2/9/2021 -- 14:31:03 - <Notice> - This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
2/9/2021 -- 14:31:03 - <Info> - CPUs/cores online: 4
2/9/2021 -- 14:31:03 - <Info> - Found an MTU of 1500 for 'eno1'
2/9/2021 -- 14:31:03 - <Info> - Found an MTU of 1500 for 'eno1'
2/9/2021 -- 14:31:03 - <Info> - fast output device (regular) initialized: fast.log
2/9/2021 -- 14:31:03 - <Info> - eve-log output device (regular) initialized: eve.json
2/9/2021 -- 14:31:03 - <Info> - stats output device (regular) initialized: stats.log
2/9/2021 -- 14:31:03 - <Info> - Running in live mode, activating unix socket
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO CURRENT_EVENTS MalDoc Retrieving Payload 2017-12-12"; flow:established,to_server; content:"GET"; http_method; content:".php?utma="; http_uri; fast_pattern; pcre:"/^[a-z]{1,15}\x20HTTP/R"; content:"|20|MSIE|20|"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nAccept-Language\x3a\x20[^\r\n]+\r\nAccept-Encoding\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nConnection\x3a\x20[^\r\n]+\r\n\r\n$/Hmi"; content:!"Referer|3a|"; http_header; reference:md5,fdfff3bd262c85b447f693830ed2d9b6; classtype:trojan-activity; sid:2828866; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)" from file /etc/suricata/rules/current_events.rules at line 9332
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content.
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ETPRO CURRENT_EVENTS Inbound JS Downloader Using Wscript.Shell with Bitsadmin Transfer M1"; flow:established,from_server; content:"HTTP/1.1|20|200|20|OK"; depth:15; content:"|0d 0a 0d 0a|"; distance:0; content:"<script"; distance:0; depth:200; content:"Shell.run|28 22|bitsadmin|20|/transfer"; distance:0; fast_pattern:5,20; reference:md5,62f1a7840fcbd3eafc07889c2a40d13e; classtype:trojan-activity; sid:2833611; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2020_08_27;)" from file /etc/suricata/rules/current_events.rules at line 11872
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS XHR POST Request - Possible Form Grabber Activity"; flow:established,to_server; content:"POST"; http_method; content:"info="; http_client_body; depth:5; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&hostname="; http_client_body; distance:0; fast_pattern; content:"&key="; http_client_body; distance:0; content:"Content-Type|3a 20|application|2f|x-www-form-urlencoded|0d|"; http_header; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027818; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_31;)" from file /etc/suricata/rules/current_events.rules at line 15468
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 2836763 mixes keywords with conflicting directions
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO CURRENT_EVENTS Successful Generic Login Verification Phish 2019-06-10"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"/Verify.php?sessionid="; http_uri; fast_pattern; nocase; classtype:trojan-activity; sid:2836763; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_17;)" from file /etc/suricata/rules/current_events.rules at line 20538
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:!"https://*.paypal.com"; http_header; content:"|73 63 72 69 70 74 3a 20 6e 6f 64 65 2c 20 74 65 6d 70 6c 61 74 65 3a 20 20 2c 20 64 61 74 65 3a 20 4a 75 6c 20 33|"; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2025214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)" from file /etc/suricata/rules/current_events.rules at line 20642
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO DELETED Apple QuickTime Crafted HTTP Error Response Buffer Overflow 1"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a|"; nocase; http_header; content:"QuickTime"; http_header; pcre:"/^[^\x0D\x0A]*QuickTime/Ri"; flowbits:set,ETPRO.quick.time.ua; flowbits:noalert; reference:cve,CVE-2008-0234; reference:bugtraq,27225; reference:secunia,28423; classtype:attempted-user; sid:2800277; rev:7; metadata:created_at 2010_09_25, updated_at 2010_09_25;)" from file /etc/suricata/rules/deleted.rules at line 838
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_OFFSET_MISSING_CONTENT(107)] - distance needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent or file_data/dce_stub_data sticky buffer option
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; file_data; isdataat:76,relative; distance:0; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url, sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:4; metadata:created_at 2011_05_03, updated_at 2011_05_03;)" from file /etc/suricata/rules/deleted.rules at line 1942
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Expression seen with a sticky buffer still set; either (1) reset sticky buffer with pkt_data or (2) use a sticky buffer providing "http headers".
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; file_data; content:"PK"; within:2; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014664; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)" from file /etc/suricata/rules/deleted.rules at line 2378
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO DELETED Mal/Cimuz-F Checkin"; flow:to_server,established; content:"MSIE 6.0|3b|W"; http_header; content:"GET"; http_method; pcre:"/\x2f\d{4}\x2f[0-9A-Za-z]{10}\x2f[0-9A-Za-z]{4}\x2f[0-9A-Za-z]{12}\x2f[0-9A-Za-z]{15}\x2f\x20HTTP\x2f\x31\x2e\d/Ri"; reference:url,www.threatexpert.com/report.aspx?md5=0dcd39473885ef9fddad24dca1e0ae00; classtype:trojan-activity; sid:2802588; rev:2; metadata:created_at 2011_05_23, updated_at 2011_05_23;)" from file /etc/suricata/rules/deleted.rules at line 2416
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; content:"%3D|3b 20|cc2="; http_raw_cookie; content:"%3D|3b 20|cc3="; http_raw_cookie; content:"%3D|3b 20|cc4="; http_raw_cookie; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013695; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2020_04_22;)" from file /etc/suricata/rules/deleted.rules at line 3610
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO DELETED DarkSeoul Campaign Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/view_in.php?no="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&sn"; http_uri; content:"&sc="; http_uri; pcre:"/^[a-f0-9]{32}/R"; reference:url,nakedsecurity.sophos.com/2013/03/20/south-korea-cyber-attack/; reference:url,contagiodump.blogspot.com/2013/03/darkseoul-jokra-mbr-wiper-samples.html; reference:md5,50E03200C3A0BECBF33B3788DAC8CD46; reference:url,www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf; classtype:trojan-activity; sid:2806670; rev:5; metadata:created_at 2013_07_15, updated_at 2013_07_15;)" from file /etc/suricata/rules/deleted.rules at line 4236
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/deleted.rules at line 4598
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:!"User-Agent|3a| BDNC"; http_header; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)" from file /etc/suricata/rules/deleted.rules at line 4600
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (9)"; flow:established,to_server; dsize:>1000; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/deleted.rules at line 4608
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Beagle User Agent Detected"; flow: to_server,established; dsize:<150; content:"User-Agent|3a| beagle_beagle"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; reference:url,doc.emergingthreats.net/2001269; classtype:trojan-activity; sid:2001269; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/deleted.rules at line 5152
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO DELETED Win32/CoinMiner.SO .exe download 2"; flow:established,to_server; content:"GET"; http_method; content:"/tools/RegWriter.exe"; http_uri; fast_pattern; pcre:"/\x2e[a-z-A-Z]+\x5fencrypted HTTP\x2f1\x2e0/R"; content:"User-agent|3a| Mozilla/5.0 (compatible|3b| Konqueror"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,798bb03eb261dceb45d470d3d0ef140a; classtype:trojan-activity; sid:2808706; rev:1; metadata:created_at 2014_08_29, former_category COINMINER, updated_at 2020_05_04;)" from file /etc/suricata/rules/deleted.rules at line 5354
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO DELETED AdWare.AirPush checkin"; flow:established,to_server; content:"/items/"; depth:7; http_uri; pcre:"/^[0-9][a-zA-Z0-9]{19}/R"; content:!"Referer|3A|"; http_header; reference:md5,01e28a441c1cd449527a0dc236189987; classtype:trojan-activity; sid:2809426; rev:1; metadata:created_at 2014_12_30, updated_at 2014_12_30;)" from file /etc/suricata/rules/deleted.rules at line 5846
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO DELETED Win32/Ranbyus Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:5; content:"/buh/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:"Content-Type|3a 20|multipart/form-data"; http_header; depth:33; content:!"User-Agent|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; content:"|0d 0a 0d 0a|"; http_client_body; pcre:"/^[A-Za-z0-9+/=]+\r\n--[A-F0-9]{15}--\r\n$/R"; reference:md5,0fec698a880daa674e345050338cdbbc; classtype:trojan-activity; sid:2815305; rev:2; metadata:created_at 2015_12_10, updated_at 2015_12_10;)" from file /etc/suricata/rules/deleted.rules at line 7058
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ETPRO DELETED OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"Allow|3a 20|"; http_header; pcre:"/^[A-Z,-]*(?:[^A-Z,-]|[,]{2,})/R"; flowbits:isset,2017-9798; reference:cve,CVE-2017-9798; classtype:misc-activity; sid:2828003; rev:1; metadata:created_at 2017_09_22, updated_at 2017_09_22;)" from file /etc/suricata/rules/deleted.rules at line 9200
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO DELETED Possible Unk JSP WebShell Access M5"; flow:established,to_server; content:"GET"; http_method; content:".jsp"; http_uri; content:"tableName="; http_uri; distance:0; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; classtype:trojan-activity; sid:2838716; rev:3; metadata:created_at 2019_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_17;)" from file /etc/suricata/rules/deleted.rules at line 9938
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ETPRO EXPLOIT Cogent DataHub Command Injection"; flow:established,to_server; content:"POST"; http_method; content:"/Silverlight/GetPermissions.asp"; http_uri; content:!"Referer|3a|"; http_header; content:"username="; http_client_body; content:"&password="; http_client_body; pcre:"/^.+?%22%29%28/Rs"; reference:url,www.rapid7.com/db/modules/exploit/windows/http/cogent_datahub_command; classtype:attempted-user; sid:2808279; rev:2; metadata:created_at 2014_07_03, updated_at 2020_04_30;)" from file /etc/suricata/rules/exploit.rules at line 1592
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ETPRO EXPLOIT Easy MailChimp Forms Plugin XSS Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/wp-admin/admin-ajax.php"; http_uri; content:"action=yks_mailchimp_form"; fast_pattern; depth:25; http_client_body; content:"double-optin-message"; http_client_body; distance:0; pcre:"/(?:script|object)/Ri"; reference:url,research.g0blin.co.uk/cve-2014-7152/; classtype:attempted-admin; sid:2808949; rev:1; metadata:created_at 2014_10_07, updated_at 2020_05_12;)" from file /etc/suricata/rules/exploit.rules at line 1658
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO EXPLOIT Symantec Encryption Gateway RCE Exploit Attempt"; flow:to_server,established; content:"POST"; http_method; urilen:23; content:"/omc/uploadBackup.event"; http_uri; content:"filename|22|"; http_client_body; content:"|7c|"; http_client_body; distance:0; pcre:"/^[^\7c]*[\x60\x24\x28\x29\x7b\x7d\x5b\x5d\x22][^\7c]*\x7c/R"; reference:url,www.exploit-db.com/exploits/35949; classtype:attempted-admin; sid:2811593; rev:1; metadata:created_at 2015_06_19, updated_at 2020_05_28;)" from file /etc/suricata/rules/exploit.rules at line 1980
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution M2"; flow:to_server,established; content:"/board.cgi"; http_uri; fast_pattern; content:"cmd="; http_client_body; depth:4; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,blogs.securiteam.com/index.php/archives/3445; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026103; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_25;)" from file /etc/suricata/rules/exploit.rules at line 3292
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; content:"/handle_iscsi.php"; http_uri; content:"act=discover&address="; http_client_body; fast_pattern;  pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_19;)" from file /etc/suricata/rules/exploit.rules at line 3300
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys Smart WiFi Information Disclosure Attempt Inbound"; flow:established,to_server; content:"POST"; http_method; content:"/JNAP/"; http_uri; depth:6; content:"X-JNAP-Action|3a 20|http|3a 2f 2f|"; http_header; fast_pattern; pcre:"/^(?:www\.)?(cisco|linksys)\.com\/jnap\//Rsi"; reference:url,raw.githubusercontent.com/zeropwn/Linksys-Smart-WiFi-Information-Disclosure/master/nss.py; classtype:attempted-recon; sid:2027357; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)" from file /etc/suricata/rules/exploit.rules at line 3424
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT FortiOS SSL VPN - Pre-Auth Messages Payload Buffer Overflow (CVE-2018-13381)"; flow:established,to_server; content:"POST"; http_method; content:"/message"; http_uri; depth:8; content:"&msg=%26%23%3c"; http_client_body; fast_pattern; nocase; pcre:"/(?:\%3C){1000}/Ri"; reference:cve,CVE-2018-13381; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027884; rev:2; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)" from file /etc/suricata/rules/exploit.rules at line 3520
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)"; flow:established,to_server; content:"|7b 22|jsonrpc|22 3a 22|"; http_client_body; depth:12; content:"/getEnterpriseUser|22|"; http_client_body; distance:0; fast_pattern; content:",|22|params|22 3a 7b 22|id|22 3a|"; http_client_body; distance:0; pcre:"/^(?P<num_value>\d+)\x7d,\x22id\x22\x3a(?P=num_value)/R"; content:"POST"; http_method; reference:cve,2019-5533; classtype:attempted-admin; sid:2028928; rev:2; metadata:created_at 2019_10_31, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_31;)" from file /etc/suricata/rules/exploit.rules at line 3650
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"Authorization|3a 20|Basic|20|"; http_header; content:"/apply.cgi"; http_uri; depth:10; content:"change_action=gozila_cgi"; http_client_body; fast_pattern; content:"submit_type=language"; http_client_body; content:"&ui_language="; http_client_body; pcre:"/^[(?:\x60|%60)(?:\x27|%27)]/R"; reference:url,nstarke.github.io/0034-linksys-wrt54g-v3.1-writeup.html; classtype:attempted-admin; sid:2029734; rev:2; metadata:created_at 2020_03_24, former_category EXPLOIT, updated_at 2020_03_24;)" from file /etc/suricata/rules/exploit.rules at line 3744
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan"; flow:established,to_server; content:"POST"; http_method; content:"/albatross/restAPI/v2/nmap/run/scan/"; http_uri; depth:36; content:"form-data|3b 20|name=|22|ipAddress|22 0d 0a 0d 0a|--script="; http_client_body; fast_pattern; pcre:"/^\/(?:home\/a3user|root)\/agile3\/patches\//R"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029985; rev:3; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)" from file /etc/suricata/rules/exploit.rules at line 3766
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] $HTTP_PORTS (msg:"ET EXPLOIT Apache2 Memory Corruption Inbound (CVE-2020-9490)"; flow:established,to_server; content:"GET"; http_method; content:"Cache-Digest|3a 20|EA"; http_header; fast_pattern; pcre:"/^(?:8=|9BQQ==)\r?\n?/R"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2030&q=apache&can=1; reference:cve,2020-9490; classtype:attempted-admin; sid:2030830; rev:2; metadata:created_at 2020_09_03, cve CVE_2020_9490, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)" from file /etc/suricata/rules/exploit.rules at line 3926
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] $HTTP_PORTS (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; content:"POST"; http_method; content:"/service/v1/createUser"; http_uri; depth:22; fast_pattern; content:"|22|username|22|"; http_client_body; content:"|3a 20|"; http_client_body; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/R"; content:"Content-Type|3a 20|application/json"; http_header; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)" from file /etc/suricata/rules/exploit.rules at line 3962
2/9/2021 -- 14:31:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/exploit_kit.rules
2/9/2021 -- 14:31:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/hunting.rules
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Expression seen with a sticky buffer still set; either (1) reset sticky buffer with pkt_data or (2) use a sticky buffer providing "http headers".
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; content:"Content-Type|3A| application/java-archive"; http_header; fast_pattern:26,12; content:"Content-Length|3A| "; http_header; content:"|0D 0A|"; http_header; distance:5; within:2; file_data; content:"PK"; within:2; pcre:"/^Content\x2DLength\x3A\x20[12]\d{1,4}\x0D\x0A/Hmi"; classtype:bad-unknown; sid:2017639; rev:2; metadata:created_at 2013_10_28, updated_at 2020_08_20;)" from file /etc/suricata/rules/info.rules at line 504
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO INFO Suspicious Outbound Dotted Quad .tmp POST Request"; flow:established,to_server; content:"POST"; http_method; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Hmi"; content:"Content-Disposition|3a 20|form-data|3b|"; http_client_body; content:"filename=|22|"; http_client_body; distance:0; content:".tmp|22 0d 0a|"; http_client_body; distance:0; fast_pattern; content:"|0d 0a 0d 0a|"; http_client_body; distance:0; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rsi"; content:"Content-Type|3a 20|multipart|2f|form-data|3b 20|boundary"; http_header; reference:md5,4f55f59b71dbc4e31e2a124ee81ee9a9; classtype:trojan-activity; sid:2837960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)" from file /etc/suricata/rules/info.rules at line 1474
2/9/2021 -- 14:31:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/ja3.rules
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO MALWARE RogueSoftware.Win32.McAVG2011 Checkin"; flow:to_server,established; dsize:<257; content:"GET"; nocase; http_method; content:"/getvaliddays.php?smscode="; http_uri; nocase; content:"Accept|3A| text|2F|html|2C| |2A 2F 2A 0D 0A|Accept-Encoding|3A| identity|0D 0A|User-Agent|3A| "; nocase; http_header; content:!"|0A|Connection"; http_header; nocase; content:!"|0A|Content"; nocase; http_header; reference:url,www.blogs.paretologic.com/malwarediaries/index.php/2011/02/01/new-rogue-mcavg-copies-kaspersky-uniblue/; classtype:trojan-activity; sid:2801338; rev:3; metadata:created_at 2011_02_14, former_category ADWARE_PUP, updated_at 2011_02_14;)" from file /etc/suricata/rules/malware.rules at line 1110
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)" from file /etc/suricata/rules/malware.rules at line 1180
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Fake Adobe Update Download"; flow:established,to_client; content:"200"; http_stat_code; content:"filename=readerdc"; fast_pattern; http_header; nocase; pcre:"/(_[a-z]{2}){1,3}_[a-z]{3}_install\.exe/Ri"; content:!"Server|3a 20| Apache"; http_header; content:"Set-Cookie|3a 20|session="; http_header; classtype:trojan-activity; sid:2026734; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_08_31;)" from file /etc/suricata/rules/malware.rules at line 2484
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake Adobe Update Request"; flow:established,to_server; content:"GET"; http_method; content:"/en"; nocase; http_uri; content:"/reader/download/?installer=Reader_DC_20"; nocase; within:45; http_uri; pcre:"/\d{2}\.0\d{2}\.200\d{2}_English(?:_for)?_Windows/R"; content:!"get.adobe.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2026735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_08_31;)" from file /etc/suricata/rules/malware.rules at line 2486
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO MALWARE MSIL/Linkury Toolbar Activity"; flow:established,to_server; content:"POST"; http_method; content:"/StatisticsService.svc/V1/JSON/L"; http_uri; fast_pattern; pcre:"/^(ee|ogEvent)/R"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Cookie"; reference:md5,1d873bbb22a23951c5e53801d2a242ff; classtype:trojan-activity; sid:2829710; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_16, deployment Perimeter, former_category ADWARE_PUP, malware_family Linkury_Toolbar, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_01;)" from file /etc/suricata/rules/malware.rules at line 4098
2/9/2021 -- 14:31:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/phishing.rules
2/9/2021 -- 14:31:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /etc/suricata/rules/pop3rules
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus_func'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 502 (msg:"ETPRO SCADA_SPECIAL CONTROL MICROSYSTEMS (Event 24) View Device Status"; modbus_func:1; classtype:misc-activity; sid:2801018; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 44
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus_func'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 502 (msg:"ETPRO SCADA_SPECIAL CONTROL MICROSYSTEMS (Event 47) Device Poll All"; modbus_func:1; modbus_unit:0; classtype:misc-activity; sid:2801019; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 46
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus_func'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 502 (msg:"ETPRO SCADA_SPECIAL DIRECTLOGIC (Event 49) Request Controller ID"; flow:established; modbus_func:17; classtype:misc-activity; sid:2801055; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 48
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO SCADA_SPECIAL PROSOFT (Event 31) Reboot or Restart"; dnp3_cmd_fc:13; classtype:misc-activity; sid:2801096; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 50
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO SCADA_SPECIAL PROSOFT (Event 31) Reboot or Restart"; dnp3_cmd_fc:14; classtype:misc-activity; sid:2801097; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 52
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO SCADA_SPECIAL PROSOFT (Event 33)Change Date Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; dnp3_resp_ot:32; classtype:misc-activity; sid:2801098; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 54
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 20000 -> $HOME_NET any (msg:"ETPRO SCADA_SPECIAL PROSOFT (Event 33)Change Time Attempt"; dnp3_cmd_fc:2; dnp3_cmd_ot:50; dnp3_resp_ot:32; classtype:misc-activity; sid:2801099; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 56
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'cip_response'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 44818 -> $HOME_NET any (msg:"ETPRO SCADA_SPECIAL PROSOFT (Event 29)Software Upload"; flow:established; cip_service:79; cip_response:06; classtype:misc-activity; sid:2801103; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 58
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus_func'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 502 (msg:"ETPRO SCADA_SPECIAL PROSOFT (Event 49) Request Controller ID"; flow:established; modbus_func:17; classtype:misc-activity; sid:2801104; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 60
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'cip_response'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 44818 -> $HOME_NET any (msg:"ETPRO SCADA_SPECIAL ROCKWELL (Event 33)Change Date Attempt"; dsize:56; flow:established; cip_service:4; cip_response:00; content:"|010006|"; offset:50; depth:3; classtype:misc-activity; sid:2801112; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 72
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'cip_response'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 44818 -> $HOME_NET any (msg:"ETPRO SCADA_SPECIAL ROCKWELL (Event 32)Change Time Attempt"; dsize:56; flow:established; cip_service:4; cip_response:00; content:"|010006|"; offset:50; depth:3; classtype:misc-activity; sid:2801113; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 74
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 20000 (msg:"ETPRO SCADA_SPECIAL ROCKWELL (Event 24) View Device Status"; dnp3_cmd_fc:1; classtype:misc-activity; sid:2801122; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 92
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus_func'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 502 (msg:"ETPRO SCADA_SPECIAL ROCKWELL (Event 24) View Device Status"; flow:established; modbus_func:1; classtype:misc-activity; sid:2801123; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 94
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'modbus_func'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 502 (msg:"ETPRO SCADA_SPECIAL ROCKWELL (Event 24) View Device Status"; flow:established; modbus_func:2; classtype:misc-activity; sid:2801124; rev:1; metadata:created_at 2010_12_22, updated_at 2010_12_22;)" from file /etc/suricata/rules/scada_special.rules at line 96
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO SCADA_SPECIAL DNP3 Disable Unsolicited Responses"; dnp3_cmd_fc:21; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:attempted-dos; sid:2801694; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 100
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO SCADA_SPECIAL DNP3 Cold Restart From Authorized Client"; dnp3_cmd_fc:13; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:attempted-dos; sid:2801697; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 102
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO SCADA_SPECIAL DNP3 Unauthorized Read Request to a PLC"; dnp3_cmd_fc:1; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:bad-unknown; sid:2801699; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 104
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO SCADA_SPECIAL DNP3 Stop Application"; dnp3_cmd_fc:18; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:denial-of-service; sid:2801702; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 110
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO SCADA_SPECIAL DNP3 Warm Restart"; dnp3_cmd_fc:14; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:attempted-dos; sid:2801703; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 112
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Unauthorized Client"; flags:PA; cip_service:6; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:attempted-dos; sid:2801752; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 122
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Authorized Client"; flags:PA; cip_service:5; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:2801753; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 124
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Authorized Client"; flags:PA; cip_service:6; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:2801754; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 126
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Unlock PLC Attempt from Unauthorized Client"; flags:PA; cip_service:76; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801755; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 128
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Unlock PLC Attempt from Authorized Client"; flags:PA; cip_service:76; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801756; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 130
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Unauthorized Client"; flags:PA; cip_service:78; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801758; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 132
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Authorized Client"; flags:PA; cip_service:77; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801759; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 134
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Authorized Client"; flags:PA; cip_service:78; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801780; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 136
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Stop Detected from Unauthorized Client"; flowbits:isset,ktime; flags:PA; cip_service:7; flowbits:set,detstop; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:2801781; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 138
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Stop Detected from Authorized Client"; flowbits:isset,ktime; flags:PA; cip_service:7; flowbits:set,detstop; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:denial-of-service; sid:2801782; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 140
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Remote Mode Change Attempt from Unauthorized Client"; flowbits:isset,detstop; flags:PA; cip_service:76; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801783; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 142
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Remote Mode Change Attempt from Authorized Client"; flowbits:isset,detstop; flags:PA; cip_service:76; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801784; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 144
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Software Upload from Unauthorized Client"; flags:PA; cip_service:79; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801785; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 146
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Software Upload from Authorized Client"; flags:PA; cip_service:79; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801786; rev:1; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 148
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Reboot or Restart from Unauthorized Client"; flags:PA; cip_service:5; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:attempted-dos; sid:2801751; rev:5; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 150
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$ENIP_CLIENT 44818 -> $ENIP_SERVER any (msg:"ETPRO SCADA_SPECIAL ENIP/CIP Lock PLC Attempt from Unauthorized Client"; flags:PA; cip_service:77; reference:url,digitalbond.com/tools/quickdraw/ethernetip-rules; classtype:misc-attack; sid:2801757; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 152
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'dnp3_cmd_fc'.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (msg:"ETPRO SCADA_SPECIAL DNP3 Cold Restart From Unauthorized Client"; dnp3_cmd_fc:13; reference:url,digitalbond.com/tools/quickdraw/dnp3-rules; classtype:denial-of-service; sid:2801698; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)" from file /etc/suricata/rules/scada_special.rules at line 154
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 2011281 setup buffer file_data but didn't add matches to it
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; file_data; classtype:bad-unknown; sid:2011281; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)" from file /etc/suricata/rules/web_client.rules at line 84
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - http_method pattern with trailing space
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO WEB_CLIENT Microsoft Office Powerpoint Insecure Library Loading WebDAV PROPFIND pp7x32.dll"; flow:to_server; content:"PROPFIND|20|"; http_method; content:"pp7x32.dll"; http_uri; reference:cve,2010-3337; reference:secunia,41063; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-087.mspx; reference:cve,2011-3396; classtype:attempted-user; sid:2800968; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, affected_product MS_Office, affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2010_12_14, deployment Perimeter, signature_severity Minor, tag Web_Client_Attacks, tag Insecure_Library_Load, updated_at 2016_07_01;)" from file /etc/suricata/rules/web_client.rules at line 182
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use multiple distances for the same content.
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ETPRO WEB_CLIENT Malicious Cookie Monster Roulette JS Cookie Stealer Exfil"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"vbase="; depth:6; http_client_body; nocase; content:"&vhref=http"; http_client_body; nocase; distance:0; fast_pattern; content:"&vref="; http_client_body; nocase; distance:0; content:"&k="; http_client_body; nocase; distance:0; distance:0; content:"&t="; http_client_body; nocase; distance:0; content:"&tg="; http_client_body; nocase; distance:0; classtype:trojan-activity; sid:2838754; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_04, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Moderate, signature_severity Major, updated_at 2021_02_11;)" from file /etc/suricata/rules/web_client.rules at line 4265
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; fast_pattern:only; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/R"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/web_server.rules at line 546
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
2/9/2021 -- 14:31:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; content:"</script>"; fast_pattern:only; nocase; http_uri; flags:!R; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_20;)" from file /etc/suricata/rules/web_server.rules at line 1392
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS vBulletin Verify Email SQL Injection"; flow:to_server,established; content:"?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1"; http_uri; fast_pattern; pcre:"/(?:SELECT|WHERE|AND|OR|RLIKE)/Ri"; reference:url,www.exploit-db.com/exploits/35073/; classtype:attempted-admin; sid:2809076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_10_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_13;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7866
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS Centreon 2.5.3 and Below RCE"; flow:to_server,established; content:"POST"; http_method; urilen:1; content:"password="; http_client_body; depth:9; content:"&useralias="; http_client_body; fast_pattern; pcre:"/^[^\x26]*%5c/Ri"; reference:url,www.openwall.com/lists/oss-security/2014/11/28/2; classtype:attempted-admin; sid:2809253; rev:1; metadata:created_at 2014_12_01, updated_at 2020_05_14;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7880
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS PBBoard CMS SQLi CVE-2014-9215 1"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?page=register&checkemail=1"; http_uri; fast_pattern:only; content:"email="; http_client_body; depth:6; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)?[^&]*&ajax=1/Ri"; reference:url,www.exploit-db.com/exploits/35473/; reference:cve,CVE-2014-9215; classtype:attempted-admin; sid:2809290; rev:1; metadata:created_at 2014_12_08, updated_at 2020_09_28;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7886
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS PBBoard CMS SQLi CVE-2014-9215 2"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?page=forget&start=1"; http_uri; fast_pattern:only; content:"code="; http_client_body; depth:5; content:"email="; http_client_body; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)?[^&]*&submit_forget=Save/Ri"; reference:url,www.exploit-db.com/exploits/35473/; reference:cve,CVE-2014-9215; classtype:attempted-admin; sid:2809291; rev:1; metadata:created_at 2014_12_08, updated_at 2020_09_28;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7888
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS PBBoard CMS SQLi CVE-2014-9215 3"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?page=forget&send_active_code=1"; http_uri; fast_pattern:only; content:"code="; http_client_body; depth:5; content:"email="; http_client_body; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)?[^&]*&submit_active_code=Save/Ri"; reference:url,www.exploit-db.com/exploits/35473/; reference:cve,CVE-2014-9215; classtype:attempted-admin; sid:2809292; rev:1; metadata:created_at 2014_12_08, updated_at 2020_09_28;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7890
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS SP Client Document Manager WP Plugin SQLi"; flow:to_server,established; content:"POST"; http_method; content:"/sp-client-document-manager/ajax.php?function=email-vendor"; http_uri; fast_pattern:38,20; content:"vendor_email[]="; http_client_body; pcre:"/^.+(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)?/Ri"; reference:url,packetstormsecurity.com/files/129183/wpcmdownloadmanager-exec.txt; classtype:attempted-admin; sid:2809248; rev:2; metadata:created_at 2014_11_26, updated_at 2020_05_14;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7892
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pandora FMS SQLi"; flow:to_server,established; content:"POST"; http_method; content:"/pandora_console/mobile/index.php"; http_uri; content:"action=login"; http_client_body; fast_pattern; content:"user="; http_client_body; distance:0; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_sqli; classtype:attempted-admin; sid:2019903; rev:1; metadata:created_at 2014_12_09, updated_at 2020_05_14;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7896
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS Codiad LFI Attempt"; flow:to_server,established; content:"GET"; http_method; content:"filemanager/download.php?path="; http_uri; fast_pattern; pcre:"/[^\r\n&]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Rmi"; content:"&type="; http_uri; reference:url,packetstormsecurity.com/files/129667/codiad-xsslfi.txt; classtype:attempted-admin; sid:2809381; rev:1; metadata:created_at 2014_12_23, updated_at 2020_05_14;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7906
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS WP Theme LFI Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/themes/"; http_uri; fast_pattern:only; content:"download.php?file="; http_uri; pcre:"/[^&]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Ri"; reference:url,packetstormsecurity.net/1412-exploits/wptheme-download.txt; classtype:attempted-admin; sid:2809398; rev:1; metadata:created_at 2014_12_30, updated_at 2020_09_29;)" from file /etc/suricata/rules/web_specific_apps.rules at line 7912
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS Possible WP Comments XSS (DOM Event Name in Comment)"; flow:established,to_server; content:"POST"; http_method; content:"wp-comments-post.php"; http_uri; fast_pattern:only; content:"author="; http_client_body; content:"comment="; http_client_body; pcre:"/^[^&]*on(?:d(?:r(?:ag(?:en(?:ter|d)|leave|start|over)?|op)|blclick)|mouse(?:o(?:ver|ut)|down|move|up)|s(?:(?:elec|ubmi)t|croll)|key(?:press|down|up)|c(?:hange|lick)|(?:erro|blu)r|res(?:ize|et)|(?:un)?load|abort|focus)\s*=/Ri"; reference:url,packetstormsecurity.com/files/129205/WordPress-3.9.2-Cross-Site-Scripting.html; classtype:bad-unknown; sid:2810808; rev:2; metadata:created_at 2015_04_27, updated_at 2020_09_30;)" from file /etc/suricata/rules/web_specific_apps.rules at line 8034
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ETPRO WEB_SPECIFIC_APPS Joomla 3.6.4 Add User Exploit With PrivEsc"; flow:established,to_server; content:".php?"; http_uri; content:"option=com_users"; http_uri; content:"task=user.register"; http_uri; fast_pattern:only; content:"com_users"; http_client_body; content:"user.register"; http_client_body; content:"user["; http_client_body; pcre:"/\s*groups\s*\x5d/Ri"; reference:url,medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2; classtype:web-application-attack; sid:2822952; rev:1; metadata:affected_product Joomla, attack_target Web_Server, created_at 2016_10_27, deployment Datacenter, signature_severity Major, updated_at 2020_10_07;)" from file /etc/suricata/rules/web_specific_apps.rules at line 8144
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kibana Attempted LFI Exploitation (CVE-2018-17246)"; flow:established,to_server; content:"GET"; http_method; content:"/api/console/api_server?sense_version="; http_uri; depth:38; fast_pattern; content:"SENSE_VERSION&apis="; http_uri; pcre:"/^(?:\.\.\/){2,}/Rs"; reference:url,www.bleepingcomputer.com/news/security/file-inclusion-bug-in-kibana-console-for-elasticsearch-gets-exploit-code/; classtype:attempted-user; sid:2026739; rev:3; metadata:attack_target Web_Server, created_at 2018_12_19, cve 2018_17246, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)" from file /etc/suricata/rules/web_specific_apps.rules at line 8380
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; content:"POST"; http_method; content:"application/x-httpd-php"; http_client_body; fast_pattern:only; content:"Content-Disposition|3a 20|form-data|3b 20|"; http_client_body; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application\/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_11_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_19;)" from file /etc/suricata/rules/web_specific_apps.rules at line 8396
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceding match in the same buffer
2/9/2021 -- 14:31:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882)"; flow:established,to_server; content:"POST"; http_method; content:"console.portal"; http_uri; content:".sh.ShellSession"; http_client_body; fast_pattern; pcre:"/^(?:\x28|%28)/R"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031185; rev:3; metadata:created_at 2020_11_05, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_12_04;)" from file /etc/suricata/rules/web_specific_apps.rules at line 11648
2/9/2021 -- 14:31:05 - <Info> - 50 rule files processed. 44031 rules successfully loaded, 94 rules failed
2/9/2021 -- 14:31:05 - <Info> - Threshold config parsed: 0 rule(s) found
2/9/2021 -- 14:31:06 - <Info> - 44068 signatures processed. 308 are IP-only rules, 12500 are inspecting packet payload, 26715 inspect application layer, 0 are decoder event only
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.GenericPhish_Adobe' is checked but not set. Checked in 2023048 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.request.js' is checked but not set. Checked in 2835832 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'etpro.clsid.detected' is checked but not set. Checked in 2011252 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.quick.time.ua' is checked but not set. Checked in 2800278 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.IESHIMS.insecure.dll' is checked but not set. Checked in 2801447 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.mso.insecure.dll' is checked but not set. Checked in 2801461 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'WAB32RES.insecure.dll' is checked but not set. Checked in 2801485 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'WINTAB32.insecure.dll' is checked but not set. Checked in 2801509 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'AIRES.insecure.dll' is checked but not set. Checked in 2801521 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'PP7X32.insecure.dll' is checked but not set. Checked in 2801527 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'PP4X322.insecure.dll' is checked but not set. Checked in 2801533 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'MSAPSSPC.insecure.dll' is checked but not set. Checked in 2801539 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'SCHANNEL.insecure.dll' is checked but not set. Checked in 2801545 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'MEASURE.insecure.dll' is checked but not set. Checked in 2801569 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'NLSXBE.insecure.dll' is checked but not set. Checked in 2801581 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'IBFS32.insecure.dll' is checked but not set. Checked in 2801587 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'COREGRAPHICS.insecure.dll' is checked but not set. Checked in 2801593 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RDC.insecure.dll' is checked but not set. Checked in 2801469 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.Banker_bjxx_flag' is checked but not set. Checked in 2802062 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.ehtrace.insecure.dll' is checked but not set. Checked in 2801455 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'MFC71LOC.insecure.dll' is checked but not set. Checked in 2803138 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.hotspot_compiler' is checked but not set. Checked in 2803292 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'realplayer.playlist' is checked but not set. Checked in 2102438 and 2 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BIDLAB.insecure.dll' is checked but not set. Checked in 2803413 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'PP4X32.insecure.dll' is checked but not set. Checked in 2804134 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'peerdist.insecure.dll' is checked but not set. Checked in 2804140 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'SMMSCRPT.insecure.dll' is checked but not set. Checked in 2801497 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'MSOERES.insecure.dll' is checked but not set. Checked in 2801479 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'FVEAPI.insecure.dll' is checked but not set. Checked in 2801491 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'MSXML.insecure.dll' is checked but not set. Checked in 2801503 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'IACENC.insecure.dll' is checked but not set. Checked in 2801605 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'MSNSSPC.insecure.dll' is checked but not set. Checked in 2801557 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'DIGEST.insecure.dll' is checked but not set. Checked in 2801551 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'DWMAPI.insecure.dll' is checked but not set. Checked in 2801515 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'NNOTESWC.insecure.dll' is checked but not set. Checked in 2801575 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.NetServEnum3' is checked but not set. Checked in 2805319 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.W32Autorun.worm.aa' is checked but not set. Checked in 2804545 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.Agent.afag' is checked but not set. Checked in 2807720 and 1 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.Worm.AutoIt_Renocide' is checked but not set. Checked in 2806884 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.GenericPhish_Excel' is checked but not set. Checked in 2023046 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Parallax-9' is checked but not set. Checked in 2842221 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'http.download.midi' is checked but not set. Checked in 2800702 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.Trojan.HackerTool' is checked but not set. Checked in 2801403 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'BE.Radmin.Challenge' is checked but not set. Checked in 2003480 and 0 other sigs
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001689: SYN-only to port(s) 3306:3306 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002729: SYN-only to port(s) 12975:12975 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2806561: SYN-only to port(s) 443:443 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001219: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001553: SYN-only to port(s) 443:443 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002910: SYN-only to port(s) 5800:5820 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002911: SYN-only to port(s) 5900:5920 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2003068: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2019404: SYN-only to port(s) 0:1023 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2100503: SYN-only to port(s) 0:1023 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2100504: SYN-only to port(s) 0:1023 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2100615: SYN-only to port(s) 1080:1080 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001569: SYN-only to port(s) 445:445 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001579: SYN-only to port(s) 139:139 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001580: SYN-only to port(s) 137:137 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001581: SYN-only to port(s) 135:135 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001582: SYN-only to port(s) 1434:1434 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001583: SYN-only to port(s) 1433:1433 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001904: SYN-only to port(s) 23:23 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2001972: SYN-only to port(s) 3389:3389 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002973: SYN-only to port(s) 3127:3127 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002992: SYN-only to port(s) 110:110 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002993: SYN-only to port(s) 995:995 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002994: SYN-only to port(s) 143:143 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2002995: SYN-only to port(s) 993:993 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2008230: SYN-only to port(s) 23:23 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2013479: SYN-only to port(s) 3389:3389 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:06 - <Warning> - [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2016763: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction
2/9/2021 -- 14:31:09 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to find the sm in any of the sm lists
2/9/2021 -- 14:31:09 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to find the sm in any of the sm lists
2/9/2021 -- 14:31:09 - <Info> - Running in live mode, activating unix socket
2/9/2021 -- 14:31:09 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
2/9/2021 -- 14:31:09 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
2/9/2021 -- 14:31:09 - <Info> - All AFP capture threads are running.