StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Snort rules do not work #196

Closed ghost closed 4 years ago

ghost commented 4 years ago

Scirius: latest of git master branch

OS: ubuntu 18.04

Problem: I try to use rules from snort, but only categories are displayed.

What am I doing:

  1. Downloading the rules snortrules-snapshot-29150.tar.gz
  2. I import the downloaded archive into scirius. During import, I see errors, ignore them, and the archive is successfully imported.
  3. Trying to see the list of rules by going to view -> ddos

1)snort1

2)snort2

Result: snort3

ghost commented 4 years ago

I’ll just add that there is such a product as OpnSense and there is Suricata with rules from Snort that work correctly.

pevma commented 4 years ago

Suricata has some coverage for VRT/Snort rules, but it is not complete, nor does it intend to be, as those rules are neither written nor tested for Suricata and its specific engine features. Scirius aims to cover rulesets for Suricata only.

regit commented 4 years ago

Can we see the errors at import?

ghost commented 4 years ago

  1. I first got the error: UNIQUE constraint failed: rules_rule.sid
  2. Then I deleted: browser-ie.rules browser-plugins.rules

And made an import

Source test failure:

    SC_ERR_INVALID_SIGNATURE: "http_raw_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office directory traversal attempt"; flow:to_server,established; file_data; content:"..|5C|"; http_raw_uri; content:"InfoPath.3|3B| ms-office|3B| MSOffice 15"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http; reference:cve,2019-0801; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0801; classtype:attempted-user; sid:49733; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection"; flow:to_client,established; file_data; content:"Web Center|3A|"; nocase; http_header; content:"Nom de l ordinateur|3A|"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,www.megasecurity.org/trojans/w/webcenter/Webcenter1.0.html; classtype:trojan-activity; sid:12239; rev:8;)"
    SC_ERR_INVALID_SIGNATURE: "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils - too many outputs"; flow:to_server,established; modbus_func:write_multiple_coils; byte_test:2,>,1968,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15076; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read multiple coils - too many inputs"; flow:to_server,established; modbus_func:read_coils; byte_test:2,>,2000,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15077; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers from external source"; flow:to_server,established; modbus_func:write_multiple_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17782; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single register from external source"; flow:to_server,established; modbus_func:write_single_register; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17783; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil from external source"; flow:to_server,established; modbus_func:write_single_coil; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17784; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils from external source"; flow:to_server,established; modbus_func:write_multiple_coils; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17785; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record from external source"; flow:to_server,established; modbus_func:write_file_record; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17786; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read discrete inputs from external source"; flow:to_server,established; modbus_func:read_discrete_inputs; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17787; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read coils from external source"; flow:to_server,established; modbus_func:read_coils; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17788; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register from external source"; flow:to_server,established; modbus_func:read_input_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17789; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers from external source"; flow:to_server,established; modbus_func:read_holding_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17790; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read/write multiple registers from external source"; flow:to_server,established; modbus_func:read_write_multiple_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17791; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read fifo queue from external source"; flow:to_server,established; modbus_func:read_fifo_queue; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17792; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read file record from external source"; flow:to_server,established; modbus_func:read_file_record; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17793; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read exception status from external source"; flow:to_server,established; modbus_func:read_exception_status; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17794; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus initiate diagnostic from external source"; flow:to_server,established; modbus_func:diagnostics; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17795; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event counter from external source"; flow:to_server,established; modbus_func:get_comm_event_counter; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17796; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event log from external source"; flow:to_server,established; modbus_func:get_comm_event_log; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17797; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus report slave id from external source"; flow:to_server,established; modbus_func:report_slave_id; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17798; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read device identification from external source"; flow:to_server,established; modbus_func:report_slave_id; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17799; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus mask write register from external source"; flow:to_server,established; modbus_func:mask_write_register; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17800; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers - too many inputs"; flow:to_server,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29194; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register - too many inputs"; flow:to_server,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29195; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input status - too many inputs"; flow:to_server,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,2000,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29196; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29197; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,14; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29198; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers - too many registers"; flow:to_server,established; modbus_func:write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,100,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29199; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil - invalid state"; flow:to_server,established; modbus_func:write_single_coil; content:"|00 00|"; depth:2; offset:2; content:"|00|"; depth:1; offset:11; content:!"|FF|"; depth:1; offset:10; content:!"|00|"; depth:1; offset:10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29200; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_coils; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29201; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29202; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read fifo response invalid byte count"; flow:to_client,established; modbus_func:read_fifo_queue; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,31,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29203; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read holding register response - invalid byte count"; flow:to_client,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29204; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read input registers response invalid byte count"; flow:to_client,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,125,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29205; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read write register response - invalid byte count"; flow:to_client,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,200,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29206; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; metadata:policy max-detect-ips drop; reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30816; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30817; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30818; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30819; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30820; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30821; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30822; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30823; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt"; flow:to_server, established; modbus_func:90; modbus_data; content:"|00 03 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2017-7575; reference:url,download.schneider-electric.com/files?&p_File_Name=SEVD-2017-097-01-SoMachine+Basic.pdf; classtype:attempted-admin; sid:42861; rev:3;)"
    SC_ERR_PCRE_MATCH: pcre_exec parse error, ret -1, string dea00001-6c97-11d1-8271-00a02442df7d, any_frag
    SC_ERR_INVALID_SIGNATURE: Error parsing dec_iface option in signature
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:policy max-detect-ips drop, service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48576; rev:2;)"
    SC_ERR_PCRE_MATCH: pcre_exec parse error, ret -1, string dea00001-6c97-11d1-8271-00a02442df7d, any_frag
    SC_ERR_INVALID_SIGNATURE: Error parsing dec_iface option in signature
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; flow:to_server,established; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:policy max-detect-ips drop, service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48577; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror EK landing page attempt"; flow:to_client,established; file_data; content:"Set-Cookie"; content:"streams"; within:50; content:"campaigns"; within:50; content:"time"; within:50; content:"30"; within:2; http_stat_code; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45919; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; content:"/axis2-admin/login"; fast_pattern:only; http_uri; content:"userName=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45625; reference:cve,2010-0219; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:18985; rev:12;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected"; flow:to_server,established; content:"CorePluginsAdmin"; fast_pattern:only; content:"uploadPlugin"; nocase; content:"pluginZip"; nocase; http_client_body; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:".php"; within:filename_len; distance:2; nocase; metadata:policy max-detect-ips drop, service http; reference:url,firefart.at/post/turning_piwik_superuser_creds_into_rce; classtype:policy-violation; sid:41647; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; http_uri; content:"page=config.html"; http_uri; content:"file=/home/config/pages/2.conf"; distance:0; http_uri; content:"section=PAGE2"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4732; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42092; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4730; reference:cve,2010-4731; reference:cve,2010-4732; classtype:web-application-attack; sid:42093; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Sandvine PacketLogic http redirection attempt"; flow:to_client,established; content:"Temporary Redirect"; fast_pattern:only; id:13330; fragbits:!MDR; flags:FA; content:"307"; depth:3; http_stat_code; content:"Temporary Redirect"; nocase; http_stat_msg; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:misc-activity; sid:45983; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device reboot attempt"; flow:to_server,established; file_data; content:"/userRpm/SysRebootRpm.htm"; http_uri; content:"Reboot="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:policy max-detect-ips drop, service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46447; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device enable remote management attempt"; flow:to_server,established; file_data; content:"/userRpm/ManageControlRpm.htm"; http_uri; content:"ip="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:policy max-detect-ips drop, service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46448; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert ip any any -> any any (msg:"POLICY-OTHER IP option loose source routing attempt"; ipopts:lsrre; reference:cve,2019-12256; classtype:protocol-command-decode; sid:51036; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Content-Length request offset smuggling attempt"; flow:to_server,established,no_stream; content:"Content-Length|3A|"; http_raw_header; byte_jump:10,0,string,relative,post_offset 4; pcre:"/^(GET|POST|TRACE|DESCRIBE|DELETE)/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14106; reference:cve,2005-2088; classtype:misc-attack; sid:16218; rev:10;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; content:"/OvCgi/webappmon.exe"; fast_pattern:only; http_uri; content:"sel="; http_client_body; pcre:"/^[^\x26]*?\x25/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:11;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell iManager ClassName handling overflow attempt"; flow:to_server,established; content:"/nps/servlet/webacc"; nocase; http_uri; content:"ClassName="; fast_pattern; nocase; http_client_body; pcre:"/^[^\x26]{512}/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40480; reference:cve,2010-1929; classtype:attempted-admin; sid:18796; rev:9;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt"; flow:to_server,established; content:"Using=_layouts/query"; nocase; http_uri; pcre:"/^(\.iqy|\.bqy).*(View|RowFolder)=[^&\x3b]*<\s*script/Ri"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1893; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:web-application-attack; sid:20116; rev:11;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:9;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Devellion CubeCart multiple parameter XSS vulnerability"; flow:to_server,established; content:"gateway/WorldPay/return.php?"; http_uri; pcre:"/(amount|cartId|email|transId|transStatus)=[^&]*[\x22\x27\x3c\x3e]/R"; metadata:policy max-detect-ips drop, service http; reference:url,www.acunetix.com/blog/web-security-zone/articles/sql-injection-xss-cubecart-4-3-3/; classtype:web-application-attack; sid:21270; rev:6;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Airlive IP Camera directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/admin"; fast_pattern:only; content:"/cgi-bin/admin"; http_raw_uri; content:"filePath"; distance:0; nocase; http_raw_uri; content:"../"; distance:0; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60549; reference:cve,2013-3541; classtype:web-application-attack; sid:29595; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session cookie denial of service"; flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2012; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079; classtype:attempted-user; sid:30209; rev:5;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:31838; rev:5;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rejetto HttpFileServer command injection attempt"; flow:to_server,established; content:"%00"; fast_pattern:only; content:"%00"; http_raw_uri; content:"|7B|."; http_uri; content:".|7D|"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69782; reference:cve,2014-6287; classtype:web-application-attack; sid:31956; rev:6;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:32044; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Photo Gallery PHP code execution attempt"; flow:to_server,established; content:"bwg_UploadHandler"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:".php"; within:filename_len; distance:2; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2014-9312; classtype:attempted-admin; sid:33514; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: rule 34475 mixes keywords with conflicting directions
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Wordpress username enumeration attempt"; flow:to_client,established,only_stream; content:"?author="; fast_pattern:only; http_uri; detection_filter:track by_src,count 100, seconds 2; metadata:policy max-detect-ips drop, service http; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-username-enumeration-using-http-fuzzer/; classtype:attempted-recon; sid:34475; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'http_raw_cookie'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt"; flow:to_server,established; file_data; dsize:>10; content:"STARTTLS|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-3556; reference:url,mailman.nginx.org/pipermail/nginx-announce/2014/000144.html; classtype:attempted-user; sid:36197; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Limesurvey unauthenticated file download attempt"; flow:to_server,established; content:"/limesurvey/index.php/admin/update/sa/backup"; fast_pattern:only; http_uri; file_data; content:"&datasupdateinfo="; nocase; base64_decode:bytes 100, offset 0, relative; base64_data; content:"../"; within:100; metadata:policy max-detect-ips drop, service http; reference:url,limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015; classtype:web-application-attack; sid:37348; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phar extension remote code execution attempt"; flow:to_server,established; file_data; content:"filename="; http_client_body; content:"|00|"; within:60; http_client_body; content:".phar"; within:60; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-4072; reference:url,bugs.php.net/bug.php?id=71860; reference:url,php.net/ChangeLog-7.php; classtype:attempted-user; sid:39662; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"Content-Disposition:"; nocase; http_client_body; content:"|22|client_action|22|"; within:50; http_client_body; content:"Content-Disposition:"; distance:0; nocase; http_client_body; content:"|22|update_file|22|"; within:50; nocase; http_client_body; file_data; content:"PK"; depth:2; metadata:policy max-detect-ips drop, service http; reference:cve,2014-9735; classtype:web-application-attack; sid:40497; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: "http_cookie" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A Series cross-site request forgery attempt"; flow:to_server,established; file_data; content:"Password508"; fast_pattern:only; content:"Password508"; http_cookie; pcre:"/^Host:\s*(?P<hostname>[^\s\x2F\x5C]+).*?Referer:\s*https?\x3A\x2F{2}(?!(?P=hostname))/smiH"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-8718; reference:url,www.talosintelligence.com/reports/TALOS-2016-0232/; classtype:attempted-user; sid:41352; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt"; flow:to_server,established; content:".php"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; content:"|00 00|"; within:2; distance:16; byte_test:4,>=,0x00FFFFFF,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3078; reference:url,bugs.php.net/bug.php?id=71923; classtype:attempted-admin; sid:41383; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"Content-Disposition:"; nocase; http_client_body; content:"|22|client_action|22|"; within:50; http_client_body; content:"Content-Disposition:"; distance:0; nocase; http_client_body; content:"|22|update_file|22|"; within:50; nocase; http_client_body; file_data; content:"<?php"; depth:5; metadata:policy max-detect-ips drop, service http; reference:cve,2014-9735; classtype:web-application-attack; sid:41914; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Aultware pwStore denial of service attempt"; flow:to_server, established; file_data; content:"|5C|x0d|5C|x0a"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2013-5657; classtype:web-application-attack; sid:42072; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; http_uri; content:"file="; distance:0; http_uri; content:"/home/config/users.cfg"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4731; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42094; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; fast_pattern:only; http_uri; content:"page="; nocase; pcre:"/page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4730; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42095; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk arbitrary file upload attempt"; flow:established,to_server; content:"/readydesk/chat/sendfile.aspx"; fast_pattern:only; http_uri; content:"FRM=SUB"; http_uri; content:"SESID="; http_uri; file_data; content:"MZ"; depth:2; metadata:policy max-detect-ips drop, service http; reference:cve,2016-5050; classtype:web-application-attack; sid:42993; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk arbitrary file upload attempt"; flow:established,to_server; content:"/readydesk/chat/sendfile.aspx"; fast_pattern:only; http_uri; content:"FRM=SUB"; http_uri; content:"SESID="; http_uri; content:"Content-Disposition:"; http_client_body; content:"filename="; within:100; http_client_body; content:"aspx|22 0D 0A|"; within:100; http_client_body; file_data; content:"|3C|script"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-5050; classtype:web-application-attack; sid:42994; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP Squid ESI processing buffer overflow attempt"; flow:to_client,established; file_data; content:"Surrogate-Control:"; fast_pattern; http_header; content:"ESI/1.0"; within:100; nocase; http_header; content:"Content-Type:"; nocase; http_header; content:"text/"; within:50; nocase; http_header; content:"<"; isdataat:2000,relative; content:!">"; within:2000; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4054; reference:url,www.squid-cache.org/Advisories/SQUID-2016_6.txt; classtype:attempted-user; sid:43268; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ScadaBR remote credential export attempt"; flow:to_server,established; file_data; content:"ScadaBR/dwr/call/plaincall/EmportDwr.createExportData.dwr"; fast_pattern:only; http_uri; content:"JSESSIONID"; http_raw_header; content:"ScadaBR/emport.shtm"; http_client_body; content:"c0-scriptName=EmportDwr"; http_client_body; content:"c0-methodName=createExportData"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:url,scadabr.com.br/?q=node/1375; classtype:web-application-attack; sid:43757; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX recording interface file upload code execution attempt"; flow:to_server,established; content:"config.php"; fast_pattern:only; content:"Content-Disposition"; nocase; http_client_body; content:"name="; distance:0; http_client_body; content:"../"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43454; reference:cve,2010-3490; classtype:web-application-attack; sid:45226; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'http_raw_cookie'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'http_raw_cookie'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd="; metadata:policy max-detect-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46826; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phar extension remote code execution attempt"; flow:to_server,established; file_data; content:"|00 01 00 00 00 FF FF 00 00 01 00 00 00 00 00 00 00 00 00 FE FF FF FF 65 78 61 6D 70 6C 65 2E 70 68 70 1E 00 00 00 23 57|"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-4072; reference:url,bugs.php.net/bug.php?id=71860; reference:url,php.net/ChangeLog-7.php; classtype:attempted-user; sid:47207; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope information disclosure by orderBy"; flow:to_server,established; content:"/syncope/rest/users"; fast_pattern:only; http_uri; content:"orderBy="; nocase; http_uri; pcre:"/[^&]*?(serialVersionUID|password|security(Question|Answer)|token(ExpireTime)?)/Ri"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1322; reference:url,syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting; classtype:attempted-recon; sid:48233; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope information disclosure by fiql"; flow:to_server,established; content:"/syncope/rest/users"; fast_pattern:only; http_uri; content:"fiql="; nocase; http_uri; pcre:"/[^&]*?(serialVersionUID|password|type|udynMembershipCond|securityAnswer|token(ExpireTime)?)=/Ri"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1322; reference:url,syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting; classtype:attempted-recon; sid:48234; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt"; flow:to_server,established; file_data; content:"/sitefinity/"; fast_pattern:only; http_uri; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"<script"; distance:0; nocase; metadata:service http; reference:cve,2018-17055; reference:url,knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018; classtype:attempted-user; sid:50658; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt"; flow:to_client,established; file_data; content:"Content-"; nocase; http_header; content:"rfc822"; within:50; nocase; http_header; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41714; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:16; dsize:29; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|10 00|"; within:2; distance:14; byte_extract:1,0,memoryAddr,relative,multiplier 257; byte_test:2,=,memoryAddr,0,relative; byte_test:2,=,memoryAddr,1,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:36877; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11969; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:11970; rev:13;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:11981; rev:10;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12000; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12002; rev:11;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12003; rev:11;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12004; rev:11;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12006; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12007; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12073; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12074; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12170; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12171; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12172; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12173; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12174; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12175; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12176; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12177; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12178; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12179; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12180; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12181; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Via header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13589; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13590; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server; sip_method:invite; content:"@255.255.255."; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19409; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server,established; sip_method:invite; content:"@255.255.255."; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19410; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20296; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20297; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20298; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20299; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20303; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server,established; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20304; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers "; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20309; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20310; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20330; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20331; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20346; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20347; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20362; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20363; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-1289; classtype:misc-attack; sid:20391; rev:10;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server,established; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-1289; classtype:misc-attack; sid:20392; rev:10;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server,established,only_stream; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20393; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server,established,only_stream; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20394; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE flood attempt"; flow:to_server; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-5180; reference:cve,2017-6648; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-tele; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20396; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE flood"; flow:to_server,established,only_stream; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-5180; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20397; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20398; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20399; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20400; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20401; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20402; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20403; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20404; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20405; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20406; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20407; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20408; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20409; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20410; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20411; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20412; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20413; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20414; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20415; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20416; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20417; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20418; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20419; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20420; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server,established,only_stream; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20421; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Via field request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20422; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20423; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server,established; sip_method:invite; content:"Remote-Party-Id|3A|scsip|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:20425; rev:11;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:20426; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OpenSBC VIA header denial of service attempt"; flow:to_server; content:"Via|3A 3A|"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,ims-bisf.nexginrc.org/OpenSBC-vul.html; classtype:denial-of-service; sid:20427; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"|0D 0A 0D 0A|"; content:!"Contact"; nocase; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21101; rev:7;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact"; nocase; pcre:"/Contact\x3A\s*\x3C\s*\x3E/miH"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21102; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact:"; nocase; pcre:"/Contact\x3A\x0D\x0A/miH"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21103; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk invite malformed SDP denial of service attempt"; flow:to_server; sip_method:invite; sip_header; content:"INVITE"; depth:6; nocase; content:"INVITE"; distance:0; nocase; sip_body; content:"c=IN IP"; nocase; content:"c=IN IP"; distance:0; nocase; byte_test:10,>,255,1,relative,string,dec; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23031; reference:cve,2007-1561; classtype:attempted-dos; sid:23966; rev:6;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{1,16},[^\r\n\x3b\s]{17}/iR"; metadata:policy max-detect-ips drop, service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26425; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{17}/iR"; metadata:policy max-detect-ips drop, service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26426; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established,only_stream; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established,only_stream; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established,only_stream; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_body'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP attempted DOS detected"; flow:to_server; sip_body; content:"m="; content:"c="; distance:0; metadata:policy max-detect-ips drop, service sip; reference:cve,2013-5641; reference:cve,2013-5642; reference:url,downloads.asterisk.org/pub/security/AST-2013-005.html; classtype:denial-of-service; sid:28165; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Sipvicious User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-scanner"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,advantia.ca/weblog/less-than-friendly-scanner--sipvicious; classtype:attempted-recon; sid:28993; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt"; flow:to_server; sip_method:bye; sip_header; content:"Also|3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-0095; reference:url,downloads.asterisk.org/pub/security/AST-2008-001.html; classtype:denial-of-service; sid:33445; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"8c2NyaXB0P"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36733; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"PHNjcmlwdD"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36734; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"xzY3JpcHQ+"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36735; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45577; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45578; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server; content:"branch=z9hg4bk-"; fast_pattern:only; sip_method:subscribe; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45579; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server,established,only_stream; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45580; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server,established,only_stream; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45581; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server,established,only_stream; sip_method:subscribe; content:"branch=z9hg4bk-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45582; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45583; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server,established; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45584; rev:3;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48309; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48310; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48311; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48312; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48313; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48314; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48315; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48316; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48317; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48318; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48319; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48320; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48321; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48322; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48323; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48324; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48325; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48326; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48327; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48328; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48329; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48330; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48331; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48332; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48333; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48334; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48335; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48336; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48337; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48338; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48339; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48340; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48341; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48342; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48343; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48344; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48345; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48346; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48347; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48348; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48349; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48350; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48351; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48352; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt"; flow:to_server; sip_method:subscribe; content:"SUBSCRIBE"; fast_pattern:only; sip_header; content:"Accept:"; nocase; pcre:"/(^Accept:\s\w*[\n\r]*){33}$/Hmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,103151; reference:cve,2018-7284; reference:url,downloads.asterisk.org/pub/security/AST-2018-004.html; classtype:denial-of-service; sid:51086; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt"; flow:to_server,established; sip_method:subscribe; content:"SUBSCRIBE"; fast_pattern:only; sip_header; content:"Accept:"; nocase; pcre:"/(^Accept:\s\w*[\n\r]*){33}$/Hmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,103151; reference:cve,2018-7284; reference:url,downloads.asterisk.org/pub/security/AST-2018-004.html; classtype:denial-of-service; sid:51087; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Certification service XSS attempt"; flow:to_server,established; content:"certfnsh|2E|asp"; nocase; http_uri; content:"TargetStoreFlagsObserve"; nocase; http_client_body; pcre:"/^=[^\s\x26]*[\x3C\x3E\x22\x27\x28\x29]/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-051; classtype:attempted-user; sid:19186; rev:10;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ForeFront UAG ExcelTable.asp XSS attempt"; flow:to_server,established; content:"ExcelTable.asp"; fast_pattern:only; http_uri; content:"tableData="; nocase; http_client_body; pcre:"/^[^\&\r\n]*[<\(][^\&\r\n]+[\)>]/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1896; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-user; sid:20257; rev:8;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt"; flow:to_server,established; content:"|FF|SMB|26 00 00 00 00|"; depth:9; offset:4; content:"|08 00|"; within:2; distance:34; byte_math:bytes 2,offset 0,oper +,rvalue 8, result dataOffset,relative,endian little; byte_test:4,>=,0xffff0800,dataOffset,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; sid:50628; rev:1;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,5,4,relative,bitmask 0x0A
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET [3388,3389] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; byte_test:1,=,5,4,relative,bitmask 0x0A; content:"|00 04|"; within:2; distance:10; byte_test:4,=,0x800,6,relative,little,bitmask 0x19B1F; byte_extract:4,10,alloc_sz,relative,little; byte_test:4,>,alloc_sz,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2019-0787; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0787; classtype:attempted-user; sid:51481; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'cvs'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Entry line flag remote heap overflow attempt"; flow:to_server,established; content:"Entry"; fast_pattern:only; cvs:invalid-entry; metadata:policy max-detect-ips drop; reference:bugtraq,10384; reference:cve,2004-0396; classtype:attempted-admin; sid:16437; rev:5;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Fortinet FortiOS appliedTags field cross site scripting attempt"; flow:to_client,established; file_data; content:"/firewall/policy"; fast_pattern:only; http_uri; pcre:"/<span\s+class=[\x22\x27\x60]tag_list[\x22\x27\x60]\s+id=[\x22\x27\x60]appliedTags[\x22\x27\x60]>\s*?<span\s+class=[\x22\x27\x60]object_tag\s+object_tag_remove[\x22\x27\x60]\s+mkey=[^>]+>\s*?<[^>]+?[\x22\x27\x60]\s*?</smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51708; classtype:attempted-user; sid:24290; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco IOS authentication proxy authentication request attempt"; flow:to_server,established; content:"uname="; nocase; content:"pwd="; nocase; content:"Submit=Log+in"; fast_pattern:only; content:"Referer: "; http_header; content:"/php/auth/login.php"; distance:0; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2009-2863; classtype:attempted-user; sid:43514; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt"; flow:to_server,established; content:"|00 00 02 6C|"; depth:4; byte_math:bytes 4,offset 0,oper +,rvalue 79,result copy_size,relative; isdataat:!copy_size; metadata:policy max-detect-ips drop; reference:cve,2017-6553; reference:url,0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/; classtype:denial-of-service; sid:45394; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt"; flow:to_client,established; content:"MSG"; content:"|0A|P2P-Dest|3A|"; within:200; nocase; content:"|0D 0A 0D 0A|"; within:100; content:!"|00 00 00 00|"; within:4; distance:8; content:!"|00 00 00 00|"; within:4; distance:24; byte_extract:4,24,message_len,relative,little; byte_math:bytes 4, offset -20, oper +, rvalue message_len, result cumulative_size, relative, endian little; byte_test:4,>,cumulative_size,-20,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29956; reference:cve,2008-2927; reference:url,pidgin.im/news/security/?id=25; classtype:attempted-user; sid:46784; rev:1;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,0,-6,relative,bitmask 0x01
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET [25,443,587] -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|16 03|"; content:"|0C|"; within:1; distance:3; content:"|00 80|"; within:2; distance:3; content:"|00 01|"; within:2; distance:128; content:"|00 80|"; within:2; distance:1; byte_test:1,=,0,-6,relative,bitmask 0x01; metadata:policy max-detect-ips drop, service ssl; reference:cve,2017-3730; classtype:denial-of-service; sid:47820; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,0,-6,relative,bitmask 0x01
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,587] (msg:"SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03|"; content:"|0C|"; within:1; distance:3; content:"|00 80|"; within:2; distance:3; content:"|00 01|"; within:2; distance:128; content:"|00 80|"; within:2; distance:1; byte_test:1,=,0,-6,relative,bitmask 0x01; metadata:policy max-detect-ips drop, service ssl; reference:cve,2017-3730; classtype:denial-of-service; sid:47821; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt"; flow:to_server,established; file_data; content:"q=1&l=0&lid=2&t=22&id=1&e=4&ew=1&eh=1&uls=0&df=&ds=0&tf=&ts=0&ds=0&gs=0"; fast_pattern; http_uri; urilen:>300; content:"&=yes"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,reliance-scada.com/en/main; classtype:attempted-user; sid:48127; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 8500 (msg:"SERVER-OTHER Hashicorp Consul services API remote code execution attempt"; flow:to_server,established; content:"/v1/agent/service/register"; fast_pattern:only; http_uri; content:"PUT"; http_method; file_data; content:"check"; content:"script"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.rapid7.com/db/modules/exploit/multi/misc/consul_service_exec; classtype:attempted-admin; sid:49670; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,3,0,bitmask 0x06
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTPsec 1.1.2 ntp_control out-of-bounds read attempt"; flow:to_server; content:"|00 00 00|"; depth:4; offset:6; byte_test:1,=,3,0,bitmask 0x06; dsize:>512; metadata:policy max-detect-ips drop, service ntp; reference:cve,2019-6444; classtype:attempted-user; sid:51181; rev:1;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,3,bitmask 0x02
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt"; flow:to_client; byte_test:1,=,1,3,bitmask 0x02; content:"|00 01 00|"; depth:3; offset:4; byte_test:1,>=,2,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 1C 00 01|"; distance:0; content:"|00 05 00 01|"; distance:0; content:"|00 05 00 01|"; distance:0; metadata:policy max-detect-ips drop, service dns; reference:cve,2011-4096; reference:url,bugs.squid-cache.org/show_bug.cgi?id=3237#c12; classtype:denial-of-service; sid:51485; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: rule 35261 setup buffer file_data but didn't add matches to it
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|03 90 36 3A 1A C8 F8 E5 45 D9 03 11 1F 7B 45 CB 3B E4 CD BF EA 11 1F AF 2C C9|"; file_data; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35261; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: rule 35262 setup buffer file_data but didn't add matches to it
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|54 32 9B 93 23 47 9F 9C CA 0D BB A8 F8 9D A3 D8 7F 7A E8 57 BF DC B0 96 58 6E|"; file_data; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35262; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: rule 37627 setup buffer file_data but didn't add matches to it
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_client,established; content:"|F5 75 6F D0 7E 61 35 1B 1A 8B 16 4D DF 05 32 FE A4 4C 46 49 B7 7B 6B 75 F9 2B 5C 37 29 0B 91 37|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:37627; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: rule 37628 setup buffer file_data but didn't add matches to it
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_server,established; content:"|F5 75 6F D0 7E 61 35 1B 1A 8B 16 4D DF 05 32 FE A4 4C 46 49 B7 7B 6B 75 F9 2B 5C 37 29 0B 91 37|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:37628; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39308; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39309; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|localhost"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|localhost"; distance:0; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39540; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|127.0.0.1"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|127.0.0.1"; distance:0; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39543; rev:3;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46260; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46261; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,16,relative,bitmask 0x40
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,6,10,relative; byte_test:1,=,1,16,relative,bitmask 0x40; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46613; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x08
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x08; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46614; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x01
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x01; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46615; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x10
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x10; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46616; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x20
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x20; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46617; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x40
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x40; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46618; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,11,relative,bitmask 0x80
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,1,10,relative; byte_test:1,=,1,11,relative,bitmask 0x80; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46619; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-LINUX Debian apt remote code execution attempt"; flow:to_client,established; content:"201%20URI%20Done"; fast_pattern:only; content:"Location:"; http_header; content:!"http"; within:20; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,106690; reference:cve,2019-3462; reference:url,justi.cz/security/2019/01/22/apt-rce.html; classtype:attempted-user; sid:50190; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 2,=,1,1,relative,little,bitmask 0x8000
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|23 63 E2 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37054; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|23 63 E2 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37055; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|29 4C E1 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37056; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|29 4C E1 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37057; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"AAAA"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37058; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"AAAA"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37059; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"APIE"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37060; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"APIE"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37061; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt"; flow:to_client,established; file_data; content:"BCFZ|04 10 01 00|"; depth:8; dsize:>500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-6048; classtype:denial-of-service; sid:43946; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt"; flow:to_server,established; file_data; content:"BCFZ|04 10 01 00|"; depth:8; dsize:>500; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-6048; classtype:denial-of-service; sid:43947; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Bluezone Desktop buffer overflow attempt"; flow:to_client,established; dsize:>20; file_data; content:"BZ"; depth:2; content:"K"; within:1; distance:6; pcre:"/BZ(MD215AK|MP215AK|VT100AK|A[PD]200BK)/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/denial/misc/bluezone_desktop_DoS.xml; classtype:attempted-user; sid:44180; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Bluezone Desktop buffer overflow attempt"; flow:to_server,established; dsize:>20; file_data; content:"BZ"; depth:2; content:"K"; within:1; distance:6; pcre:"/BZ(MD215AK|MP215AK|VT100AK|A[PD]200BK)/"; metadata:policy max-detect-ips drop, service smtp; reference:url,support.ixiacom.com/strikes/denial/misc/bluezone_desktop_DoS.xml; classtype:attempted-user; sid:44181; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,!&,1,1,relative,bitmask 0x40
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; content:"|0B 40|"; within:2; byte_test:1,!&,1,1,relative,bitmask 0x40; byte_extract:4,18,y_val,relative,little; byte_test:4,>,y_val,4,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16401; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44919; rev:2;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,!&,1,1,relative,bitmask 0x40
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; content:"|0B 40|"; within:2; byte_test:1,!&,1,1,relative,bitmask 0x40; byte_extract:4,18,y_val,relative,little; byte_test:4,>,y_val,4,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2017-16401; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44920; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45819; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45820; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45821; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45822; rev:1;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_client; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000035; classtype:attempted-user; sid:47586; rev:1;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_server; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-1000035; classtype:attempted-user; sid:47587; rev:1;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47682; rev:1;)"
    SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47683; rev:1;)"
    SC_ERR_FLAGS_MODIFIER: cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft SharePoint deserialization attempt"; flow:to_server,to_server,established; file_data; content:"executeQueryAsync"; nocase; content:"<DynamicType"; fast_pattern:only; content:"<ObjectInstance"; nocase; content:"<MethodName>Deserialize</MethodName>"; within:100; nocase; content:"xsd:string"; within:100; base64_decode:bytes 1000,relative; base64_data; content:"|FF 01 32 BC 06|"; within:5; content:"<ObjectDataProvider"; within:550; content:"cmd.exe"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-1257; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1257; classtype:attempted-admin; sid:51475; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; content:"%25%7B"; fast_pattern:only; content:"%25%7B"; nocase; http_raw_uri; content:"{"; http_uri; content:"}"; within:25; http_uri; pcre:"/%25%7B[^\x2f\x5c]+?%7D/Ii"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60346; reference:cve,2013-2134; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:29592; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts CookieInterceptor classloader access attempt"; flow:to_server,established; content:"ClassLoader"; fast_pattern:only; content:"class"; nocase; http_cookie; content:"ClassLoader"; distance:0; nocase; http_cookie; pcre:"/class([\x2e\x5b]|%2e|%5b)([\x22\x27]|%22|%27)?ClassLoader/Ci"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67081; reference:cve,2014-0113; reference:url,cwiki.apache.org/confluence/display/WW/S2-021; classtype:attempted-admin; sid:30944; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt"; flow:to_server,established; content:"Content-type|3A 20|multipart"; fast_pattern:only; nocase; content:"boundary|3D|"; nocase; http_raw_header; isdataat:71,relative,rawbytes; content:!"|0A|"; within:71; http_raw_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,91453; reference:cve,2016-3092; classtype:denial-of-service; sid:39908; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt"; flow:to_server,established,only_stream; content:"session="; fast_pattern:only; content:"session="; nocase; http_cookie; content:"AAAAAAAAAAA"; within:150; http_cookie; detection_filter:track by_src,count 20, seconds 2; metadata:policy max-detect-ips drop, service http; reference:cve,2016-0736; reference:url,attack.mitre.org/techniques/T1110; reference:url,httpd.apache.org/security/vulnerabilities_24.html; classtype:web-application-attack; sid:42133; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: rule 17328 setup buffer file_data but didn't add matches to it
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:to_server,established; flowbits:isset,qualcom.worldmail.ok; dsize:>668; content:"}|0D 0A|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:9;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home"; flow:to_server,established; content:"/scripts/worker.php"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"hujashka.com"; distance:0; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14081; rev:9;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Karagany.A variant outbound connection"; flow:to_server,established; content:"|2F|xgate|2E|php"; nocase; http_uri; content:"User-Agent|3A 20|Opera|2F|10|2E|60|20|Presto|2F|2|2E|2|2E|30"; fast_pattern:only; http_header; content:"id|3D 5F|"; http_client_body; pcre:"/^\d?\x5f\d+\x5f/R"; metadata:service http; reference:url,www.virustotal.com/#/file/b01a66b05b4cf27f063b33772eb6b30b/detection; classtype:trojan-activity; sid:18279; rev:10;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Clampi variant outbound connection"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\s+\/[A-Z0-9]{16}\s+/Ri"; content:"|0D 0A 0D 0A|o="; depth:256; fast_pattern; pcre:"/^[iacdu](&s=[^&]*)?&b=/Ri"; metadata:service http; reference:url,www.virustotal.com/en/file/858aa58a910e47453f220c511fb8044592a55b4ef081ff86c2193ff65b8c6707/analysis/; classtype:trojan-activity; sid:19332; rev:9;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lancafdo.A variant outbound connection"; flow:to_server,established; content:"_TEST_"; fast_pattern:only; content:"id="; nocase; http_client_body; content:"ln="; distance:0; nocase; http_client_body; content:"cn="; distance:0; nocase; http_client_body; content:"nt="; distance:0; nocase; http_client_body; content:"bid="; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/ae77218a209712f1a8fc90d29cd5e3def2ed86396d7dea573646086a5aa4e7aa/analysis/; classtype:trojan-activity; sid:21474; rev:6;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:to_server,established; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Critroni outbound connection"; flow:to_server,established; dsize:174; urilen:1; content:"/"; http_uri; content:"Host|3A| ip.telize.com|0D 0A|Accept|3A| */*|0D 0A|User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/31.0.1650.63 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3c92d7a9dead6011f3c99829c745c384dd776d88f57bbd60bc4f9d66641819b/analysis/; classtype:trojan-activity; sid:31718; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro outbound connection"; flow:to_server,established; dsize:<200; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/"; http_header; content:"ompatible|3B| MSIE 31|3B| "; within:20; distance:6; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c716890a2a76785d53e8f9a5db2268501a30df807df4c4323967672efe452c/analysis/; classtype:trojan-activity; sid:31813; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tavdig outbound connection"; flow:to_server,established; content:"Cookie|3A| catid="; fast_pattern:only; content:"|3B| task="; http_cookie; content:"|3B| forumid="; within:100; http_cookie; content:"|3B| Itemid="; within:50; http_cookie; content:"|3B| link="; within:50; http_cookie; content:"|3B| layout="; within:50; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/; classtype:trojan-activity; sid:31944; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dalgan variant outbound connection"; flow:to_server, established; content:"MUID="; fast_pattern:only; content:"MCI="; depth:4; http_cookie; content:"MUID="; within:18; distance:16; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/07db7603d2d27a08553d2864cf2bef3c9515635e0f8692514f42c1a0debe8eb4/analysis/; classtype:trojan-activity; sid:32070; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; content:"&data="; within:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea/analysis/; classtype:trojan-activity; sid:32311; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:1; distance:8; http_uri; content:"Host:"; http_header; content:":8080"; within:30; http_header; content:"POST"; http_method; dsize:<480; pcre:"/^\/[a-f0-9]{8}\/[a-f0-9]{8}\/$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94/analysis/; classtype:trojan-activity; sid:32770; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AAEH variant outbound connection"; flow:to_server,established; urilen:<15; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)"; fast_pattern:only; content:"Host: "; nocase; http_header; content:"|3A|"; within:16; http_header; content:!"Referer: "; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0ccade380fd3a9ef7635e5c4e54b82c4ccd434c0bc3bbf76af3a99d744a1c5e7/analysis/; classtype:trojan-activity; sid:34246; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:3;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: depth or urilen 11 smaller than content len 17
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)"
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC source route lsrre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-038; classtype:bad-unknown; sid:501; rev:9;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-FRONTPAGE rad overflow attempt"; flow:to_server,established; dsize:>258; content:"/fp30reg.dll"; nocase; http_uri; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-attack; sid:1246; rev:18;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-FRONTPAGE rad overflow attempt"; flow:to_server,established; dsize:>259; content:"/fp4areg.dll"; nocase; http_uri; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:14;)"
    SC_ERR_INVALID_SIGNATURE: rule 2349 setup buffer dce_stub_data but didn't add matches to it
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; reference:bugtraq,21220; reference:cve,2006-6114; reference:cve,2008-0639; classtype:protocol-command-decode; sid:2349; rev:13;)"
    SC_ERR_INVALID_SIGNATURE: rule 14661 setup buffer dce_stub_data but didn't add matches to it
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:4; dce_stub_data; flowbits:set,dce.spoolss.4.call; flowbits:noalert; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14661; rev:17;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BOTNET-CNC Trojan Win32.Murofet.A outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"|2F|forum|2F|"; fast_pattern; nocase; http_uri; content:!"|0D 0A|Referer|3A|"; nocase; http_header; pcre:"/\x2Fforum\x2F$/Ui"; pcre:"/^Host\x3A\x20[a-z]{10,16}\x2E(net|info|org|com|biz)/Rm"; reference:url,www.virustotal.com/file-scan/report.html?id=a3203f202e04fdaab5c51f8b99d3750e64b4911c7cc62114d69ac2264aa18d02-1286757825; classtype:trojan-activity; sid:19051; rev:6;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED POLICY-OTHER HP Universal CMDB server axis2 default credentials attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/axis2/axis2-admin/login"; fast_pattern:only; http_uri; content:"username=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19157; rev:6;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; http_header; content:"application/ipp"; within:20; fast_pattern; nocase; http_header; content:"|01|"; depth:9; http_client_body; pcre:"/^.{8}\x01[\x35\x36\x41\x42\x44-\x49]/P"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pcre:"/[\x37-\x40\x43]\x00\x00/R"; reference:cve,2010-2941; classtype:attempted-admin; sid:23138; rev:5;)"
    SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; http_header; content:"application/ipp"; within:20; fast_pattern; nocase; http_header; content:"|01|"; depth:9; http_client_body; pcre:"/^.{8}\x01[\x37-\x40\x43]/P"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pcre:"/[\x35\x36\x41\x42\x44-\x49]\x00\x00/R"; reference:cve,2010-2941; classtype:attempted-admin; sid:23139; rev:5;)"
    SC_ERR_INVALID_SIGNATURE: rule 26618 mixes keywords with conflicting directions
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED SERVER-WEBAPP Potential hostile executable served from local compromised or malicious WordPress site"; flow:to_client,established; content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; metadata:ruleset community; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26618; rev:4;)"
    SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Backdoor.Win32.Wolyx.A runtime detection"; flow:to_server,established; dsize:12; content:"|0D 0A 0D 0A|"; offset:8; content:!"/"; http_uri; pcre:"/^[0-9a-f]{8}\r\n\r\n$/i"; reference:url,www.virustotal.com/file/bf8c756d34efc346e4bc100310f2ead2731c9745d49dec242c9f237e53bceb41/analysis; classtype:trojan-activity; sid:26821; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt"; flow:to_server,established; content:"Content-Type|3A|"; http_header; content:"charset=euc-jp"; within:64; nocase; http_header; file_data; isdataat:4094; content:"|8F|"; depth:1; offset:4094; content:"//"; within:100; reference:cve,2013-3192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-059; classtype:attempted-user; sid:29169; rev:5;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"cmap"; depth:500; offset:12; byte_extract:4,4,cmapOffset,relative; byte_jump:4,-4,relative,big,from_beginning; byte_math:bytes 4, offset 8, oper +, rvalue cmapOffset, result formatTable, relative; content:"|00 00|"; depth:2; offset:formatTable; byte_test:2, >, 262, 0, relative; reference:cve,2018-4908; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45838; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"cmap"; depth:500; offset:12; byte_extract:4,4,cmapOffset,relative; byte_jump:4,-4,relative,big,from_beginning; byte_math:bytes 4, offset 8, oper +, rvalue cmapOffset, result formatTable, relative; content:"|00 00|"; depth:2; offset:formatTable; byte_test:2, >, 262, 0, relative; reference:cve,2018-4908; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45839; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Terror landing page redirect attempt"; flow:to_client,established; file_data; content:"meta"; content:"refresh"; within:30; content:"content"; within:30; content:"1|3B|url=http:|2F 2F|"; within:20; content:"30"; within:2; http_stat_code; classtype:attempted-user; sid:45924; rev:2;)"
    SC_ERR_INVALID_SIGNATURE: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; http_client_body; byte_extract:4,6,offset,relative,big; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40244; rev:2;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,0,img_left_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_left_pos,result overflow,relative,endian little; byte_test:2,<,overflow,6,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:49962; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,0,img_left_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_left_pos,result overflow,relative,endian little; byte_test:2,<,overflow,6,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:49963; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,2,img_top_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_top_pos,result overflow,relative,endian little; byte_test:2,<,overflow,8,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:50960; rev:1;)"
    SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,2,img_top_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_top_pos,result overflow,relative,endian little; byte_test:2,<,overflow,8,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:50961; rev:1;)"

Source test warnings:

    Custom address variable "$FILE_DATA_PORTS" is used and need to be defined in probes configuration
    Custom address variable "$FTP_PORTS" is used and need to be defined in probes configuration
    Custom address variable "$SIP_SERVERS" is used and need to be defined in probes configuration
    Custom address variable "$SIP_PORTS" is used and need to be defined in probes configuration

ghost commented 4 years ago

@pevma I understand this very well and could use suricata -> snort -> clean traffic (but this is an overhead because of the same rules)

regit commented 4 years ago

Import is uglier than I thought. Suricata does not recognize a big bunch of signatures.

Regarding the DDOS rules, the explanation may be simple. Here is the complete file:

  # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
  #
  # This file contains (i) proprietary rules that were created, tested and certified by
  # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
  # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
  # Sourcefire and other third parties (the "GPL Rules") that are distributed under the
  # GNU General Public License (GPL), v2.
  # 
  # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
  # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
  # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
  # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
  # list of third party owners and their respective copyrights.
  # 
  # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
  # to the VRT Certified Rules License Agreement (v2.0).
  #
  #------------
  # DDOS RULES
  #------------

On the first screenshot it appears that more than 40k rules have been found. You should be able to find them in other categories.

ghost commented 4 years ago

I understood. So the scheme is suricata -> snort -> clean traffic. Thanks for the help.
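
The import errors quoted in this thread come as a reason line followed by an `error parsing signature "<rule>"` line, and some rules are rejected with no reason line at all. The script below is an added example (not part of the thread or of Scirius) that groups rejected rules by reason and lists their SIDs; the sample log is constructed, with shortened rules and made-up SIDs, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the import errors quoted in the thread
# (rules shortened, SIDs made up). Each rejected rule is logged as an optional
# reason line followed by an 'error parsing signature "<rule>"' line.
SAMPLE_LOG = r'''
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> any any (msg:"constructed A"; file_data; byte_math:bytes 2,offset 2,oper +,rvalue 1,result r; sid:9000001; rev:1;)"
SC_ERR_INVALID_SIGNATURE: rule 9000002 setup buffer dce_stub_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> any [139,445] (msg:"constructed B"; dce_stub_data; sid:9000002; rev:1;)"
SC_ERR_INVALID_SIGNATURE: rule 9000003 setup buffer dce_stub_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> any [139,445] (msg:"constructed C"; dce_stub_data; sid:9000003; rev:1;)"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert ip any any -> any any (msg:"constructed D"; ipopts:lsrre; sid:9000004; rev:1;)"
'''

LINE_RE = re.compile(r'^\s*(SC_ERR_\w+): (.*)$')
PARSE_PREFIX = 'error parsing signature "'
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"')


def triage(log_text):
    """Group rejected rules by normalised reason -> list of (sid, msg)."""
    groups = defaultdict(list)
    pending = None  # reason line waiting for its signature line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, text = m.groups()
        if text.startswith(PARSE_PREFIX):
            rule = text[len(PARSE_PREFIX):]
            sid = SID_RE.search(rule)
            msg = MSG_RE.search(rule)
            # Some rules are rejected without a preceding reason line.
            reason = pending or '(no reason logged)'
            groups[reason].append((int(sid.group(1)) if sid else None,
                                   msg.group(1) if msg else ''))
            pending = None
        else:
            # Replace numbers so "rule 2349 ..." and "rule 14661 ..." collapse.
            pending = f'{code}: ' + re.sub(r'\d+', 'N', text)
    return dict(groups)


def rejected_sids(groups):
    """Sorted SIDs of every rule the engine refused to load."""
    return sorted(s for rules in groups.values() for s, _ in rules if s is not None)


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for reason, rules in sorted(result.items(), key=lambda kv: -len(kv[1])):
        print(f'{len(rules):3d}  {reason}')
    print('rejected SIDs:', rejected_sids(result))
```

Run against the real import output, the per-reason counts show which incompatibility dominates (for example `fast_pattern:only` with relative keywords, or the unsupported `byte_math`), and the SID list identifies the rules that are not loaded and therefore provide no detection coverage.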