I got my new PC ready for IPFire and wanted to move the old installation to the new PC. I thought it would be the easiest solution to create a backup ISO and install it onto the new machine. I did that and the setup worked fine, but afterwards I encountered several problems:
I did several restarts of the PC with no effect.
1. DHCP + proxy server
After I reassigned the interfaces to their networks there were no error messages anymore, but the services didn't work. This is what I did to get them working again:
- uncheck the checkboxes / deactivate the services in the web UI, then save and restart the service
- check the checkboxes / activate the services in the web UI again, then save and restart the service
2. Cache manager
The checkbox was unchecked (earlier it was checked).
3. "Provide time to the local network" (web UI option "Uhrzeit dem lokalen Netzwerk zur Verfügung stellen")
This was unchecked (earlier it was checked).
4. GeoIP list
The list is empty, but it was configured before.
5. System log options
"latest" is missing (there is just "older" and "newer", but no "latest" to get to the last page).
6. Unbound
I'm getting lots of info log entries that I didn't get before. Here is an extract from after the last restart:
```text
10:37:34 | unbound: [12891:0] | info: service stopped (unbound 1.9.5).
10:37:34 | unbound: [12891:0] | info: server stats for thread 0: 61 queries, 24 answers from cache, 37 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 0: requestlist max 1 avg 0.0810811 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 0.051813 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=0.009216 median[50%]=0.0418702 [75%]=0.0835584
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 9
10:37:34 | unbound: [12891:0] | info: 0.008192 0.016384 2
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 5
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 9
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 10
10:37:34 | unbound: [12891:0] | info: 0.131072 0.262144 1
10:37:34 | unbound: [12891:0] | info: 0.262144 0.524288 1
10:37:34 | unbound: [12891:0] | info: server stats for thread 1: 46 queries, 13 answers from cache, 33 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 1: requestlist max 1 avg 0.0909091 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 1.206269 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=0.0239909 median[50%]=0.049152 [75%]=0.106496
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 4
10:37:34 | unbound: [12891:0] | info: 0.008192 0.016384 1
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 7
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 9
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 6
10:37:34 | unbound: [12891:0] | info: 0.131072 0.262144 2
10:37:34 | unbound: [12891:0] | info: 0.262144 0.524288 1
10:37:34 | unbound: [12891:0] | info: 4.000000 8.000000 1
10:37:34 | unbound: [12891:0] | info: 8.000000 16.000000 1
10:37:34 | unbound: [12891:0] | info: 16.000000 32.000000 1
10:37:34 | unbound: [12891:0] | info: server stats for thread 2: 36 queries, 20 answers from cache, 16 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 2: requestlist max 2 avg 0.6875 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 6.676204 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=1e-06 median[50%]=4 [75%]=16
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 4
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 3
10:37:34 | unbound: [12891:0] | info: 2.000000 4.000000 1
10:37:34 | unbound: [12891:0] | info: 4.000000 8.000000 3
10:37:34 | unbound: [12891:0] | info: 8.000000 16.000000 1
10:37:34 | unbound: [12891:0] | info: 16.000000 32.000000 4
10:37:34 | unbound: [12891:0] | info: server stats for thread 3: 26 queries, 15 answers from cache, 11 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 3: requestlist max 2 avg 0.454545 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 3.665904 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=9.16667e-07 median[50%]=0.0600747 [75%]=0.16384
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 3
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 3
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 2
10:37:34 | unbound: [12891:0] | info: 0.131072 0.262144 1
10:37:34 | unbound: [12891:0] | info: 16.000000 32.000000 2
10:37:34 | unbound: [12891:0] | info: server stats for thread 4: 25 queries, 16 answers from cache, 9 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 4: requestlist max 1 avg 0.111111 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 0.039016 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=4.5e-07 median[50%]=9e-07 [75%]=0.057344
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 5
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 1
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 1
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 1
10:37:34 | unbound: [12891:0] | info: 0.131072 0.262144 1
10:37:34 | unbound: [12891:0] | info: server stats for thread 5: 26 queries, 16 answers from cache, 10 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 5: requestlist max 1 avg 0.1 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 0.012444 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=3.57143e-07 median[50%]=7.14286e-07 [75%]=0.024576
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 7
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 1
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 2
10:37:34 | unbound: [12891:0] | info: server stats for thread 6: 23 queries, 20 answers from cache, 3 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 6: requestlist max 0 avg 0 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 0.000000 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=0 median[50%]=0 [75%]=0
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 3
10:37:34 | unbound: [12891:0] | info: server stats for thread 7: 21 queries, 14 answers from cache, 7 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 7: requestlist max 1 avg 0.142857 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 0.048243 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=5.83333e-07 median[50%]=0.012288 [75%]=0.147456
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 3
10:37:34 | unbound: [12891:0] | info: 0.008192 0.016384 1
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 1
10:37:34 | unbound: [12891:0] | info: 0.131072 0.262144 2
10:37:34 | unbound: [12891:0] | info: server stats for thread 8: 40 queries, 26 answers from cache, 14 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 8: requestlist max 0 avg 0 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 0.019508 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=5e-07 median[50%]=1e-06 [75%]=0.03072
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 7
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 4
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 2
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 1
10:37:34 | unbound: [12891:0] | info: server stats for thread 9: 24 queries, 14 answers from cache, 10 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 9: requestlist max 1 avg 0.6 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 8.511465 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=0.012288 median[50%]=0.131072 [75%]=22
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 2
10:37:34 | unbound: [12891:0] | info: 0.008192 0.016384 1
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 2
10:37:34 | unbound: [12891:0] | info: 8.000000 16.000000 1
10:37:34 | unbound: [12891:0] | info: 16.000000 32.000000 4
10:37:34 | unbound: [12891:0] | info: server stats for thread 10: 30 queries, 15 answers from cache, 15 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 10: requestlist max 1 avg 0.266667 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 5.682560 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=7.5e-07 median[50%]=0.057344 [75%]=17
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 5
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 1
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 2
10:37:34 | unbound: [12891:0] | info: 0.065536 0.131072 2
10:37:34 | unbound: [12891:0] | info: 8.000000 16.000000 1
10:37:34 | unbound: [12891:0] | info: 16.000000 32.000000 4
10:37:34 | unbound: [12891:0] | info: server stats for thread 11: 33 queries, 18 answers from cache, 15 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34 | unbound: [12891:0] | info: server stats for thread 11: requestlist max 1 avg 0.2 exceeded 0 jostled 0
10:37:34 | unbound: [12891:0] | info: average recursion processing time 0.562806 sec
10:37:34 | unbound: [12891:0] | info: histogram of recursion processing times
10:37:34 | unbound: [12891:0] | info: [25%]=7.5e-07 median[50%]=0.0300373 [75%]=0.147456
10:37:34 | unbound: [12891:0] | info: lower(secs) upper(secs) recursions
10:37:34 | unbound: [12891:0] | info: 0.000000 0.000001 5
10:37:34 | unbound: [12891:0] | info: 0.016384 0.032768 3
10:37:34 | unbound: [12891:0] | info: 0.032768 0.065536 3
10:37:34 | unbound: [12891:0] | info: 0.131072 0.262144 2
10:37:34 | unbound: [12891:0] | info: 1.000000 2.000000 1
10:37:34 | unbound: [12891:0] | info: 4.000000 8.000000 1
10:38:54 | unbound: [2007:0] | notice: init module 0: validator
10:38:54 | unbound: [2007:0] | notice: init module 1: iterator
10:38:54 | unbound: [2007:0] | info: start of service (unbound 1.9.5).
10:42:51 | unbound: [2007:5] | info: generate keytag query _ta-4a5c-4f66. NULL IN
```
7. IPS
I haven't had these error log entries before. Here is an extract from after the last restart:
```text
10:42:52 | suricata: | This is Suricata version 4.1.5 RELEASE
10:42:52 | suricata: | [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
10:42:52 | suricata: | all 12 packet processing threads, 2 management threads initialized, engine started.
10:42:52 | suricata: | rule reload starting
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)" from file /var/lib/suricata/community.rules at line 2544
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/community.rules at line 2594
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /var/lib/suricata/community.rules at line 2631
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /var/lib/suricata/community.rules at line 2684
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)" from file /var/lib/suricata/community.rules at line 2819
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /var/lib/suricata/community.rules at line 2820
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /var/lib/suricata/community.rules at line 2835
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /var/lib/suricata/community.rules at line 2911
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /var/lib/suricata/community.rules at line 2915
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /var/lib/suricata/community.rules at line 3109
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)" from file /var/lib/suricata/community.rules at line 3110
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /var/lib/suricata/community.rules at line 3180
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)" from file /var/lib/suricata/community.rules at line 3185
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562;
10:42:52 | suricata: | [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)" from file /var/lib/suricata/community.rules at line 3522
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /var/lib/suricata/community.rules at line 3584
10:42:52 | suricata: | [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,1,1,relative,little,bitmask 0x8000
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)" from file /var/lib/suricata/community.rules at line 3861
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"NSC_USER:"; http_raw_header; content:"../"; within:10; http_raw_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:52620; rev:1;)" from file /var/lib/suricata/community.rules at line 3927
10:42:54 | suricata: | rule reload complete
10:42:54 | suricata: | Signature(s) loaded, Detect thread(s) activated.
```
8. iptables
I'm also getting iptables errors on startup for all my custom rules. I can't find any log for that in the web UI!
9. DNSSEC
"DNSSEC has been disabled" ("DNSSEC wurde deaktiviert") wasn't shown before.
10. Setup menu: missing strings
All in all, it's much worse than expected, and it looks like it's not a good idea to do what I just did.
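The two log extracts in this post (the Unbound per-thread statistics under point 6 and the Suricata rule-reload errors under point 7) are easier to act on once they are reduced to a short list: which resolver threads are spending seconds per recursion, and which signatures the IPS silently dropped. The script below is an added example, not code from the post, from IPFire or from Suricata; it assumes the `time|program|message` line layout the web UI log pages show, and it relies on the observed Suricata 4.1.5 pattern where the reason line is logged immediately before the matching `error parsing signature` line. The `SAMPLE_LOG` is constructed from a few of the lines above with shortened rule bodies, and `slow_threshold` is an arbitrary value chosen for the example.

```python
import re

# Constructed sample: lines taken from the post above with the web UI table
# reduced to "time|program|message"; rule bodies are shortened, sids, CVE
# reference and file line numbers are the ones Suricata logged.
SAMPLE_LOG = """\
10:37:34|unbound: [12891:0]|info: server stats for thread 0: 61 queries, 24 answers from cache, 37 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34|unbound: [12891:0]|info: average recursion processing time 0.051813 sec
10:37:34|unbound: [12891:0]|info: server stats for thread 2: 36 queries, 20 answers from cache, 16 recursions, 0 prefetch, 0 rejected by ip ratelimiting
10:37:34|unbound: [12891:0]|info: average recursion processing time 6.676204 sec
10:42:52|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-"; within:1; sid:26470; rev:2;)" from file /var/lib/suricata/community.rules at line 2594
10:42:52|suricata: |[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
10:42:52|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; byte_test:2,=,0,1,relative,little,bitmask 0x8000; reference:cve,2017-7494; classtype:attempted-user; sid:43004; rev:5;)" from file /var/lib/suricata/community.rules at line 3522
10:42:52|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
10:42:52|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; sid:38562;
10:42:54|suricata: |rule reload complete
"""

STATS_RE = re.compile(r"server stats for thread (\d+): (\d+) queries, (\d+) answers from cache, (\d+) recursions")
AVG_RE = re.compile(r"average recursion processing time ([\d.]+) sec")
ERR_RE = re.compile(r"\[ERRCODE: (\w+)\(\d+\)\] - (.*)")
FILE_RE = re.compile(r'" from file (\S+) at line (\d+)$')
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"sid:(\d+);")
CVE_RE = re.compile(r"reference:cve,([\w-]+)")
SIG_PREFIX = 'error parsing signature "'


def parse_log(text):
    """Yield (time, program, message); maxsplit=2 keeps the pipes inside
    Suricata hex content matches such as |0D 0A| intact."""
    for raw in text.splitlines():
        parts = raw.split("|", 2)
        if len(parts) == 3:
            yield parts[0], parts[1].strip(), parts[2]


def unbound_thread_stats(text, slow_threshold=1.0):
    """Cache hit ratio and average recursion time per unbound thread, taken
    from the statistics logged at shutdown. Threads at or above
    slow_threshold seconds per recursion are flagged: that points at slow
    upstream resolution or connectivity, not at a local config error."""
    stats, current = {}, None
    for _, prog, msg in parse_log(text):
        if not prog.startswith("unbound"):
            continue
        m = STATS_RE.search(msg)
        if m:
            current = int(m.group(1))
            queries, cached, recursions = (int(x) for x in m.group(2, 3, 4))
            stats[current] = {"queries": queries, "recursions": recursions,
                              "cache_hit_ratio": round(cached / queries, 3) if queries else 0.0,
                              "avg_recursion_sec": None, "slow": False}
            continue
        m = AVG_RE.search(msg)
        if m and current is not None:  # the average line follows its thread's stats line
            avg = float(m.group(1))
            stats[current].update(avg_recursion_sec=avg, slow=avg >= slow_threshold)
    return stats


def suricata_failed_signatures(text):
    """Every signature Suricata refused to load, paired with the reason it
    logged on the preceding line. A rule that fails to parse is simply
    absent from detection, so this list is the coverage gap after a reload."""
    failures, pending = [], None
    for _, prog, msg in parse_log(text):
        if not prog.startswith("suricata"):
            continue
        m = ERR_RE.search(msg)
        if not m:
            continue
        code, detail = m.groups()
        if not detail.startswith(SIG_PREFIX):
            pending = (code, detail)  # reason line; the rule itself follows
            continue
        body = detail[len(SIG_PREFIX):]
        loc = FILE_RE.search(body)
        if loc:
            rule, path, line_no = body[:loc.start()], loc.group(1), int(loc.group(2))
        else:  # log line cut off before "from file", as with sid 38562 above
            rule, path, line_no = body.rstrip('"'), None, None
        sid, msg_m = SID_RE.search(rule), MSG_RE.search(rule)
        failures.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg_m.group(1) if msg_m else "",
            "cves": CVE_RE.findall(rule),
            "file": path, "line": line_no,
            "reason_code": pending[0] if pending else code,
            "reason": pending[1] if pending else "unknown",
        })
        pending = None
    return failures


if __name__ == "__main__":
    for tid, s in sorted(unbound_thread_stats(SAMPLE_LOG).items()):
        flag = "  <- slow" if s["slow"] else ""
        print(f"unbound thread {tid}: hit ratio {s['cache_hit_ratio']}, avg recursion {s['avg_recursion_sec']}s{flag}")
    for f in suricata_failed_signatures(SAMPLE_LOG):
        where = f"{f['file']}:{f['line']}" if f["file"] else "(location truncated)"
        print(f"sid {f['sid']} {f['cves'] or ''} {where}: {f['reason_code']} - {f['msg']}")
```

Run against a full extract, the Suricata list is what to compare against the ruleset you expect to be active; entries carrying a `reference:cve` (sid 43004 and 49090 for CVE-2017-7494, sid 52620 for CVE-2019-19781 in the post) are the ones worth checking first, because their absence means that exposure is not being watched. The fast_pattern:only and sticky-buffer reasons are rule-syntax incompatibilities between the community ruleset and Suricata 4.1.5, not a sign of a broken install.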