
3016011 load error #3

Closed
lrvy opened this issue Aug 1, 2019 · 2 comments

Comments

lrvy (Contributor) commented Aug 1, 2019

1/8/2019 -- 11:15:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 3016011 setup buffer http_response_line but didn't add matches to it
1/8/2019 -- 11:15:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"CobatlStrikt team servers 200 OK Space"; flow:from_server,established; content:"200"; http_stat_code; content:"HTTP/1.1 200 OK|20|"; http_response_line; threshold: type both, track by_src, count 3, seconds 60; reference:url,blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/; sid:3016011; rev:1; metadata:created_at 2019_02_27,by al0ne;)" from file /var/lib/suricata/rules/suricata.rules at line 9951

Version: suricata V4.14
I took a quick look and it seems there is an extra http_response_line; after removing it the error no longer appears. However, since my skills are limited and I am not very familiar with Snort syntax, I would appreciate it if you could double-check.
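The error above is the load-time check Suricata applies to sticky buffers: once a sticky buffer such as http_response_line is named, it applies to the content/pcre keywords that follow it, so a buffer with nothing after it is rejected. The following script, added here as an illustration and not part of this ruleset or of Suricata, parses the option block of the rule quoted in the log and reports every sticky buffer that has no subsequent match (it goes slightly beyond Suricata's own message, which reports only the last buffer). The set of sticky-buffer names and the reordered variant of the rule are assumptions based on the Suricata 4.x documentation, not changes taken from the repository.

```python
"""Sticky-buffer sanity check for Suricata rule options (added example).

Parses the option block of a rule into (keyword, value) pairs and flags any
sticky buffer that is set up but not followed by a content/pcre match, which
is what triggers "setup buffer ... but didn't add matches to it" at load time.
"""
from __future__ import annotations

# Assumption: these keywords are sticky buffers in Suricata 4.x (per its docs).
# A sticky buffer applies to the content/pcre keywords that FOLLOW it.
STICKY_BUFFERS = {"http_request_line", "http_response_line", "file_data"}
MATCH_KEYWORDS = {"content", "pcre"}


def parse_options(rule: str) -> list[tuple[str, str | None]]:
    """Return the rule's options as (keyword, value) pairs.

    Keywords without a value (e.g. http_stat_code) get value None.
    ';' and ':' inside double-quoted values are kept, e.g. content:"a;b".
    """
    start, end = rule.index("("), rule.rindex(")")
    body = rule[start + 1:end]
    options: list[tuple[str, str | None]] = []
    buf: list[str] = []
    in_quotes = False

    def flush() -> None:
        opt = "".join(buf).strip()
        if opt:
            kw, sep, val = opt.partition(":")
            options.append((kw.strip(), val.strip() if sep else None))
        buf.clear()

    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quotes and i + 1 < len(body):
            buf.append(body[i:i + 2])  # keep escaped char inside quotes
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return options


def empty_sticky_buffers(rule: str) -> list[str]:
    """Return names of sticky buffers that are not followed by a match keyword."""
    problems: list[str] = []
    pending: str | None = None  # sticky buffer still waiting for a match
    for kw, _ in parse_options(rule):
        if kw in STICKY_BUFFERS:
            if pending is not None:
                problems.append(pending)
            pending = kw
        elif kw in MATCH_KEYWORDS and pending is not None:
            pending = None
    if pending is not None:
        problems.append(pending)
    return problems


# The rule exactly as quoted in the error message above.
RULE_FROM_ISSUE = (
    'alert http any any -> any any (msg:"CobatlStrikt team servers 200 OK Space"; '
    'flow:from_server,established; content:"200"; http_stat_code; '
    'content:"HTTP/1.1 200 OK|20|"; http_response_line; '
    'threshold: type both, track by_src, count 3, seconds 60; '
    'reference:url,blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/; '
    'sid:3016011; rev:1; metadata:created_at 2019_02_27,by al0ne;)'
)

# Assumed reordering: the sticky buffer moved in front of the content it is
# meant to apply to. This is an illustration, not a change from the ruleset.
RULE_REORDERED = RULE_FROM_ISSUE.replace(
    'content:"HTTP/1.1 200 OK|20|"; http_response_line;',
    'http_response_line; content:"HTTP/1.1 200 OK|20|";',
)

if __name__ == "__main__":
    for name, rule in (("as filed", RULE_FROM_ISSUE), ("reordered", RULE_REORDERED)):
        print(f"{name}: empty sticky buffers = {empty_sticky_buffers(rule)}")
```

Run it directly and the rule as filed reports http_response_line, while the reordered variant reports nothing; the same function can be run over every line of a rules file before deploying it, which catches this class of mistake earlier than a failed reload.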

lrvy (Contributor, Author) commented Aug 1, 2019

Also found a false positive for 3016011; the URL is ylog.hiido.com.
I suggest adding the following nocase:
nocase; http_raw_header; content:!"ylog.hiido.com"; http_host;

al0ne (Owner) commented Aug 1, 2019

Got it, I will take a look when I have time.

al0ne closed this as completed Aug 6, 2019