@pmueller
The broken DNS problem was caused by an incorrect modification by my ISP.
But now that it has been resolved, there remains the problem of unreachable domains if IDS is active.
The ipfire.org domain is one of the domains blocked by IDS.
This is the log from when IPFire was powered on to when IDS was disabled in order to write this message.
|Time|Process|Message|
|---|---|---|
|09:27:29|suricata:|This is Suricata version 5.0.2 RELEASE running in SYSTEM mode|
|09:27:30|suricata:|[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active|
|09:27:30|suricata:|all 2 packet processing threads, 2 management threads initialized, engine started.|
|09:27:30|suricata:|rule reload starting|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /var/lib/suricata/community.rules at line 2594|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /var/lib/suricata/community.rules at line 2631|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /var/lib/suricata/community.rules at line 2835|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)" from file /var/lib/suricata/community.rules at line 2915|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:2;)" from file /var/lib/suricata/community.rules at line 3109|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:2;)" from file /var/lib/suricata/community.rules at line 3110|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; r|
|09:27:30|suricata:|[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)" from file /var/lib/suricata/community.rules at line 3522|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /var/lib/suricata/community.rules at line 3584|
|09:27:31|suricata:|[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,1,1,relative,little,bitmask 0x8000|
|09:27:31|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)" from file /var/lib/suricata/community.rules at line 3861|
|09:27:31|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:31|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"NSC_USER:"; http_raw_header; content:"../"; within:10; http_raw_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:52620; rev:1;)" from file /var/lib/suricata/community.rules at line 3927|
|09:27:31|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 27085 and 0 other sigs|
|09:27:31|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip' is checked but not set. Checked in 30567 and 0 other sigs|
|09:27:31|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'qlogic_default_ftp' is checked but not set. Checked in 31830 and 0 other sigs|
|09:27:31|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'hawk.lgr' is checked but not set. Checked in 33222 and 1 other sigs|
|09:27:31|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.rtf' is checked but not set. Checked in 38580 and 5 other sigs|
|09:27:31|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.ole' is checked but not set. Checked in 46436 and 3 other sigs|
|09:27:36|suricata:|rule reload complete|
|09:27:36|suricata:|Signature(s) loaded, Detect thread(s) activated.|
|10:19:08|suricata:|Signal Received. Stopping engine.|
|10:19:09|suricata:|(W-NFQ#0) Treated: Pkts 78287, Bytes 19897780, Errors 0|
|10:19:09|suricata:|(W-NFQ#0) Verdict: Accepted 75117, Dropped 3170, Replaced 0|
|10:19:09|suricata:|(W-NFQ#1) Treated: Pkts 36794, Bytes 2550250, Errors 0|
|10:19:09|suricata:|(W-NFQ#1) Verdict: Accepted 36684, Dropped 110, Replaced 0|
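The log above is Suricata's engine log, which answers two questions at a glance only if you pick them out of the wall of text: which signatures were refused at load time (and why), and how many packets each NFQUEUE worker actually dropped. The following Python is an added example written for this page, not IPFire's or Suricata's own code; it parses lines in the three-column layout the forum's log viewer produced, pairs each "error parsing signature" line with the reason Suricata logs on the line just before it, and totals the drop verdicts. The sample lines are abridged copies of lines from the post, with `...` standing in for elided rule options. One caveat worth keeping in mind when reading the output: a signature that fails to parse is never loaded, so the parse errors cannot be what blocked ipfire.org; the 3170 and 110 drops come from rules that did load, and which rule fired is recorded only in Suricata's alert output (fast.log / eve.json), not here.

```python
"""Triage a Suricata engine log in the "|time|process|message|" layout.

Added example, not IPFire's or Suricata's code. Lists signatures Suricata
refused to load (with the reason logged just before each) and sums the
NFQUEUE drop verdicts. It does not say which loaded rule dropped traffic;
that lives in Suricata's alert output, not in this log.
"""
import re
from collections import Counter

# Constructed sample: abridged copies of lines from the post; "..." marks
# rule options left out to keep the example short.
SAMPLE_LOG = r"""
|09:27:29|suricata:|This is Suricata version 5.0.2 RELEASE running in SYSTEM mode|
|09:27:30|suricata:|[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active|
|09:27:30|suricata:|rule reload starting|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; ...; sid:26470; rev:2;)" from file /var/lib/suricata/community.rules at line 2594|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; ...; sid:32607; rev:2;)" from file /var/lib/suricata/community.rules at line 3109|
|09:27:30|suricata:|[ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000|
|09:27:30|suricata:|[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; ...; byte_test:2,=,0,1,relative,little,bitmask 0x8000; ...; sid:43004; rev:5;)" from file /var/lib/suricata/community.rules at line 3522|
|09:27:31|suricata:|[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.jar' is checked but not set. Checked in 27085 and 0 other sigs|
|09:27:36|suricata:|rule reload complete|
|10:19:09|suricata:|(W-NFQ#0) Verdict: Accepted 75117, Dropped 3170, Replaced 0|
|10:19:09|suricata:|(W-NFQ#1) Verdict: Accepted 36684, Dropped 110, Replaced 0|
"""

# The message column may itself contain "|" (hex content like |0D 0A|),
# so only the first two columns are matched greedily-free.
LINE_RE = re.compile(r"^\|(?P<time>[^|]+)\|(?P<proc>[^|]+)\|(?P<msg>.*)\|$")
ERR_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - (?P<text>.*)$")
SIG_RE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"sid:(?P<sid>\d+);")
MSG_RE = re.compile(r'msg:"(?P<msg>[^"]*)"')
FLOWBIT_RE = re.compile(r"flowbit '(?P<name>[^']+)' is checked but not set")
VERDICT_RE = re.compile(r"^\((?P<queue>W-NFQ#\d+)\) Verdict: Accepted (?P<acc>\d+), Dropped (?P<drop>\d+), Replaced (?P<rep>\d+)$")


def parse_line(line):
    """Classify one log line; returns None for lines that are not Suricata's."""
    m = LINE_RE.match(line.strip())
    if not m or m["proc"].strip() != "suricata:":
        return None
    msg = m["msg"].strip()
    v = VERDICT_RE.match(msg)
    if v:
        return {"kind": "verdict", "queue": v["queue"], "accepted": int(v["acc"]),
                "dropped": int(v["drop"]), "replaced": int(v["rep"])}
    e = ERR_RE.match(msg)
    if not e:
        return {"kind": "info", "text": msg}
    rec = {"kind": "error", "code": e["code"], "text": e["text"]}
    s = SIG_RE.match(e["text"])
    if s:
        sid = SID_RE.search(s["rule"])
        name = MSG_RE.search(s["rule"])
        rec.update(kind="bad_signature", sid=int(sid["sid"]) if sid else None,
                   msg=name["msg"] if name else "", file=s["file"], line=int(s["line"]))
    f = FLOWBIT_RE.search(e["text"])
    if f:
        rec.update(kind="flowbit_unset", flowbit=f["name"])
    return rec


def summarize(lines):
    """Failed signatures (with the reason logged before each), error-code
    counts, unset flowbits, per-queue verdicts and the overall drop rate."""
    out = {"failed": [], "errors": Counter(), "flowbits": [], "queues": {}}
    last_reason = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] == "info":
            continue
        if rec["kind"] == "verdict":
            out["queues"][rec["queue"]] = rec
            continue
        out["errors"][rec["code"]] += 1
        if rec["kind"] == "bad_signature":
            out["failed"].append({"sid": rec["sid"], "msg": rec["msg"], "file": rec["file"],
                                  "line": rec["line"], "reason": last_reason})
            last_reason = None
        elif rec["kind"] == "flowbit_unset":
            out["flowbits"].append(rec["flowbit"])
        else:
            # Suricata logs the reason first, then the signature it rejected.
            last_reason = rec["text"]
    accepted = sum(q["accepted"] for q in out["queues"].values())
    dropped = sum(q["dropped"] for q in out["queues"].values())
    out["dropped_total"] = dropped
    out["drop_rate"] = dropped / (accepted + dropped) if accepted + dropped else 0.0
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for f in s["failed"]:
        print(f'sid {f["sid"]} ({f["msg"]}) at {f["file"]}:{f["line"]}: {f["reason"]}')
    print(dict(s["errors"]))
    print(f'dropped {s["dropped_total"]} packets ({s["drop_rate"]:.2%})')
```

Run against the full log from the post, the "failed" list is the set of community.rules entries to report upstream (they are Snort-syntax constructs Suricata 5 rejects), while the verdict totals show the IPS is dropping a few percent of all packets; to find out which loaded rule is doing that for ipfire.org, the next file to read is the alert log, not this one.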