-trojan.rules at line 41
11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 8 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|I|20|RECORDED|20|YOU!"; fast_pattern; content:"there|20|are|20|some|20|bad|20|news"; content:"My|20|trojan|20|allows|20|me"; content:"All|20|you|20|need|20|is|20|$"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044126; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)"
11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 8 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|I|20|RECORDED|20|YOU!"; fast_pattern; content:"there|20|are|20|some|20|bad|20|news"; content:"My|20|trojan|20|allows|20|me"; content:"All|20|you|20|need|20|is|20|$"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044126; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)" from file /var/lib/suricata/rules/emerging-trojan.rules at line 43
11/4/2023 -- 10:36:49 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

Hello there @noob_17!

The two rules in question, 2044125 and 2044126, were recently switched from the TROJAN category to the MALWARE category for the Suricata 5.0 ruleset. I have been able to confirm that the ruleset as published at https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules does not contain the duplicate rule.

What ruleset manager do you use?

This is what I think happened:

Background

As part of the Suricata 5.0 ruleset, the TROJAN category was moved to the MALWARE category. The “TROJAN” category was deprecated for the Suricata 5.0 ruleset. Due to a system error, these two rules were allowed into this ruleset when they were created on 2023-02-03. This allowed for the creation of the emerging-trojan.rules file.

On 2023-04-07, the placement of the rules in the TROJAN category was brought to our attention, and we then moved the rules back to the MALWARE category, placing the rules into the emerging-malware.rules, and would have removed the emerging-trojan.rules file from the ruleset.

Possible Issue

If the ruleset manager did not correctly handle the removal of the emerging-trojan.rules file and left that file with the two rules in it, and that file is enabled within your Suricata configuration, you might experience the duplicate rule error that you are seeing.

Possible Solution

Disable the emerging-trojan.rules within your configuration and/or ruleset manager.

Thanks for the clarification! I am using suricata-update to manage rules, but I still had the trojan rules set in the config file @bmurphy
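
A way to spot the condition described in this thread before Suricata refuses to load, shown as an added example that is not part of the original posts or of any Emerging Threats or Suricata tooling: it scans a rules directory for enabled signatures whose `sid` is defined more than once and reports the file and line of each copy. The function names, the placeholder rule bodies and sid 9000001 are constructed for illustration; only the two sids and the file names come from the thread.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Simplification: take the first "sid:<n>;" option found on each enabled rule line.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def find_duplicate_sids(rule_dir):
    """Map each sid defined more than once to the (file, line) pairs defining it."""
    seen = defaultdict(list)
    for path in sorted(Path(rule_dir).glob("*.rules")):
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            line = line.strip()
            if not line or line.startswith("#"):  # blank or disabled rule
                continue
            match = SID_RE.search(line)
            if match:
                seen[int(match.group(1))].append((path.name, lineno))
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}

def build_sample_dir(root):
    """Constructed sample: a stale emerging-trojan.rules left beside emerging-malware.rules."""
    rule = ('alert smtp $HOME_NET any -> $EXTERNAL_NET any '
            '(msg:"constructed sample {n}"; sid:{sid}; rev:1;)\n')
    moved = rule.format(n=1, sid=2044125) + rule.format(n=2, sid=2044126)
    # Stale file that the ruleset manager should have removed.
    (root / "emerging-trojan.rules").write_text(moved)
    # Current home of the two rules, plus a disabled line and an unrelated rule.
    (root / "emerging-malware.rules").write_text(
        '# alert tcp any any -> any any (msg:"disabled"; sid:2044125; rev:1;)\n'
        + moved + rule.format(n=3, sid=9000001))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dups = find_duplicate_sids(build_sample_dir(Path(tmp)))
        for sid, locs in sorted(dups.items()):
            print(sid, ", ".join(f"{name}:{line}" for name, line in locs))
```

Against a live sensor, call `find_duplicate_sids("/var/lib/suricata/rules")`, the directory shown in the error log above; any file it lists that the current ruleset no longer ships is a candidate for removal from the configuration.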