Some error ET Trojan rules

noob_17 · April 11, 2023, 9:43am

Did anyone noticed that there is some errors in ET TROJAN rules? Never had this errors before the rules were updated

11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|READ|20|OR|20|GO|20|TO|20|JAIL!"; fast_pattern; content:"I|20|sent|20|it|20|from|20|your|20|email"; content:"removed|20|my|20|trojan"; content:"YOUR|20|ILLEGAL|20|ACTIVITIES!"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044125; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)"
11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|READ|20|OR|20|GO|20|TO|20|JAIL!"; fast_pattern; content:"I|20|sent|20|it|20|from|20|your|20|email"; content:"removed|20|my|20|trojan"; content:"YOUR|20|ILLEGAL|20|ACTIVITIES!"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044125; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)" from file /var/lib/suricata/rules/emerging-trojan.rules at line 41
11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 8 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|I|20|RECORDED|20|YOU!"; fast_pattern; content:"there|20|are|20|some|20|bad|20|news"; content:"My|20|trojan|20|allows|20|me"; content:"All|20|you|20|need|20|is|20|$"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044126; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)"
11/4/2023 -- 10:36:31 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Phorpiex Template 8 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|I|20|RECORDED|20|YOU!"; fast_pattern; content:"there|20|are|20|some|20|bad|20|news"; content:"My|20|trojan|20|allows|20|me"; content:"All|20|you|20|need|20|is|20|$"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2044126; rev:1; metadata:created_at 2023_02_04, updated_at 2023_02_06;)" from file /var/lib/suricata/rules/emerging-trojan.rules at line 43
11/4/2023 -- 10:36:49 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

bmurphy · April 11, 2023, 12:31pm

Hello there @noob_17!

The two rules in question 2044125 and 2044126 where recently switched from the TROJAN category to the MALWARE category for the Suricata 5.0 ruleset. I have been able to confirm that the ruleset as published at https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules does not contain the duplicate rule.

What ruleset manager do yo use?

This is what I think happened:

Background

As part of the Suricata 5.0 ruleset, the TROJAN category was moved to the MALWARE category. The “TROJAN” category was deprecated for the Suricata 5.0 ruleset. Due to a system error, these tw rules were allowed into this ruleset when they were created on 2023-02-03. This allowed for the creation of the emerging-trojan.rules file.

On 2023-04-07, the placement of the rules in the TROJAN category was brought to our attention and then we moved the rules back to the MALWARE category placing the rules into the emerging-malware.rules and would have removed the emerging-trojan.rules file from the ruleset.

Possible Issue

If the ruleset manager did not correctly handle the removal of the emerging-trojan.rules file and left that file with the two rules in it and that file is enabled within your suricata configuration, you might experience a duplicate rule error that you are seeing.

Possible Solution

Disable the emerging-trojan.rules within your configuration and/or ruleset manager.

noob_17 · April 11, 2023, 1:11pm

Thanks for the clarification! I am using suricata-update to manage rules, but i still had the trojan rules set on the config file @bmurphy

Topic		Replies	Views
False Positive?: sig 2032926 "Abnormally Large SMTP EHLO Inbound" Rules	1	760	October 28, 2021
<Warning> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] Rules	3	3675	October 8, 2020
Content:!"" appear to not be working inside of rule "ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement""	5	108	October 1, 2024
SMB rule, but exclusion needed Rules suricata	2	682	November 7, 2023
Duplicate signature and error parsing signature errors Help rules	3	196	July 29, 2024

Some error ET Trojan rules

Background

Possible Issue

Possible Solution

Related topics