suricata-update list-enabled-sources
26/7/2018 -- 21:00:28 - -- Loading /etc/suricata/update.yaml
26/7/2018 -- 21:00:28 - -- Using data-directory /var/lib/suricata.
26/7/2018 -- 21:00:28 - -- Using Suricata configuration /etc/suricata/suricata.yaml
26/7/2018 -- 21:00:28 - -- Using /etc/suricata/rules for Suricata provided rules.
26/7/2018 -- 21:00:28 - -- Found Suricata version 4.0.4 at /usr/bin/suricata.
From /etc/suricata/update.yaml:
  - https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
  - https://sslbl.abuse.ch/blacklist/sslblacklist.rules
  - https://www.snort.org/rules/snortrules-snapshot-29111.tar.gz?oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Enabled sources:
  - oisf/trafficid
  - ptresearch/attackdetection
  - et/open

**********************************************************

suricata-update
26/7/2018 -- 20:58:35 - -- Loading /etc/suricata/update.yaml
26/7/2018 -- 20:58:35 - -- Using data-directory /var/lib/suricata.
26/7/2018 -- 20:58:35 - -- Using Suricata configuration /etc/suricata/suricata.yaml
26/7/2018 -- 20:58:35 - -- Using /etc/suricata/rules for Suricata provided rules.
26/7/2018 -- 20:58:35 - -- Found Suricata version 4.0.4 at /usr/bin/suricata.
26/7/2018 -- 20:58:35 - -- Loading /etc/suricata/disable.conf.
26/7/2018 -- 20:58:35 - -- Loading /etc/suricata/enable.conf.
26/7/2018 -- 20:58:35 - -- Loading /etc/suricata/modify.conf.
26/7/2018 -- 20:58:35 - -- Loading /etc/suricata/drop.conf.
26/7/2018 -- 20:58:35 - -- Loading /etc/suricata/suricata.yaml
26/7/2018 -- 20:58:35 - -- Disabling rules with proto ntp
26/7/2018 -- 20:58:35 - -- Disabling rules with proto modbus
26/7/2018 -- 20:58:35 - -- Disabling rules with proto enip
26/7/2018 -- 20:58:35 - -- Disabling rules with proto dnp3
26/7/2018 -- 20:58:35 - -- Disabling rules with proto nfs
26/7/2018 -- 20:58:35 - -- Last download less than 15 minutes ago. Not downloading https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules.
26/7/2018 -- 20:58:35 - -- Last download less than 15 minutes ago. Not downloading https://rules.emergingthreats.net/open/suricata-4.0.4/emerging.rules.tar.gz.
26/7/2018 -- 20:58:35 - -- Last download less than 15 minutes ago. Not downloading https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
26/7/2018 -- 20:58:35 - -- Last download less than 15 minutes ago. Not downloading https://www.snort.org/rules/snortrules-snapshot-29111.tar.gz?oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
26/7/2018 -- 20:58:37 - -- Last download less than 15 minutes ago. Not downloading https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.
26/7/2018 -- 20:58:37 - -- Ignoring file rules/emerging-deleted.rules
26/7/2018 -- 20:58:37 - -- Ignoring file rules/deleted.rules
26/7/2018 -- 20:58:42 - -- Loaded 60656 rules.
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20314] PROTOCOL-VOIP Via header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20314] PROTOCOL-VOIP Via header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11980] PROTOCOL-VOIP Attribute header buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11980] PROTOCOL-VOIP Attribute header buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20349] PROTOCOL-VOIP Subject header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20349] PROTOCOL-VOIP Subject header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19334] PROTOCOL-VOIP Content-Type header invalid format too many slashes
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19334] PROTOCOL-VOIP Content-Type header invalid format too many slashes
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12007] PROTOCOL-VOIP outbound 401 Unauthorized message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12007] PROTOCOL-VOIP outbound 401 Unauthorized message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20379] PROTOCOL-VOIP Date header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20379] PROTOCOL-VOIP Date header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19385] PROTOCOL-VOIP Media header description field overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19385] PROTOCOL-VOIP Media header description field overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20414] PROTOCOL-VOIP outbound 408 Request Timeout message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20414] PROTOCOL-VOIP outbound 408 Request Timeout message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:21150] PROTOCOL-VOIP Grandstream networks denial of service
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:21150] PROTOCOL-VOIP Grandstream networks denial of service
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:28993] PROTOCOL-VOIP Sipvicious User-Agent detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:28993] PROTOCOL-VOIP Sipvicious User-Agent detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12112] PROTOCOL-VOIP Sivus scanner detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12112] PROTOCOL-VOIP Sivus scanner detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:27899] PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:27899] PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20417] PROTOCOL-VOIP outbound 415 Unsupported Media Type message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20417] PROTOCOL-VOIP outbound 415 Unsupported Media Type message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11968] PROTOCOL-VOIP inbound INVITE message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11968] PROTOCOL-VOIP inbound INVITE message
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12177] PROTOCOL-VOIP outbound 415 Unsupported Media Type message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12177] PROTOCOL-VOIP outbound 415 Unsupported Media Type message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20337] PROTOCOL-VOIP To header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20337] PROTOCOL-VOIP To header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20383] PROTOCOL-VOIP Time header contains negative value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20383] PROTOCOL-VOIP Time header contains negative value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19389] PROTOCOL-VOIP REGISTER flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19389] PROTOCOL-VOIP REGISTER flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20402] PROTOCOL-VOIP Response code 405 Method Not Allowed response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20402] PROTOCOL-VOIP Response code 405 Method Not Allowed response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:21103] PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:21103] PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:27903] PROTOCOL-VOIP Ghost call attack attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:27903] PROTOCOL-VOIP Ghost call attack attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20421] PROTOCOL-VOIP INVITE message Content-Length header size of zero
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20421] PROTOCOL-VOIP INVITE message Content-Length header size of zero
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20306] PROTOCOL-VOIP CSeq header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20306] PROTOCOL-VOIP CSeq header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11972] PROTOCOL-VOIP Max-Forwards value over 70
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11972] PROTOCOL-VOIP Max-Forwards value over 70
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12181] PROTOCOL-VOIP outbound 404 Not Found
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12181] PROTOCOL-VOIP outbound 404 Not Found
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20341] PROTOCOL-VOIP To header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20341] PROTOCOL-VOIP To header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20371] PROTOCOL-VOIP Contact header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20371] PROTOCOL-VOIP Contact header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20328] PROTOCOL-VOIP From header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20328] PROTOCOL-VOIP From header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19377] PROTOCOL-VOIP Origin invalid header
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19377] PROTOCOL-VOIP Origin invalid header
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20406] PROTOCOL-VOIP inbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20406] PROTOCOL-VOIP inbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20393] PROTOCOL-VOIP BYE flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20393] PROTOCOL-VOIP BYE flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20310] PROTOCOL-VOIP CSeq header multiple CSeq headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20310] PROTOCOL-VOIP CSeq header multiple CSeq headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12680] PROTOCOL-VOIP Via header hostname buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12680] PROTOCOL-VOIP Via header hostname buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11992] PROTOCOL-VOIP Content-Type header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11992] PROTOCOL-VOIP Content-Type header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20297] PROTOCOL-VOIP outbound INVITE message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20297] PROTOCOL-VOIP outbound INVITE message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12172] PROTOCOL-VOIP inbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12172] PROTOCOL-VOIP inbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20375] PROTOCOL-VOIP Contact header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20375] PROTOCOL-VOIP Contact header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20332] PROTOCOL-VOIP To header contains recursive URL-encoded data
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20332] PROTOCOL-VOIP To header contains recursive URL-encoded data
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19381] PROTOCOL-VOIP Session Name header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19381] PROTOCOL-VOIP Session Name header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:36734] PROTOCOL-VOIP javascript found in SIP headers attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:36734] PROTOCOL-VOIP javascript found in SIP headers attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32211] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32211] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20362] PROTOCOL-VOIP Call-ID header multiple Call-ID headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20362] PROTOCOL-VOIP Call-ID header multiple Call-ID headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:34023] PROTOCOL-VOIP Unity Conversation Manager record-route INVITE anomaly denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20397] PROTOCOL-VOIP INVITE flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20397] PROTOCOL-VOIP INVITE flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11996] PROTOCOL-VOIP CSeq header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11996] PROTOCOL-VOIP CSeq header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20301] PROTOCOL-VOIP TEL URI type overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20301] PROTOCOL-VOIP TEL URI type overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:16351] PROTOCOL-VOIP CSeq buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:16351] PROTOCOL-VOIP CSeq buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20320] PROTOCOL-VOIP From header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20320] PROTOCOL-VOIP From header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19337] PROTOCOL-VOIP invalid SIP-Version field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19337] PROTOCOL-VOIP invalid SIP-Version field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32215] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32215] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20366] PROTOCOL-VOIP Contact header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20366] PROTOCOL-VOIP Contact header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:30886] PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:30886] PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20385] PROTOCOL-VOIP Version header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20385] PROTOCOL-VOIP Version header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:29441] PROTOCOL-VOIP CISCO Telepresence VCS SIP denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:29441] PROTOCOL-VOIP CISCO Telepresence VCS SIP denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11984] PROTOCOL-VOIP Time header contains long value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11984] PROTOCOL-VOIP Time header contains long value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45578] PROTOCOL-VOIP Mr.SIP options request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45578] PROTOCOL-VOIP Mr.SIP options request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11979] PROTOCOL-VOIP Media header port field invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11979] PROTOCOL-VOIP Media header port field invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:36735] PROTOCOL-VOIP javascript found in SIP headers attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:36735] PROTOCOL-VOIP javascript found in SIP headers attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20324] PROTOCOL-VOIP From header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20324] PROTOCOL-VOIP From header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20354] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20354] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:30890] PROTOCOL-VOIP Content-Type media type overflow denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:30890] PROTOCOL-VOIP Content-Type media type overflow denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20389] PROTOCOL-VOIP Attribute header buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20389] PROTOCOL-VOIP Attribute header buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:30282] PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:30282] PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:33445] PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:33445] PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11988] PROTOCOL-VOIP From header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11988] PROTOCOL-VOIP From header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20424] PROTOCOL-VOIP Sivus scanner detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20424] PROTOCOL-VOIP Sivus scanner detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:13590] PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:13590] PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45582] PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45582] PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11983] PROTOCOL-VOIP Time header contains negative value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11983] PROTOCOL-VOIP Time header contains negative value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20318] PROTOCOL-VOIP From header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20318] PROTOCOL-VOIP From header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20344] PROTOCOL-VOIP To header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20344] PROTOCOL-VOIP To header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12002] PROTOCOL-VOIP BYE flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12002] PROTOCOL-VOIP BYE flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow Replication Attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow Replication Attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20358] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20358] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19364] PROTOCOL-VOIP Time Stop header invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19364] PROTOCOL-VOIP Time Stop header invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20409] PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20409] PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20313] PROTOCOL-VOIP Via header missing SIP field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20313] PROTOCOL-VOIP Via header missing SIP field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11971] PROTOCOL-VOIP CSeq buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11971] PROTOCOL-VOIP CSeq buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20348] PROTOCOL-VOIP Subject header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20348] PROTOCOL-VOIP Subject header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19333] PROTOCOL-VOIP Content-Type header invalid format too many slashes
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19333] PROTOCOL-VOIP Content-Type header invalid format too many slashes
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12006] PROTOCOL-VOIP outbound INVITE message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12006] PROTOCOL-VOIP outbound INVITE message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20378] PROTOCOL-VOIP Date header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20378] PROTOCOL-VOIP Date header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19384] PROTOCOL-VOIP Session Name invalid header attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19384] PROTOCOL-VOIP Session Name invalid header attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20413] PROTOCOL-VOIP outbound 100 Trying message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20413] PROTOCOL-VOIP outbound 100 Trying message
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20416] PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20416] PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20317] PROTOCOL-VOIP Via header invalid seperators
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20317] PROTOCOL-VOIP Via header invalid seperators
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:27904] PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:27904] PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11975] PROTOCOL-VOIP Via header missing SIP field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11975] PROTOCOL-VOIP Via header missing SIP field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12176] PROTOCOL-VOIP inbound 415 Unsupported Media Type message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12176] PROTOCOL-VOIP inbound 415 Unsupported Media Type message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20336] PROTOCOL-VOIP To header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20336] PROTOCOL-VOIP To header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12171] PROTOCOL-VOIP outbound 408 Request Timeout message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12171] PROTOCOL-VOIP outbound 408 Request Timeout message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20382] PROTOCOL-VOIP Media header port field invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20382] PROTOCOL-VOIP Media header port field invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20331] PROTOCOL-VOIP From header multiple From headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20331] PROTOCOL-VOIP From header multiple From headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19388] PROTOCOL-VOIP Media header description field format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19388] PROTOCOL-VOIP Media header description field format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20401] PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20401] PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:21102] PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:21102] PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:27902] PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:27902] PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20420] PROTOCOL-VOIP INVITE message invalid IP address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20420] PROTOCOL-VOIP INVITE message invalid IP address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20305] PROTOCOL-VOIP CSeq header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20305] PROTOCOL-VOIP CSeq header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12683] PROTOCOL-VOIP From header field buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12683] PROTOCOL-VOIP From header field buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11995] PROTOCOL-VOIP Content-Type header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11995] PROTOCOL-VOIP Content-Type header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12180] PROTOCOL-VOIP inbound 404 Not Found
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12180] PROTOCOL-VOIP inbound 404 Not Found
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20340] PROTOCOL-VOIP To header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20340] PROTOCOL-VOIP To header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12175] PROTOCOL-VOIP outbound 604 Does Not Exist
Anywhere message 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12175] PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20370] PROTOCOL-VOIP Contact header whitespace in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20370] PROTOCOL-VOIP Contact header whitespace in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20335] PROTOCOL-VOIP To header XSS injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20335] PROTOCOL-VOIP To header XSS injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19376] PROTOCOL-VOIP Origin header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19376] PROTOCOL-VOIP Origin header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20405] PROTOCOL-VOIP inbound 408 Request Timeout message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20405] PROTOCOL-VOIP inbound 408 Request Timeout message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20670] PROTOCOL-VOIP Digium Asterisk data length field overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20392] PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20392] PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt 26/7/2018 -- 
20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20309] PROTOCOL-VOIP CSeq header multiple CSeq headers 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20309] PROTOCOL-VOIP CSeq header multiple CSeq headers 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11999] PROTOCOL-VOIP Via header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11999] PROTOCOL-VOIP Via header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20296] PROTOCOL-VOIP inbound INVITE message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20296] PROTOCOL-VOIP inbound INVITE message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32207] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32207] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20374] PROTOCOL-VOIP Contact header missing terminating quote 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20374] PROTOCOL-VOIP Contact header missing terminating quote 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20323] PROTOCOL-VOIP From header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20323] PROTOCOL-VOIP From header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # 
[1:19380] PROTOCOL-VOIP Session Name header overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19380] PROTOCOL-VOIP Session Name header overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:36733] PROTOCOL-VOIP javascript found in SIP headers attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:36733] PROTOCOL-VOIP javascript found in SIP headers attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32210] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32210] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20361] PROTOCOL-VOIP Call-ID header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20361] PROTOCOL-VOIP Call-ID header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19375] PROTOCOL-VOIP Origin header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19375] PROTOCOL-VOIP Origin header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:30885] PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:30885] PROTOCOL-VOIP Cisco SIP malformed date header buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:34022] PROTOCOL-VOIP Cisco 
Unity Connection malformed contact header denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:34022] PROTOCOL-VOIP Cisco Unity Connection malformed contact header denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20396] PROTOCOL-VOIP INVITE flood attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20396] PROTOCOL-VOIP INVITE flood attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11987] PROTOCOL-VOIP Via header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11987] PROTOCOL-VOIP Via header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20300] PROTOCOL-VOIP SIP URI type overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20300] PROTOCOL-VOIP SIP URI type overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12167] PROTOCOL-VOIP SIP URI multiple at signs in message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12167] PROTOCOL-VOIP SIP URI multiple at signs in message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20327] PROTOCOL-VOIP From header unquoted tokens in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20327] PROTOCOL-VOIP From header unquoted tokens in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19336] PROTOCOL-VOIP Content-Type header invalid format missing slash 26/7/2018 -- 20:58:42 - -- Rule has unknown 
dest port var and will be disabled: SIP_PORTS: # [1:19336] PROTOCOL-VOIP Content-Type header invalid format missing slash 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32214] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32214] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20365] PROTOCOL-VOIP Contact header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20365] PROTOCOL-VOIP Contact header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:30889] PROTOCOL-VOIP Content-Type media type overflow denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:30889] PROTOCOL-VOIP Content-Type media type overflow denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20384] PROTOCOL-VOIP Time header contains long value 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20384] PROTOCOL-VOIP Time header contains long value 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12074] PROTOCOL-VOIP outbound 100 Trying message 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12074] PROTOCOL-VOIP outbound 100 Trying message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11991] PROTOCOL-VOIP CSeq header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will 
be disabled: SIP_PORTS: # [1:11991] PROTOCOL-VOIP CSeq header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20427] PROTOCOL-VOIP OpenSBC VIA header denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20427] PROTOCOL-VOIP OpenSBC VIA header denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45577] PROTOCOL-VOIP Mr.SIP invite request denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45577] PROTOCOL-VOIP Mr.SIP invite request denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19302] PROTOCOL-VOIP Max-Forwards header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19302] PROTOCOL-VOIP Max-Forwards header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20347] PROTOCOL-VOIP To header multiple To headers 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20347] PROTOCOL-VOIP To header multiple To headers 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20353] PROTOCOL-VOIP Expires header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20353] PROTOCOL-VOIP Expires header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:45464] PROTOCOL-VOIP Cisco Unified Customer Voice Portal denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20388] 
PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20388] PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12359] PROTOCOL-VOIP Digium Asterisk data length field overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:13589] PROTOCOL-VOIP OPTIONS message Via header request misplaced - after terminating newline 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:13589] PROTOCOL-VOIP OPTIONS message Via header request misplaced - after terminating newline 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45581] PROTOCOL-VOIP Mr.SIP options request denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45581] PROTOCOL-VOIP Mr.SIP options request denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11982] PROTOCOL-VOIP To header contains recursive URL-encoded data 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11982] PROTOCOL-VOIP To header contains recursive URL-encoded data 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20351] PROTOCOL-VOIP Subject header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20351] PROTOCOL-VOIP Subject header format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12001] PROTOCOL-VOIP Version header overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: 
SIP_PORTS: # [1:12001] PROTOCOL-VOIP Version header overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20357] PROTOCOL-VOIP Call-ID header XSS injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20357] PROTOCOL-VOIP Call-ID header XSS injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:26426] PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:26426] PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19387] PROTOCOL-VOIP Media header description field format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19387] PROTOCOL-VOIP Media header description field format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20408] PROTOCOL-VOIP inbound 415 Unsupported Media Type message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20408] PROTOCOL-VOIP inbound 415 Unsupported Media Type message 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC Creation 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC Creation 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:32042] OS-OTHER Bash environment variable injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:32042] OS-OTHER Bash 
environment variable injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20419] PROTOCOL-VOIP outbound 401 Unauthorized message 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20419] PROTOCOL-VOIP outbound 401 Unauthorized message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20312] PROTOCOL-VOIP Max-Forwards header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20312] PROTOCOL-VOIP Max-Forwards header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11970] PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11970] PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12179] PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12179] PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20339] PROTOCOL-VOIP To header whitespace in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20339] PROTOCOL-VOIP To header whitespace in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12005] PROTOCOL-VOIP Connection header invalid value 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12005] PROTOCOL-VOIP 
Connection header invalid value 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20377] PROTOCOL-VOIP Content-Type header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20377] PROTOCOL-VOIP Content-Type header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20412] PROTOCOL-VOIP outbound 404 Not Found 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20412] PROTOCOL-VOIP outbound 404 Not Found 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20423] PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20423] PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20316] PROTOCOL-VOIP Via header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20316] PROTOCOL-VOIP Via header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20343] PROTOCOL-VOIP To header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20343] PROTOCOL-VOIP To header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12170] PROTOCOL-VOIP inbound 408 Request Timeout message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12170] PROTOCOL-VOIP inbound 408 Request Timeout message 26/7/2018 -- 20:58:42 - -- Rule has unknown 
dest address var and will be disabled: SIP_SERVERS: # [1:20381] PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20381] PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20330] PROTOCOL-VOIP From header multiple From headers 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20330] PROTOCOL-VOIP From header multiple From headers 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19379] PROTOCOL-VOIP Session Name header overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19379] PROTOCOL-VOIP Session Name header overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20400] PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20400] PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20395] PROTOCOL-VOIP REGISTER flood 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20395] PROTOCOL-VOIP REGISTER flood 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:21101] PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:21101] PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be 
disabled: SIP_SERVERS: # [1:27901] PROTOCOL-VOIP Ghost call attack attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:27901] PROTOCOL-VOIP Ghost call attack attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20304] PROTOCOL-VOIP SIP URI possible format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20304] PROTOCOL-VOIP SIP URI possible format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12682] PROTOCOL-VOIP From header field buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12682] PROTOCOL-VOIP From header field buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11994] PROTOCOL-VOIP Contact header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11994] PROTOCOL-VOIP Contact header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20299] PROTOCOL-VOIP Invalid request spaces at end of request line attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20299] PROTOCOL-VOIP Invalid request spaces at end of request line attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:33870] PROTOCOL-VOIP Cisco TelePresence Video Communication Server SDP media description denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:33870] PROTOCOL-VOIP Cisco TelePresence Video Communication Server SDP media description denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown 
dest address var and will be disabled: SIP_SERVERS: # [1:12174] PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12174] PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20334] PROTOCOL-VOIP To header XSS injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20334] PROTOCOL-VOIP To header XSS injection attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19383] PROTOCOL-VOIP Session Name invalid header attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19383] PROTOCOL-VOIP Session Name invalid header attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32209] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32209] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20404] PROTOCOL-VOIP inbound 100 Trying message 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20404] PROTOCOL-VOIP inbound 100 Trying message 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20399] PROTOCOL-VOIP Response code 420 Bad Extension response flood 26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20399] PROTOCOL-VOIP Response code 420 Bad Extension response flood 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # 
[1:20308] PROTOCOL-VOIP CSeq header method mismatch attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20308] PROTOCOL-VOIP CSeq header method mismatch attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11998] PROTOCOL-VOIP To header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11998] PROTOCOL-VOIP To header invalid characters detected 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20303] PROTOCOL-VOIP SIP URI possible format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20303] PROTOCOL-VOIP SIP URI possible format string attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20373] PROTOCOL-VOIP Contact header unquoted tokens in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20373] PROTOCOL-VOIP Contact header unquoted tokens in field attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32213] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32213] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20360] PROTOCOL-VOIP Call-ID header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20360] PROTOCOL-VOIP Call-ID header invalid seperators 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19374] PROTOCOL-VOIP Origin header 
overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19374] PROTOCOL-VOIP Origin header overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:30884] PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:30884] PROTOCOL-VOIP Cisco MXP Telepresence gssapi-data unauthenticated denial of service attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:39797] PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20387] PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20387] PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11986] PROTOCOL-VOIP Authorization header invalid characters in response parameter 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11986] PROTOCOL-VOIP Authorization header invalid characters in response parameter 26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:45770] POLICY-OTHER Polycom VoIP config download attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:14609] PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:14609] PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt 26/7/2018 -- 20:58:42 - -- Rule has unknown dest 
address var and will be disabled: SIP_SERVERS: # [1:20326] PROTOCOL-VOIP From header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20326] PROTOCOL-VOIP From header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20364] PROTOCOL-VOIP Contact header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20364] PROTOCOL-VOIP Contact header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20391] PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20391] PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12073] PROTOCOL-VOIP inbound 100 Trying message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12073] PROTOCOL-VOIP inbound 100 Trying message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19410] PROTOCOL-VOIP INVITE message URI contains global broadcast address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19410] PROTOCOL-VOIP INVITE message URI contains global broadcast address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:13693] PROTOCOL-VOIP Attribute header rtpmap field invalid payload type
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:13693] PROTOCOL-VOIP Attribute header rtpmap field invalid payload type
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11990] PROTOCOL-VOIP Contact header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11990] PROTOCOL-VOIP Contact header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20426] PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20426] PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11977] PROTOCOL-VOIP TEL URI type overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11977] PROTOCOL-VOIP TEL URI type overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19301] PROTOCOL-VOIP Expires header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19301] PROTOCOL-VOIP Expires header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20346] PROTOCOL-VOIP To header multiple To headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20346] PROTOCOL-VOIP To header multiple To headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20352] PROTOCOL-VOIP Expires header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20352] PROTOCOL-VOIP Expires header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20411] PROTOCOL-VOIP inbound 404 Not Found
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20411] PROTOCOL-VOIP inbound 404 Not Found
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20315] PROTOCOL-VOIP Via header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20315] PROTOCOL-VOIP Via header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45580] PROTOCOL-VOIP Mr.SIP invite request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45580] PROTOCOL-VOIP Mr.SIP invite request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11981] PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11981] PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20350] PROTOCOL-VOIP Subject header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20350] PROTOCOL-VOIP Subject header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19335] PROTOCOL-VOIP Content-Type header invalid format missing slash
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19335] PROTOCOL-VOIP Content-Type header invalid format missing slash
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12000] PROTOCOL-VOIP INVITE message invalid IP address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12000] PROTOCOL-VOIP INVITE message invalid IP address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20356] PROTOCOL-VOIP Call-ID header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20356] PROTOCOL-VOIP Call-ID header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:26425] PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:26425] PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19386] PROTOCOL-VOIP Media header description field overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19386] PROTOCOL-VOIP Media header description field overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20415] PROTOCOL-VOIP outbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20415] PROTOCOL-VOIP outbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:21669] PROTOCOL-VOIP Digium Asterisk missing SIP version denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:21669] PROTOCOL-VOIP Digium Asterisk missing SIP version denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:28165] PROTOCOL-VOIP attempted DOS detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:28165] PROTOCOL-VOIP attempted DOS detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12113] PROTOCOL-VOIP SIP URI overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12113] PROTOCOL-VOIP SIP URI overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:32041] OS-OTHER Bash environment variable injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:32041] OS-OTHER Bash environment variable injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20418] PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20418] PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20319] PROTOCOL-VOIP From header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20319] PROTOCOL-VOIP From header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11969] PROTOCOL-VOIP inbound 401 unauthorized message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11969] PROTOCOL-VOIP inbound 401 unauthorized message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12178] PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12178] PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20338] PROTOCOL-VOIP To header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20338] PROTOCOL-VOIP To header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12004] PROTOCOL-VOIP INVITE message Content-Length header size of zero
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12004] PROTOCOL-VOIP INVITE message Content-Length header size of zero
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20376] PROTOCOL-VOIP Content-Type header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20376] PROTOCOL-VOIP Content-Type header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20403] PROTOCOL-VOIP Response code 405 Method Not Allowed response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20403] PROTOCOL-VOIP Response code 405 Method Not Allowed response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20422] PROTOCOL-VOIP OPTIONS message Via field request misplaced - after terminating newline
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20422] PROTOCOL-VOIP OPTIONS message Via field request misplaced - after terminating newline
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:36246] PROTOCOL-VOIP Cisco IOS SIP header parsing memory leak attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:36246] PROTOCOL-VOIP Cisco IOS SIP header parsing memory leak attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20307] PROTOCOL-VOIP CSeq header method mismatch attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20307] PROTOCOL-VOIP CSeq header method mismatch attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11973] PROTOCOL-VOIP Via header hostname buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11973] PROTOCOL-VOIP Via header hostname buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20342] PROTOCOL-VOIP To header invalid seperators
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20342] PROTOCOL-VOIP To header invalid seperators
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:33869] PROTOCOL-VOIP Cisco TelePresence Video Communication Server SDP media description denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:33869] PROTOCOL-VOIP Cisco TelePresence Video Communication Server SDP media description denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20380] PROTOCOL-VOIP Authorization header invalid characters in response parameter
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20380] PROTOCOL-VOIP Authorization header invalid characters in response parameter
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20329] PROTOCOL-VOIP From header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20329] PROTOCOL-VOIP From header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19378] PROTOCOL-VOIP Origin invalid header
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19378] PROTOCOL-VOIP Origin invalid header
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20407] PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20407] PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20394] PROTOCOL-VOIP CANCEL flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20394] PROTOCOL-VOIP CANCEL flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:27900] PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:27900] PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:13664] PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:13664] PROTOCOL-VOIP Remote-Party-ID header hexadecimal characters in IP address field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20311] PROTOCOL-VOIP Max-Forwards value over 70
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20311] PROTOCOL-VOIP Max-Forwards value over 70
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12681] PROTOCOL-VOIP SIP URI overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12681] PROTOCOL-VOIP SIP URI overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11993] PROTOCOL-VOIP Call-ID header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11993] PROTOCOL-VOIP Call-ID header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20298] PROTOCOL-VOIP Invalid request spaces at end of request line attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20298] PROTOCOL-VOIP Invalid request spaces at end of request line attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:12173] PROTOCOL-VOIP outbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:12173] PROTOCOL-VOIP outbound 501 Not Implemented message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:42293] PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20333] PROTOCOL-VOIP To header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20333] PROTOCOL-VOIP To header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19382] PROTOCOL-VOIP Session Name header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19382] PROTOCOL-VOIP Session Name header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32208] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32208] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20363] PROTOCOL-VOIP Call-ID header multiple Call-ID headers
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20363] PROTOCOL-VOIP Call-ID header multiple Call-ID headers
26/7/2018 -- 20:58:42 - -- Rule has unknown source address var and will be disabled: SIP_SERVERS: # [1:20398] PROTOCOL-VOIP Response code 420 Bad Extension response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown source port var and will be disabled: SIP_PORTS: # [1:20398] PROTOCOL-VOIP Response code 420 Bad Extension response flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11997] PROTOCOL-VOIP From header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11997] PROTOCOL-VOIP From header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20302] PROTOCOL-VOIP SIP URI multiple at signs in message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20302] PROTOCOL-VOIP SIP URI multiple at signs in message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20372] PROTOCOL-VOIP Contact header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20372] PROTOCOL-VOIP Contact header unquoted tokens in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20321] PROTOCOL-VOIP From header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20321] PROTOCOL-VOIP From header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19338] PROTOCOL-VOIP invalid SIP-Version field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19338] PROTOCOL-VOIP invalid SIP-Version field
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32212] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32212] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20367] PROTOCOL-VOIP Contact header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20367] PROTOCOL-VOIP Contact header XSS injection attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19373] PROTOCOL-VOIP Origin header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19373] PROTOCOL-VOIP Origin header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:39796] PROTOCOL-VOIP Cisco Unified Communications Manager null pointer dereference attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20386] PROTOCOL-VOIP Connection header invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20386] PROTOCOL-VOIP Connection header invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002228] [PT OPEN] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45584] PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45584] PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11985] PROTOCOL-VOIP Expires header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11985] PROTOCOL-VOIP Expires header overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45579] PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45579] PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:14608] PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:14608] PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20325] PROTOCOL-VOIP From header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20325] PROTOCOL-VOIP From header whitespace in field attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:32216] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:32216] PROTOCOL-VOIP missing media application format parameter denial-of-service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20355] PROTOCOL-VOIP Call-ID header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20355] PROTOCOL-VOIP Call-ID header invalid characters detected
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20390] PROTOCOL-VOIP Attribute header rtpmap field invalid payload type
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20390] PROTOCOL-VOIP Attribute header rtpmap field invalid payload type
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: [3:30283] PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:30283] PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19409] PROTOCOL-VOIP INVITE message URI contains global broadcast address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19409] PROTOCOL-VOIP INVITE message URI contains global broadcast address
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11989] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11989] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20425] PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20425] PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:45583] PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:45583] PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:11976] PROTOCOL-VOIP SIP URI type overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:11976] PROTOCOL-VOIP SIP URI type overflow attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20345] PROTOCOL-VOIP To header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20345] PROTOCOL-VOIP To header missing terminating quote
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:12003] PROTOCOL-VOIP CANCEL flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:12003] PROTOCOL-VOIP CANCEL flood
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20359] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20359] PROTOCOL-VOIP Call-ID header format string attempt
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:19365] PROTOCOL-VOIP Time Stop Header invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:19365] PROTOCOL-VOIP Time Stop Header invalid value
26/7/2018 -- 20:58:42 - -- Rule has unknown dest address var and will be disabled: SIP_SERVERS: # [1:20410] PROTOCOL-VOIP inbound 401 unauthorized message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: # [1:20410] PROTOCOL-VOIP inbound 401 unauthorized message
26/7/2018 -- 20:58:42 - -- Rule has unknown dest port var and will be disabled: SIP_PORTS: [3:40638] PROTOCOL-VOIP Cisco Meeting Server SIP SDP media description buffer overflow attempt
26/7/2018 -- 20:58:42 - -- Disabled 0 rules.
26/7/2018 -- 20:58:42 - -- Enabled 0 rules.
26/7/2018 -- 20:58:42 - -- Modified 0 rules.
26/7/2018 -- 20:58:42 - -- Dropped 0 rules.
26/7/2018 -- 20:58:43 - -- Enabled 50 rules for flowbit dependencies.
26/7/2018 -- 20:58:43 - -- Backing up current rules.
26/7/2018 -- 20:58:48 - -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 60656; enabled: 32889; added: 386; removed 15; modified: 1313
26/7/2018 -- 20:58:49 - -- Testing with suricata -T.
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 172
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED"; sid:442; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 205
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 24; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 446
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "POP_UU_DECODING_FAILED"; sid: 7; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 567
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCP_NO_SYN_ACK_RST"; sid:423; gid:116; rev:2; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 615
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_FILTERED_PORTSCAN"; sid: 5; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 851
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45820; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 1317
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_UNBOUNDED POST"; sid: 28; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 1367
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_TRH"; sid:140; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 1383
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 1384
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_WINDOW_TOO_LARGE"; sid: 6; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 1569
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CO_BAD_MAJ_VERSION"; sid: 27; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 1616
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_DST_RESERVED_MULTICAST"; sid:278; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 1813
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP4_DST_THIS_NET"; sid:409; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 1958
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 2025
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_OPNUM"; sid: 38; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 2027
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV4_DGRAM_UNKNOWN"; sid:108; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 2114
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 2185
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCP_BAD_URP"; sid:419; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 2773
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 3015
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)" from file /var/lib/suricata/rules/suricata.rules at line 3414 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_BAD_CONTENT_LEN"; sid: 16; gid: 140; rev: 2; metadata: rule-type preproc ; reference:cve,2014-3360; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-sip; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 3533 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 3800 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_DGRAM_LT_IPHDR"; sid:274; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 4007 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:8;)" from file /var/lib/suricata/rules/suricata.rules at line 4027 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_MULTIPLE_HOST_HDRS"; sid:24; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 4137 26/7/2018 -- 20:58:49 - -- [ERRCODE: 
SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_TC"; sid: 22; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 4161 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG"; sid: 34; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 4227 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DNP3_REASSEMBLY_BUFFER_CLEARED"; sid:4; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 4396 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 4498 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 4602 26/7/2018 -- 20:58:49 - 
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 2; metadata: rule-type preproc ; classtype:unknown; reference:cve,2013-2028; )" from file /var/lib/suricata/rules/suricata.rules at line 4632 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-user; reference:cve,2007-3161; reference:cve,2010-1465; reference:url,www.kb.cert.org/vuls/id/276653; )" from file /var/lib/suricata/rules/suricata.rules at line 4769 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP6_TYPE_OTHER"; sid:431; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 4967 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FRAG3_TEARDROP"; sid: 2; gid: 123; rev: 1; metadata: rule-type preproc ; reference:cve,1999-0015; reference:bugtraq,124; classtype:attempted-dos; )" from file /var/lib/suricata/rules/suricata.rules at line 5027 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_IP_FILTERED_PORTSCAN"; sid: 13; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 5205 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_80211_ETHLLC"; sid:133; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 5267 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd_pattern'. 
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 5287 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_MISMATCH_METHOD"; sid: 25; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 5525 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_GRE_V1_INVALID_HEADER"; sid:164; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 5558 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_GRE_INVALID_VERSION"; sid:162; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 5680 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_MAX_HEADERS"; sid: 20; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 5743 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords). 
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)" from file /var/lib/suricata/rules/suricata.rules at line 5881 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_DOS_ATTEMPT"; sid:452; gid:116; rev:1; metadata:rule-type decode; reference:url,www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3; reference:cve,2006-0454; reference:bugtraq,16532; classtype:denial-of-service;)" from file /var/lib/suricata/rules/suricata.rules at line 5936 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "IMAP_B64_DECODING_FAILED"; sid: 4; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 6311 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "IMAP_QP_DECODING_FAILED"; sid: 5; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 6342 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET"; sid:255; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file 
/var/lib/suricata/rules/suricata.rules at line 6629 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_PCRE_PARSE(7)] - parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)" from file /var/lib/suricata/rules/suricata.rules at line 6673 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 6939 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP6_HDR_TRUNC"; sid:427; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 7155 
26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 7306 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_IP_PORTSCAN"; sid: 9; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 7396 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 7434 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|0A|User-Agent|3A 20|tiehttp"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A 20|"; nocase; http_client_body; content:"form-data|3B| name=|22|filename|22|"; distance:0; nocase; http_client_body; content:"|0D 0A 0D 0A|"; within:4; http_client_body; pcre:"/^\d{0,10}_passes_\d{1,10}\.xm/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/latest-report.html?resource=f9775d5fc61ec53a7cab4b432ec2d227; classtype:trojan-activity; sid:21760; rev:5;)" from file /var/lib/suricata/rules/suricata.rules at line 7543 26/7/2018 -- 20:58:49 
- -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_UU_DECODING_FAILED"; sid: 13; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 7633 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_AUTH_INVITE_DIFF_SESSION"; sid: 21; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 7712 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_LARGE_CHUNK"; sid: 16; gid: 119; rev: 2; metadata: rule-type preproc, service http ; classtype:attempted-admin; reference:cve,2013-2028; )" from file /var/lib/suricata/rules/suricata.rules at line 7930 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CO_BAD_MIN_VERSION"; sid: 28; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 8124 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CL_BAD_PDU_TYPE"; sid: 41; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 8182 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_BAD_SEGMENT"; sid: 5; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 8310 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( 
msg:"DECODE_IPV6_ROUTE_AND_HOPBYHOP"; sid:282; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 8387 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST"; sid: 3; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 8518 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 26/7/2018 -- 20:58:49 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 8525 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CL_DATA_LT_HDR"; sid: 42; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 8597 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_ORIG_IP_VER_MISMATCH"; sid:251; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 8833 26/7/2018 -- 20:58:50 - -- [ERRCODE: 
SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 8890 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_DEPR_COMMAND_USED"; sid: 53; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 9003 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_U_ENCODE"; sid: 3; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; )" from file /var/lib/suricata/rules/suricata.rules at line 9231 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_SOURCE_QUENCH"; sid:439; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 9344 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_UDP_FILTERED_PORTSCAN"; sid: 21; gid: 122; rev: 1; metadata: rule-type preproc ; 
classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 9582 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_TR_ETHLLC"; sid:141; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 9638 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SSH_EVENT_SECURECRT"; sid: 3; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2001-1466; reference:cve,2002-1059; classtype:attempted-admin;)" from file /var/lib/suricata/rules/suricata.rules at line 9756 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_MULTI_MSGS"; sid: 17; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 9878 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_BAD_TIMESTAMP"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; reference:cve,2009-1925; )" from file /var/lib/suricata/rules/suricata.rules at line 10016 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. 
Can't have relative keywords around a fast_pattern only content 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 10088 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC"; sid: 2; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 10095 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FRAG3_ANOMALY_BADSIZE_LG"; sid: 7; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 10186 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 10225 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'. 
26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 10247 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_DIR_TRAV"; sid: 11; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; reference:cve,2002-1744; reference:cve,2008-5515; )" from file /var/lib/suricata/rules/suricata.rules at line 10516 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_SESSION_HIJACKED_CLIENT"; sid: 9; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; )" from file /var/lib/suricata/rules/suricata.rules at line 10739 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 8; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 10924 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_BARE_BYTE"; sid: 4; gid: 119; rev: 1; metadata: 
rule-type preproc, service http ; classtype:not-suspicious; )" from file /var/lib/suricata/rules/suricata.rules at line 11052 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_UDP_IPV6_ZERO_CHECKSUM"; sid:406; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 11135 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FTPP_FTP_MALFORMED_PARAMETER"; sid: 4; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 11348 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_UNORDERED_EXTENSIONS"; sid:296; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 11397 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_ICMPENUM"; sid:435; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 11549 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_INVALID_SHARE"; sid: 26; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 11594 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV4_DGRAM_GT_IPHDR"; sid:6; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 11694 26/7/2018 -- 20:58:50 - -- [ERRCODE: 
SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_PORTSWEEP"; sid: 3; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 11746 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_UDP_PORTSCAN"; sid: 17; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 11783 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FRAG3_ANOMALY_BADSIZE_SM"; sid: 6; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 11935 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_UNKNOWN_CMD"; sid: 5; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 12009 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_BAD_VIA"; sid: 13; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 12083 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PPM_EVENT_RULE_TREE_DISABLED"; sid: 1; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; )" from file /var/lib/suricata/rules/suricata.rules at line 12275 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_BITENC_DECODING_FAILED"; sid: 12; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 12284 26/7/2018 -- 20:58:50 - -- 
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP6_EXCESS_EXT_HDR"; sid:456; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 12505 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; )" from file /var/lib/suricata/rules/suricata.rules at line 12532 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_SERVER_UTF_NORM_FAIL"; sid: 4; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 12643 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'. 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45819; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 12655 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing 
signature "alert ( msg: "HI_CLIENT_IIS_UNICODE"; sid: 7; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2009-1535; )" from file /var/lib/suricata/rules/suricata.rules at line 12772 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_4WAY_HANDSHAKE"; sid: 13; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 12922 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP4_SRC_MULTICAST"; sid:410; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 13031 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_PPPOE"; sid:120; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 13055 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_PIPELINE_MAX "; sid: 34; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 13114 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_IS_NOT"; sid:271; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 13163 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP4_HDR_TRUNC"; sid:426; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 13214 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( 
msg:"DECODE_DOS_NAPTHA"; sid: 402; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-dos; reference:bugtraq,2022; reference:cve,2000-1039; reference:nessus,275; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; )" from file /var/lib/suricata/rules/suricata.rules at line 13310 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_UDP_DECOY_PORTSCAN"; sid: 18; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 13318 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 13372 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_UDP_PORT_ZERO"; sid:447; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 13721 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:2; gid:116; rev:1; 
metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 13869 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCP_SYN_FIN"; sid:420; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 14122 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0260; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; )" from file /var/lib/suricata/rules/suricata.rules at line 14174 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DNS_EVENT_OBSOLETE_TYPES"; sid: 1; gid: 131; rev: 1; metadata: rule-type preproc, service dns ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 14242 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_BAD_FROM"; sid: 9; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 14258 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_FILTERED_DECOY_PORTSCAN"; sid: 6; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 14361 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FRAG3_SHORT_FRAG"; sid: 3; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 14369 
26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 14712 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_UDP_DGRAM_LT_UDPHDR"; sid:95; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 14819 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_CHAIN_TC_TDIS"; sid: 24; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 15010 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 15092 26/7/2018 -- 20:58:50 - -- [ERRCODE: 
SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FTPP_FTP_ENCRYPTED"; sid: 7; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 15386 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMPV6_TOO_BIG_BAD_MTU"; sid:285; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 15388 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SSL_INVALID_SERVER_HELLO"; sid: 2; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 15417 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_UDP_DGRAM_SHORT_PACKET"; sid:97; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 15649 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DNP3_DROPPED_SEGMENT"; sid:3; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 15742 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED"; sid:443; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 15908 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_ICMP_PORTSWEEP"; sid: 25; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 16147 26/7/2018 -- 
20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "POP_B64_DECODING_FAILED"; sid: 4; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 16270 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_BAD_CALL_ID"; sid: 5; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 16452 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_DECOY_PORTSCAN"; sid: 2; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 16551 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 16783 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ERSPAN3_DGRAM_LT_HDR_STR"; sid:464; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 16871 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 17086 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_BAD_OPT_TYPE"; sid:279; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 17534 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; 
reference:bugtraq,2242; reference:cve,2006-5815; reference:bugtraq,20992; )" from file /var/lib/suricata/rules/suricata.rules at line 17576 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DNS_EVENT_RDATA_OVERFLOW"; sid: 3; gid: 131; rev: 1; metadata: rule-type preproc, service dns, policy security-ips drop ; classtype:attempted-admin; reference:cve,2006-3441; reference:url,www.microsoft.com/technet/security/bulletin/ms06-041.mspx; )" from file /var/lib/suricata/rules/suricata.rules at line 17689 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CALL_ID"; sid: 37; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 17751 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ARP_TRUNCATED"; sid:109; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 17833 26/7/2018 -- 20:58:50 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FTPP_FTP_INVALID_CMD"; sid: 2; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,2010-4221; )" from file /var/lib/suricata/rules/suricata.rules at line 17885 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_WINDOW_SLAM"; sid: 19; gid: 129; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2013-0075; )" from file /var/lib/suricata/rules/suricata.rules at line 18120 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMPV6_ADVERT_BAD_CODE"; sid:288; gid:116; rev:1; metadata:rule-type 
decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 18146 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_DOUBLE_DECODE"; sid: 2; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1122; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )" from file /var/lib/suricata/rules/suricata.rules at line 18306 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords). 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 18313 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 18547 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_MAX_SESSIONS"; sid: 1; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file 
/var/lib/suricata/rules/suricata.rules at line 18612 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCPOPT_TRUNCATED"; sid:55; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 18629 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd_pattern'. 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 18796 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_EVASIVE_FILE_ATTRS"; sid: 57; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 18807 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 27; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 19240 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_BAD_BCC"; sid: 6; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 19503 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( 
msg:"DECODE_ICMP_DGRAM_LT_ICMPHDR"; sid:105; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 19986 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "MODBUS_RESERVED_FUNCTION"; sid:3; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 20075 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_MPLS_LABEL_STACK"; sid:176; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 20137 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 20188 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP_MULTIPLE_ENCAPSULATION"; sid:293; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 20507 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing 
signature "alert ( msg:"DECODE_ETH_HDR_TRUNC"; sid:424; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 20655 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_IP_DECOY_PORTSCAN"; sid: 10; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 20895 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_80211_OTHER"; sid:134; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 20954 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'sd_pattern'. 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 20969 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_UNKOWN_METHOD"; sid: 26; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 21200 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281; reference:bugtraq,43338; reference:cve,2011-5007; )" from file /var/lib/suricata/rules/suricata.rules at line 21270 26/7/2018 -- 20:58:51 - -- [ERRCODE: 
SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_GRE_INVALID_HEADER"; sid:163; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 21363 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords). 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 21547 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_ISATAP_SPOOF"; sid:453; gid:116; rev:1; metadata:rule-type decode; reference:cve,2010-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS10-029.mspx; classtype:misc-attack; )" from file /var/lib/suricata/rules/suricata.rules at line 21615 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_BAD_NBSS_TYPE"; sid: 2; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 21676 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - 
error parsing signature "alert ( msg: "RPC_INCOMPLETE_SEGMENT"; sid: 4; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 21844 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_CODE"; sid:287; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 21879 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_RESERVED"; sid:289; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 22687 26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier. 
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)" from file /var/lib/suricata/rules/suricata.rules at line 22716
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_REDIRECT_HOST"; sid:436; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 22831
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_BAD_FORMAT"; sid: 7; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 22973
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_UDP_FILTERED_DECOY_PORTSCAN"; sid: 22; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 23063
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 23117
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_VLAN"; sid:130; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 23123
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_AUTH_ATTACK"; sid: 14; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 23291
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_BAD_STATUS_CODE"; sid: 22; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 23368
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:3;)" from file /var/lib/suricata/rules/suricata.rules at line 23407
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_SIMPLE_REQUEST"; sid: 32; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 23418
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; )" from file /var/lib/suricata/rules/suricata.rules at line 23514
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_MPLS_RESERVEDLABEL"; sid:175; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 23522
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "GTP_EVENT_BAD_MSG_LEN"; sid: 1; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 23769
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_BCC_LT_DSIZE"; sid: 16; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 23775
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP_UNASSIGNED_PROTO"; sid:449; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; )" from file /var/lib/suricata/rules/suricata.rules at line 23776
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_BAD_ACK"; sid: 17; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 23790
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;)" from file /var/lib/suricata/rules/suricata.rules at line 23806
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_UDP_DISTRIBUTED_PORTSCAN"; sid: 20; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 23977
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_NON_RFC_CHAR"; sid: 14; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 23986
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_TWO_ROUTE_HEADERS"; sid:283; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 24035
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2007-1306; )" from file /var/lib/suricata/rules/suricata.rules at line 24182
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FTPP_TELNET_SUBNEG_BEGIN_NO_END"; sid: 3; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 24264
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 24564
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED"; sid: 52; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 24659
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 7; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 24673
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_SERVER_UTF7"; sid: 5; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 25076
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCP_LARGE_OFFSET"; sid:47; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 25089
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCPOPT_WSCALE_INVALID"; sid:59; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 25164
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_MISMATCH_CONTENT_LEN"; sid: 18; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 25552
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_MPLS_LABEL0"; sid:171; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 25713
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP4_DST_RESERVED"; sid:412; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 25869
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_ROUTE_ZERO"; sid:461; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 25983
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "IMAP_UU_DECODING_FAILED"; sid: 7; gid: 141; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 26028
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCPOPT_EXPERIMENT"; sid:58; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 26089
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_SELF_DIR_TRAV"; sid: 10; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 26199
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cap/?a=get&i="; nocase; http_uri; pcre:"/\d+&/miR"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9;)" from file /var/lib/suricata/rules/suricata.rules at line 26354
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_DATA_AFTER_RESET"; sid: 8; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 26415
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_UNESCAPED_SPACE_IN_URI"; sid:33; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 26610
26/7/2018 -- 20:58:51 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP4_LEN_OFFSET"; sid:407; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 26810
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__MEMCAP"; sid: 1; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: attempted-dos; )" from file /var/lib/suricata/rules/suricata.rules at line 27057
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_GTP_MULTIPLE_ENCAPSULATION"; sid:297; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 27074
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IP_OPTION_SET"; sid:444; gid:116; rev:1; metadata:rule-type decode; classtype: bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 27221
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_DATA_AFTER_RST_RCVD"; sid: 18; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 27236
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_GRE_DGRAM_LT_GREHDR"; sid:160; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 27628
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 27689
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_SERVER_JS_OBFUSCATION_EXCD"; sid: 9; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 28147
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE"; sid:457; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 28185
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_BOTH_TRUEIP_XFF_HDRS"; sid: 30; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 28257
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_UTF_8"; sid: 6; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2008-2938; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; )" from file /var/lib/suricata/rules/suricata.rules at line 28392
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "STREAM5_SMALL_SEGMENT"; sid: 12; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 28610
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_INVALID_DSIZE"; sid: 17; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 28656
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SSH_EVENT_RESPOVERFLOW"; sid: 1; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-0639; reference:cve,2002-0640; classtype:attempted-admin;)" from file /var/lib/suricata/rules/suricata.rules at line 28751
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_SYN_TO_MULTICAST"; sid: 403; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 29006
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP_BROADSCAN_SMURF_SCANNER"; sid:440; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 29413
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "RPC_ZERO_LENGTH_FRAGMENT"; sid: 5; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 29427
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV4_DGRAM_LT_IPHDR"; sid:3; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 29566
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_ICMP_PORTSWEEP_FILTERED"; sid: 26; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 29649
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_MPLS"; sid:170; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 29651
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_TRAFFIC_LOOPBACK"; sid:150; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 29704
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Can't use file_data with flow:to_server or flow:from_client with http.
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:established, to_server; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 29745
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 29765
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_TCP_SYN_RST"; sid:421; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 29812
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; )" from file /var/lib/suricata/rules/suricata.rules at line 29873
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_SERVER_JS_EXCESS_WS"; sid: 10; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 29875
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_EMPTY_TO"; sid: 10; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 29954
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "HI_CLIENT_LONG_HOSTNAME"; sid:25; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 29983
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_PORTSWEEP_FILTERED"; sid: 7; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 30061
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CO_FLEN_LT_HDR"; sid: 30; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 30370
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__SMB_DSENT_GT_TDCNT"; sid: 15; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 30503
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'byte_math'.
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45822; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 30526
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DCE2_EVENT__CO_BAD_PDU_TYPE"; sid: 29; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; )" from file /var/lib/suricata/rules/suricata.rules at line 30847
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 1; metadata: rule-type preproc, service telnet, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0554; )" from file /var/lib/suricata/rules/suricata.rules at line 30854
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_BAD_TR_MR_LEN"; sid:142; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 30914
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 31016
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_IPV6_DST_ZERO"; sid:276; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 31050
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SSL_INVALID_CLIENT_HELLO"; sid: 1; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-011; reference:cve,2004-0120; reference:bugtraq,10115; )" from file /var/lib/suricata/rules/suricata.rules at line 31118
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_ICMP4_DST_MULTICAST"; sid:415; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; )" from file /var/lib/suricata/rules/suricata.rules at line 31183
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg:"DECODE_UDP_DGRAM_LONG_PACKET"; sid:98; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 31329
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "DNP3_DROPPED_FRAME"; sid:2; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 31425
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "RPC_FRAG_TRAFFIC"; sid: 1; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc ; classtype:protocol-command-decode; )" from file /var/lib/suricata/rules/suricata.rules at line 31607
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "TAG_LOG_PKT"; sid: 1; gid: 2; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; )" from file /var/lib/suricata/rules/suricata.rules at line 31626
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SMTP_B64_DECODING_FAILED"; sid: 10; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 31932
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "POP_QP_DECODING_FAILED"; sid: 5; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 31951
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "SIP_EVENT_BAD_CSEQ_NUM"; sid: 6; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )" from file /var/lib/suricata/rules/suricata.rules at line 32125
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ( msg: "PSNG_TCP_DISTRIBUTED_PORTSCAN"; sid: 4; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )" from file /var/lib/suricata/rules/suricata.rules at line 32197
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
26/7/2018 -- 20:58:52 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"