suricata.log.wan

30/9/2021 -- 16:28:43 - <Notice> -- This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
30/9/2021 -- 16:28:43 - <Info> -- CPUs/cores online: 4
30/9/2021 -- 16:28:43 - <Info> -- HTTP memcap: 67108864
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Creating automatic firewall interface IP address Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0 IPv6 address fe80:0000:0000:0000:92e2:baff:fe4c:c1b4 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0 IPv4 address 10.10.20.1 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0 IPv4 address 10.10.20.254 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface igb0 IPv6 address fe80:0000:0000:0000:0e9d:92ff:fe5b:cab6 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface igb0 IPv4 address 192.168.1.2 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface em0 IPv6 address fe80:0000:0000:0000:0e9d:92ff:fe5b:cab5 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface em0 IPv4 address 10.158.149.0 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0.57 IPv6 address fe80:0000:0000:0000:92e2:baff:fe4c:c1b4 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0.57 IPv4 address 192.168.57.1 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0.69 IPv6 address fe80:0000:0000:0000:92e2:baff:fe4c:c1b4 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0.69 IPv4 address 172.168.69.1 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0.100 IPv6 address fe80:0000:0000:0000:92e2:baff:fe4c:c1b4 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ix0.100 IPv4 address 192.168.100.1 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface igb0.11 IPv6 address fe80:0000:0000:0000:0e9d:92ff:fe5b:cab6 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface pppoe0 IPv4 address WANIP to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface pppoe0 IPv6 address WANIP to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ovpns1 IPv6 address fe80:0000:0000:0000:92e2:baff:fe4c:c1b4 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> adding firewall interface ovpns1 IPv4 address 192.168.70.1 to automatic interface IP Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf output device (regular) initialized: block.log
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 10.10.10.1/32 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 10.10.20.0/24 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 10.10.20.254/32 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 10.158.148.0/23 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address WANIP from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 127.0.0.1/32 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 172.168.69.0/24 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 192.168.1.0/24 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 192.168.57.0/24 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 192.168.70.0/24 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 192.168.100.0/24 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv4 address 195.43.166.11/32 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv6 address ::1/128 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv6 address fe80::92e2:baff:fe4c:c1b4/128 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv6 address fe80::e9d:92ff:fe5b:cab5/128 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Added IPv6 address fe80::e9d:92ff:fe5b:cab6/128 from assigned Pass List.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Pass List /usr/local/etc/suricata/suricata_2943_pppoe0/passlist parsed: 16 IP addresses loaded.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf -> Firewall interface IP address change notification monitoring thread started.
30/9/2021 -- 16:28:43 - <Info> -- alert-pf output initialized, pf-table=snort2c  block-ip=both  kill-state=on  block-drops-only=on
30/9/2021 -- 16:28:43 - <Info> -- fast output device (regular) initialized: alerts.log
30/9/2021 -- 16:28:43 - <Info> -- http-log output device (regular) initialized: http.log
30/9/2021 -- 16:28:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 11 smaller than content len 17
30/9/2021 -- 16:28:49 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 28381
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 29114
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 29740
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_NO_FILES_FOR_PROTOCOL(285)] - protocol tls doesn't support file matching
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Authedmine TLS client hello attempt"; flow:to_server,established; file_data; ssl_state:client_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45952; rev:2;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 30630
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 8500 (msg:"SERVER-OTHER Hashicorp Consul services API remote code execution attempt"; flow:to_server,established; content:"/v1/agent/service/register"; fast_pattern:only; http_uri; content:"PUT"; http_method; file_data; content:"check"; content:"script"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.rapid7.com/db/modules/exploit/multi/misc/consul_service_exec; classtype:attempted-admin; sid:49670; rev:2;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 30732
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:55839; rev:1;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 30953
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 4 smaller than content len 10
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt"; flow:to_server,established; content:"user_name="; fast_pattern:only; http_uri; urilen:4; content:"/cgi"; nocase; http_uri; pcre:"/[?&]user_name=[^&]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-5722; classtype:web-application-attack; sid:53858; rev:2;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 30981
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'http_raw_cookie'.
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:2;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 31080
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
30/9/2021 -- 16:28:50 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $FILE_DATA_PORTS (msg:"SERVER-WEBAPP Pulse Connect Secure template injection attempt"; flow:to_server,established; content:"/dana-admin/auth/custompage.cgi"; fast_pattern:only; http_uri; file_data; content:"LoginPage.thtml"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2020-8243; reference:url,kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588; classtype:attempted-admin; sid:57452; rev:1;)" from file /usr/local/etc/suricata/suricata_2943_pppoe0/rules/suricata.rules at line 31340
30/9/2021 -- 16:28:50 - <Info> -- 2 rule files processed. 31810 rules successfully loaded, 9 rules failed
30/9/2021 -- 16:28:50 - <Info> -- Threshold config parsed: 0 rule(s) found
30/9/2021 -- 16:28:51 - <Info> -- 31810 signatures processed. 481 are IP-only rules, 3175 are inspecting packet payload, 22385 inspect application layer, 107 are decoder event only
30/9/2021 -- 16:28:51 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.zip&file.silverlight' is checked but not set. Checked in 28582 and 2 other sigs
30/9/2021 -- 16:28:51 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.pdf&file.ttf' is checked but not set. Checked in 28585 and 1 other sigs
30/9/2021 -- 16:28:51 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'file.xls&file.ole' is checked but not set. Checked in 30990 and 1 other sigs
30/9/2021 -- 16:28:51 - <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.http.PK' is checked but not set. Checked in 2019835 and 1 other sigs
30/9/2021 -- 16:29:12 - <Info> -- Using 1 live device(s).
30/9/2021 -- 16:29:12 - <Info> -- using interface pppoe0
30/9/2021 -- 16:29:12 - <Info> -- running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
30/9/2021 -- 16:29:12 - <Info> -- Set snaplen to 1518 for 'pppoe0'
30/9/2021 -- 16:29:12 - <Info> -- RunModeIdsPcapAutoFp initialised
30/9/2021 -- 16:29:12 - <Notice> -- all 5 packet processing threads, 2 management threads initialized, engine started.
30/9/2021 -- 16:29:16 - <Info> -- No packets with invalid checksum, assuming checksum offloading is NOT used