Closed ghost closed 4 years ago
I’ll just add that there is such a product as OpnSense, and there is Suricata with rules from Snort that work correctly.
Suricata has some coverage for VRT/Snort rules but not complete - neither intends to as those rules are neither written nor tested for Suricata and its specific engine features. Scirius aims to cover rulesets for Suricata only.
Can we see the errors at import?
UNIQUE constraint failed: rules_rule.sid
And made an import
Source test failure:
SC_ERR_INVALID_SIGNATURE: "http_raw_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-OFFICE Microsoft Office directory traversal attempt"; flow:to_server,established; file_data; content:"..|5C|"; http_raw_uri; content:"InfoPath.3|3B| ms-office|3B| MSOffice 15"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http; reference:cve,2019-0801; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0801; classtype:attempted-user; sid:49733; rev:1;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection"; flow:to_client,established; file_data; content:"Web Center|3A|"; nocase; http_header; content:"Nom de l ordinateur|3A|"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:url,www.megasecurity.org/trojans/w/webcenter/Webcenter1.0.html; classtype:trojan-activity; sid:12239; rev:8;)"
SC_ERR_INVALID_SIGNATURE: "http_method" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:4;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils - too many outputs"; flow:to_server,established; modbus_func:write_multiple_coils; byte_test:2,>,1968,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15076; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read multiple coils - too many inputs"; flow:to_server,established; modbus_func:read_coils; byte_test:2,>,2000,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:15077; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers from external source"; flow:to_server,established; modbus_func:write_multiple_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17782; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single register from external source"; flow:to_server,established; modbus_func:write_single_register; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17783; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil from external source"; flow:to_server,established; modbus_func:write_single_coil; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17784; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple coils from external source"; flow:to_server,established; modbus_func:write_multiple_coils; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17785; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record from external source"; flow:to_server,established; modbus_func:write_file_record; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17786; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read discrete inputs from external source"; flow:to_server,established; modbus_func:read_discrete_inputs; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17787; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read coils from external source"; flow:to_server,established; modbus_func:read_coils; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17788; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register from external source"; flow:to_server,established; modbus_func:read_input_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17789; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers from external source"; flow:to_server,established; modbus_func:read_holding_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17790; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read/write multiple registers from external source"; flow:to_server,established; modbus_func:read_write_multiple_registers; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17791; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read fifo queue from external source"; flow:to_server,established; modbus_func:read_fifo_queue; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17792; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read file record from external source"; flow:to_server,established; modbus_func:read_file_record; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17793; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read exception status from external source"; flow:to_server,established; modbus_func:read_exception_status; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17794; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus initiate diagnostic from external source"; flow:to_server,established; modbus_func:diagnostics; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17795; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event counter from external source"; flow:to_server,established; modbus_func:get_comm_event_counter; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17796; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus get com event log from external source"; flow:to_server,established; modbus_func:get_comm_event_log; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17797; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus report slave id from external source"; flow:to_server,established; modbus_func:report_slave_id; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17798; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read device identification from external source"; flow:to_server,established; modbus_func:report_slave_id; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17799; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus mask write register from external source"; flow:to_server,established; modbus_func:mask_write_register; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:17800; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read holding registers - too many inputs"; flow:to_server,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29194; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input register - too many inputs"; flow:to_server,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29195; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read input status - too many inputs"; flow:to_server,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,2000,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29196; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29197; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus read write multiple registers - too many writes"; flow:to_server,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,125,14; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29198; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write multiple registers - too many registers"; flow:to_server,established; modbus_func:write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,100,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29199; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write single coil - invalid state"; flow:to_server,established; modbus_func:write_single_coil; content:"|00 00|"; depth:2; offset:2; content:"|00|"; depth:1; offset:11; content:!"|FF|"; depth:1; offset:10; content:!"|00|"; depth:1; offset:10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29200; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_coils; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29201; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read coil status response - too many coils"; flow:to_client,established; modbus_func:read_discrete_inputs; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29202; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read fifo response invalid byte count"; flow:to_client,established; modbus_func:read_fifo_queue; content:"|00 00|"; depth:2; offset:2; byte_test:2,>,31,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29203; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read holding register response - invalid byte count"; flow:to_client,established; modbus_func:read_holding_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,250,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29204; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read input registers response invalid byte count"; flow:to_client,established; modbus_func:read_input_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,125,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29205; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus read write register response - invalid byte count"; flow:to_client,established; modbus_func:read_write_multiple_registers; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,200,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:29206; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Tri PLC Nano 10 PLC denial of service attempt"; flow:to_server,established; content:"|00 06|"; depth:2; offset:4; modbus_func:1; modbus_data; content:"|00 00|"; depth:2; offset:2; metadata:policy max-detect-ips drop; reference:cve,2013-2784; classtype:denial-of-service; sid:29965; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30816; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30817; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30818; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_server,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30819; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - invalid reference type"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; content:!"|06|"; depth:1; offset:9; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30820; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,>,251,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30821; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - large reference value"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:4,>,9999,10; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30822; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA Modbus write file record - small byte count"; flow:to_client,established; modbus_func:write_file_record; content:"|00 00|"; depth:2; offset:2; byte_test:1,<,9,8; metadata:policy max-detect-ips drop; reference:url,www.modbus.org/docs/Modbus_Application_Protocol_V1_1b.pdf; classtype:protocol-command-decode; sid:30823; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'modbus_func'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 502 (msg:"PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt"; flow:to_server, established; modbus_func:90; modbus_data; content:"|00 03 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:cve,2017-7575; reference:url,download.schneider-electric.com/files?&p_File_Name=SEVD-2017-097-01-SoMachine+Basic.pdf; classtype:attempted-admin; sid:42861; rev:3;)"
SC_ERR_PCRE_MATCH: pcre_exec parse error, ret -1, string dea00001-6c97-11d1-8271-00a02442df7d, any_frag
SC_ERR_INVALID_SIGNATURE: Error parsing dec_iface option in signature
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:policy max-detect-ips drop, service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48576; rev:2;)"
SC_ERR_PCRE_MATCH: pcre_exec parse error, ret -1, string dea00001-6c97-11d1-8271-00a02442df7d, any_frag
SC_ERR_INVALID_SIGNATURE: Error parsing dec_iface option in signature
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> any any (msg:"PROTOCOL-SCADA PNIO-CM Connect Operation"; flow:to_server,established; dce_iface:dea00001-6c97-11d1-8271-00a02442df7d, any_frag; dce_opnum:0; metadata:policy max-detect-ips drop, service dcerpc; reference:url,wiki.wireshark.org/PROFINET/IO; classtype:protocol-command-decode; sid:48577; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:3;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:4;)"
SC_ERR_INVALID_SIGNATURE: "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror EK landing page attempt"; flow:to_client,established; file_data; content:"Set-Cookie"; content:"streams"; within:50; content:"campaigns"; within:50; content:"time"; within:50; content:"30"; within:2; http_stat_code; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45919; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 00 00 00 00 00|"; depth:6; offset:4; content:"|00 00 29|"; within:3; distance:2; content:"|FE|"; within:1; distance:8; byte_test:2,>,4,-3,relative; byte_math:bytes 2,offset -3,oper -,rvalue 4,result rdlen_minus_four,relative; byte_test:2,>,rdlen_minus_four,1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-14496; reference:url,security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; classtype:attempted-admin; sid:44482; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:3;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER CA ARCserve Axis2 default credential login attempt"; flow:to_server,established; content:"/axis2-admin/login"; fast_pattern:only; http_uri; content:"userName=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,45625; reference:cve,2010-0219; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:18985; rev:12;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected"; flow:to_server,established; content:"CorePluginsAdmin"; fast_pattern:only; content:"uploadPlugin"; nocase; content:"pluginZip"; nocase; http_client_body; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:".php"; within:filename_len; distance:2; nocase; metadata:policy max-detect-ips drop, service http; reference:url,firefart.at/post/turning_piwik_superuser_creds_into_rce; classtype:policy-violation; sid:41647; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 logo modification attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; http_uri; content:"page=config.html"; http_uri; content:"file=/home/config/pages/2.conf"; distance:0; http_uri; content:"section=PAGE2"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4732; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42092; rev:3;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER NetBiter WebSCADA ws100/ws200 file read attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4730; reference:cve,2010-4731; reference:cve,2010-4732; classtype:web-application-attack; sid:42093; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Sandvine PacketLogic http redirection attempt"; flow:to_client,established; content:"Temporary Redirect"; fast_pattern:only; id:13330; fragbits:!MDR; flags:FA; content:"307"; depth:3; http_stat_code; content:"Temporary Redirect"; nocase; http_stat_msg; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:misc-activity; sid:45983; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device reboot attempt"; flow:to_server,established; file_data; content:"/userRpm/SysRebootRpm.htm"; http_uri; content:"Reboot="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:policy max-detect-ips drop, service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46447; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TP-Link device enable remote management attempt"; flow:to_server,established; file_data; content:"/userRpm/ManageControlRpm.htm"; http_uri; content:"ip="; http_uri; content:"Referer"; http_header; content:"Authorization"; http_header; metadata:policy max-detect-ips drop, service http; reference:url,trendnet.com/home; classtype:misc-activity; sid:46448; rev:2;)"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert ip any any -> any any (msg:"POLICY-OTHER IP option loose source routing attempt"; ipopts:lsrre; reference:cve,2019-12256; classtype:protocol-command-decode; sid:51036; rev:1;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Content-Length request offset smuggling attempt"; flow:to_server,established,no_stream; content:"Content-Length|3A|"; http_raw_header; byte_jump:10,0,string,relative,post_offset 4; pcre:"/^(GET|POST|TRACE|DESCRIBE|DELETE)/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14106; reference:cve,2005-2088; classtype:misc-attack; sid:16218; rev:10;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HP OpenView Network Node Manager ovet_demandpoll.exe format string execution attempt"; flow:to_server,established; content:"/OvCgi/webappmon.exe"; fast_pattern:only; http_uri; content:"sel="; http_client_body; pcre:"/^[^\x26]*?\x25/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40065; reference:cve,2010-1550; classtype:attempted-admin; sid:18795; rev:11;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Novell iManager ClassName handling overflow attempt"; flow:to_server,established; content:"/nps/servlet/webacc"; nocase; http_uri; content:"ClassName="; fast_pattern; nocase; http_client_body; pcre:"/^[^\x26]{512}/R"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,40480; reference:cve,2010-1929; classtype:attempted-admin; sid:18796; rev:9;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt"; flow:to_server,established; content:"Using=_layouts/query"; nocase; http_uri; pcre:"/^(\.iqy|\.bqy).*(View|RowFolder)=[^&\x3b]*<\s*script/Ri"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1893; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-074; classtype:web-application-attack; sid:20116; rev:11;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/applications/upload"; http_uri; pcre:"/^(Frame)?\.jsf/R"; content:!"JSESSIONID="; flowbits:set,glassfish_unauth_attempt; metadata:policy max-detect-ips drop, service http; reference:bugtraq,47438; reference:cve,2011-0807; classtype:attempted-admin; sid:20159; rev:9;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Devellion CubeCart multiple parameter XSS vulnerability"; flow:to_server,established; content:"gateway/WorldPay/return.php?"; http_uri; pcre:"/(amount|cartId|email|transId|transStatus)=[^&]*[\x22\x27\x3c\x3e]/R"; metadata:policy max-detect-ips drop, service http; reference:url,www.acunetix.com/blog/web-security-zone/articles/sql-injection-xss-cubecart-4-3-3/; classtype:web-application-attack; sid:21270; rev:6;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Airlive IP Camera directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/admin"; fast_pattern:only; content:"/cgi-bin/admin"; http_raw_uri; content:"filePath"; distance:0; nocase; http_raw_uri; content:"../"; distance:0; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60549; reference:cve,2013-3541; classtype:web-application-attack; sid:29595; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Microsoft Forefront Unified Access Gateway null session cookie denial of service"; flow:to_server,established; content:"|3D 3B|NLSession"; fast_pattern:only; content:"Cookie|3A 20|"; http_header; content:"NLSession"; http_cookie; content:"|3D 3B|NLSession"; within:50; distance:1; http_cookie; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2012; reference:url,technet.microsoft.com/en-us/security/bulletin/ms11-079; classtype:attempted-user; sid:30209; rev:5;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:31838; rev:5;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Rejetto HttpFileServer command injection attempt"; flow:to_server,established; content:"%00"; fast_pattern:only; content:"%00"; http_raw_uri; content:"|7B|."; http_uri; content:".|7D|"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69782; reference:cve,2014-6287; classtype:web-application-attack; sid:31956; rev:6;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine Eventlog Analyzer directory traversal attempt"; flow:to_server,established; content:"/agentUpload"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, service http; reference:bugtraq,69482; reference:cve,2014-6037; classtype:web-application-attack; sid:32044; rev:4;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP phpMemcachedAdmin path traversal attempt"; flow:to_server,established; content:"live_stats_id"; fast_pattern:only; content:"live_stats_id"; http_cookie; content:"="; within:1; distance:32; http_cookie; content:"../"; distance:0; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-8731; reference:url,securityfocus.com/archive/1/533968; classtype:web-application-attack; sid:32611; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Photo Gallery PHP code execution attempt"; flow:to_server,established; content:"bwg_UploadHandler"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:".php"; within:filename_len; distance:2; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2014-9312; classtype:attempted-admin; sid:33514; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34055; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lexmark Markvision Enterprise LibraryFileUploadServlet directory traversal attempt"; flow:to_server,established; content:"/mve/upload/library"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; depth:4; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,72726; reference:cve,2014-9375; classtype:web-application-attack; sid:34056; rev:3;)"
SC_ERR_INVALID_SIGNATURE: rule 34475 mixes keywords with conflicting directions
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Wordpress username enumeration attempt"; flow:to_client,established,only_stream; content:"?author="; fast_pattern:only; http_uri; detection_filter:track by_src,count 100, seconds 2; metadata:policy max-detect-ips drop, service http; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-username-enumeration-using-http-fuzzer/; classtype:attempted-recon; sid:34475; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'http_raw_cookie'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Watchguard XCS compose.php SQL injection attempt"; flow:to_server,established; content:"/borderpost/imp/compose.php"; fast_pattern:only; http_uri; content:"sid="; nocase; http_raw_cookie; content:"%3B"; distance:0; nocase; http_raw_cookie; pcre:"/sid=[^\x3b]*?%3B/Ki"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.watchguard.com/support/release-notes/xcs/index.aspx; classtype:attempted-admin; sid:35573; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"../"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36101; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt"; flow:to_server,established; content:"/ExportImport.do"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; byte_extract:2,22,filename_len,relative,little; content:"..|5C|"; within:filename_len; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.manageengine.com/products/service-desk/service-packs.html; classtype:web-application-attack; sid:36102; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt"; flow:to_server,established; file_data; dsize:>10; content:"STARTTLS|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2014-3556; reference:url,mailman.nginx.org/pipermail/nginx-announce/2014/000144.html; classtype:attempted-user; sid:36197; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Limesurvey unauthenticated file download attempt"; flow:to_server,established; content:"/limesurvey/index.php/admin/update/sa/backup"; fast_pattern:only; http_uri; file_data; content:"&datasupdateinfo="; nocase; base64_decode:bytes 100, offset 0, relative; base64_data; content:"../"; within:100; metadata:policy max-detect-ips drop, service http; reference:url,limesurvey.org/en/blog/76-limesurvey-news/security-advisories/1836-limesurvey-security-advisory-10-2015; classtype:web-application-attack; sid:37348; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phar extension remote code execution attempt"; flow:to_server,established; file_data; content:"filename="; http_client_body; content:"|00|"; within:60; http_client_body; content:".phar"; within:60; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-4072; reference:url,bugs.php.net/bug.php?id=71860; reference:url,php.net/ChangeLog-7.php; classtype:attempted-user; sid:39662; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"Content-Disposition:"; nocase; http_client_body; content:"|22|client_action|22|"; within:50; http_client_body; content:"Content-Disposition:"; distance:0; nocase; http_client_body; content:"|22|update_file|22|"; within:50; nocase; http_client_body; file_data; content:"PK"; depth:2; metadata:policy max-detect-ips drop, service http; reference:cve,2014-9735; classtype:web-application-attack; sid:40497; rev:3;)"
SC_ERR_INVALID_SIGNATURE: "http_cookie" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Moxa AWK-3131A Series cross-site request forgery attempt"; flow:to_server,established; file_data; content:"Password508"; fast_pattern:only; content:"Password508"; http_cookie; pcre:"/^Host:\s*(?P<hostname>[^\s\x2F\x5C]+).*?Referer:\s*https?\x3A\x2F{2}(?!(?P=hostname))/smiH"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-8718; reference:url,www.talosintelligence.com/reports/TALOS-2016-0232/; classtype:attempted-user; sid:41352; rev:4;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP ZipArchive getFromIndex and getFromName integer overflow attempt"; flow:to_server,established; content:".php"; fast_pattern:only; http_uri; file_data; content:"PK|03 04|"; content:"|00 00|"; within:2; distance:16; byte_test:4,>=,0x00FFFFFF,0,relative,little; metadata:policy max-detect-ips drop, service http; reference:cve,2016-3078; reference:url,bugs.php.net/bug.php?id=71923; classtype:attempted-admin; sid:41383; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress Plugin RevSlider file upload attempt"; flow:to_server,established; content:"/wp-admin/admin-ajax.php"; fast_pattern:only; http_uri; content:"Content-Disposition:"; nocase; http_client_body; content:"|22|client_action|22|"; within:50; http_client_body; content:"Content-Disposition:"; distance:0; nocase; http_client_body; content:"|22|update_file|22|"; within:50; nocase; http_client_body; file_data; content:"<?php"; depth:5; metadata:policy max-detect-ips drop, service http; reference:cve,2014-9735; classtype:web-application-attack; sid:41914; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Aultware pwStore denial of service attempt"; flow:to_server, established; file_data; content:"|5C|x0d|5C|x0a"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2013-5657; classtype:web-application-attack; sid:42072; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 information gathering attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; http_uri; content:"file="; distance:0; http_uri; content:"/home/config/users.cfg"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4731; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42094; rev:3;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetBiter WebSCADA ws100/ws200 directory traversal attempt"; flow:to_server,established; file_data; content:"/cgi-bin/read.cgi"; fast_pattern:only; http_uri; content:"page="; nocase; pcre:"/page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/i"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-4730; reference:url,ics-cert.us-cert.gov/advisories/ICSA-10-316-01A; reference:url,ics-cert.us-cert.gov/alerts/ICS-ALERT-10-293-01; classtype:web-application-attack; sid:42095; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Foscam IP Camera multipart boundary stack buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/CGIProxy.fcgi"; nocase; http_uri; content:"usrBeatHeart"; fast_pattern:only; content:"Boundary="; nocase; http_raw_header; isdataat:256,relative; content:!"|0A|"; within:256; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-2830; reference:url,www.talosintelligence.com/reports/TALOS-2017-0331/; classtype:web-application-attack; sid:42437; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk arbitrary file upload attempt"; flow:established,to_server; content:"/readydesk/chat/sendfile.aspx"; fast_pattern:only; http_uri; content:"FRM=SUB"; http_uri; content:"SESID="; http_uri; file_data; content:"MZ"; depth:2; metadata:policy max-detect-ips drop, service http; reference:cve,2016-5050; classtype:web-application-attack; sid:42993; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ReadyDesk arbitrary file upload attempt"; flow:established,to_server; content:"/readydesk/chat/sendfile.aspx"; fast_pattern:only; http_uri; content:"FRM=SUB"; http_uri; content:"SESID="; http_uri; content:"Content-Disposition:"; http_client_body; content:"filename="; within:100; http_client_body; content:"aspx|22 0D 0A|"; within:100; http_client_body; file_data; content:"|3C|script"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-5050; classtype:web-application-attack; sid:42994; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP Squid ESI processing buffer overflow attempt"; flow:to_client,established; file_data; content:"Surrogate-Control:"; fast_pattern; http_header; content:"ESI/1.0"; within:100; nocase; http_header; content:"Content-Type:"; nocase; http_header; content:"text/"; within:50; nocase; http_header; content:"<"; isdataat:2000,relative; content:!">"; within:2000; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4054; reference:url,www.squid-cache.org/Advisories/SQUID-2016_6.txt; classtype:attempted-user; sid:43268; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP ScadaBR remote credential export attempt"; flow:to_server,established; file_data; content:"ScadaBR/dwr/call/plaincall/EmportDwr.createExportData.dwr"; fast_pattern:only; http_uri; content:"JSESSIONID"; http_raw_header; content:"ScadaBR/emport.shtm"; http_client_body; content:"c0-scriptName=EmportDwr"; http_client_body; content:"c0-methodName=createExportData"; http_client_body; metadata:policy max-detect-ips drop, service http; reference:url,scadabr.com.br/?q=node/1375; classtype:web-application-attack; sid:43757; rev:2;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FreePBX recording interface file upload code execution attempt"; flow:to_server,established; content:"config.php"; fast_pattern:only; content:"Content-Disposition"; nocase; http_client_body; content:"name="; distance:0; http_client_body; content:"../"; distance:0; http_client_body; metadata:policy max-detect-ips drop, service http; reference:bugtraq,43454; reference:cve,2010-3490; classtype:web-application-attack; sid:45226; rev:1;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_pattern:only; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'http_raw_cookie'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR admin password leak attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd=list"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46825; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'http_raw_cookie'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt"; flow:to_server,established; content:"/device.rsp"; fast_pattern:only; http_uri; content:"uid="; http_raw_cookie; content:"cmd="; metadata:policy max-detect-ips drop, service http; reference:cve,2018-9995; classtype:web-application-attack; sid:46826; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP phar extension remote code execution attempt"; flow:to_server,established; file_data; content:"|00 01 00 00 00 FF FF 00 00 01 00 00 00 00 00 00 00 00 00 FE FF FF FF 65 78 61 6D 70 6C 65 2E 70 68 70 1E 00 00 00 23 57|"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-4072; reference:url,bugs.php.net/bug.php?id=71860; reference:url,php.net/ChangeLog-7.php; classtype:attempted-user; sid:47207; rev:2;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt"; flow:to_server,established; content:"query=--open-files-in-pager"; fast_pattern:only; content:"/tree/"; http_uri; content:"/search"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:47599; rev:1;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope information disclosure by orderBy"; flow:to_server,established; content:"/syncope/rest/users"; fast_pattern:only; http_uri; content:"orderBy="; nocase; http_uri; pcre:"/[^&]*?(serialVersionUID|password|security(Question|Answer)|token(ExpireTime)?)/Ri"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1322; reference:url,syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting; classtype:attempted-recon; sid:48233; rev:2;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Apache Syncope information disclosure by fiql"; flow:to_server,established; content:"/syncope/rest/users"; fast_pattern:only; http_uri; content:"fiql="; nocase; http_uri; pcre:"/[^&]*?(serialVersionUID|password|type|udynMembershipCond|securityAnswer|token(ExpireTime)?)=/Ri"; metadata:policy max-detect-ips drop, service http; reference:cve,2018-1322; reference:url,syncope.apache.org/security.html#CVE-2018-1322:_Information_disclosure_via_FIQL_and_ORDER_BY_sorting; classtype:attempted-recon; sid:48234; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt"; flow:to_server,established; file_data; content:"/sitefinity/"; fast_pattern:only; http_uri; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; content:"<script"; distance:0; nocase; metadata:service http; reference:cve,2018-17055; reference:url,knowledgebase.progress.com/articles/Article/Security-Advisory-for-Resolving-Security-vulnerabilities-September-2018; classtype:attempted-user; sid:50658; rev:1;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION rfc822 HTTP transfer encoding attempt attempt"; flow:to_client,established; file_data; content:"Content-"; nocase; http_header; content:"rfc822"; within:50; nocase; http_header; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11515; reference:cve,2004-1050; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41714; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:16; dsize:29; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|10 00|"; within:2; distance:14; byte_extract:1,0,memoryAddr,relative,multiplier 257; byte_test:2,=,memoryAddr,0,relative; byte_test:2,=,memoryAddr,1,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:36877; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11969; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server; sip_method:invite; content:"Remote-Party-Id"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:11970; rev:13;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:11981; rev:10;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12000; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12002; rev:11;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12003; rev:11;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:12004; rev:11;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12006; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12007; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12073; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12074; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12170; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12171; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12172; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12173; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12174; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12175; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12176; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12177; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12178; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12179; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12180; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:12181; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Via header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13589; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:13590; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19389; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server; sip_method:invite; content:"@255.255.255."; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19409; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message URI contains global broadcast address"; flow:to_server,established; sip_method:invite; content:"@255.255.255."; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:19410; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20296; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound INVITE message"; flow:to_server,established; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20297; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20298; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Invalid request spaces at end of request line attempt"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_method:invite,bye,cancel; pcre:"/^(INVITE|BYE|CANCEL)\s+sip\x3A[^\r\n\s]+\x40[^\r\n\s]+\s+SIP\x2F2\x2E0[^\r\n]\s[\r\n]/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20299; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20303; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP URI possible format string attempt"; flow:to_server,established; sip_method:invite,bye,cancel,options; content:"%"; fast_pattern:only; pcre:"/^[A-Z]+\s+sip\x3A[^\r\n]*%/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:misc-activity; sid:20304; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers "; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20309; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CSeq header multiple CSeq headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"CSeq|3A|"; nocase; content:"CSeq|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20310; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20330; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP From header multiple From headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"From|3A|"; nocase; content:"From|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20331; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20346; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP To header multiple To headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"To|3A|"; nocase; content:"To|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20347; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20362; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Call-ID header multiple Call-ID headers"; flow:to_server,established; content:" sip|3A|"; fast_pattern:only; sip_header; content:"Call-ID|3A|"; nocase; content:"Call-ID|3A|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20363; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-1289; classtype:misc-attack; sid:20391; rev:10;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk Attribute header rtpmap field buffer overflow attempt"; flow:to_server,established; content:"a|3D|rtpmap|3A|"; fast_pattern:only; sip_method:invite,bye; pcre:"/(^a\x3Drtpmap\x3A[^\n]*\r\n){31}/Psmi"; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-1289; classtype:misc-attack; sid:20392; rev:10;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP BYE flood"; flow:to_server,established,only_stream; sip_method:bye; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20393; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP CANCEL flood"; flow:to_server,established,only_stream; sip_method:cancel; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20394; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP REGISTER flood attempt"; flow:to_server,established,only_stream; sip_method:register; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2014-2154; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20395; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE flood attempt"; flow:to_server; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-5180; reference:cve,2017-6648; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-tele; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20396; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE flood"; flow:to_server,established,only_stream; sip_method:invite; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-5180; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20397; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20398; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 420 Bad Extension response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:420; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20399; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20400; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 415 Unsupported Media Type response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:415; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20401; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20402; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Response code 405 Method Not Allowed response flood"; flow:to_client,established,only_stream; content:"SIP/2.0"; fast_pattern:only; sip_stat_code:405; detection_filter:track by_dst, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:protocol-command-decode; sid:20403; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 100 Trying message"; flow:to_server,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20404; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 408 Request Timeout message"; flow:to_server,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20405; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 501 Not Implemented message"; flow:to_server,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20406; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 604 Does Not Exist Anywhere message"; flow:to_server,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20407; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 415 Unsupported Media Type message"; flow:to_server,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20408; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 481 Call/Leg Transaction Does Not Exist"; flow:to_server,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20409; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 401 unauthorized message"; flow:to_server,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20410; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP inbound 404 Not Found"; flow:to_server,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20411; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 404 Not Found"; flow:to_client,established; content:"SIP/2.0 404 Not Found"; fast_pattern:only; sip_stat_code:404; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20412; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 100 Trying message"; flow:to_client,established; content:"SIP/2.0 100 Trying"; fast_pattern:only; sip_stat_code:100; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20413; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 408 Request Timeout message"; flow:to_client,established; content:"SIP/2.0 408 Request Timeout"; fast_pattern:only; sip_stat_code:408; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20414; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 501 Not Implemented message"; flow:to_client,established; content:"SIP/2.0 501 Not Implemented"; fast_pattern:only; sip_stat_code:501; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20415; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 604 Does Not Exist Anywhere message"; flow:to_client,established; content:"SIP/2.0 604 Does Not Exist Anywhere"; fast_pattern:only; sip_stat_code:604; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20416; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 415 Unsupported Media Type message"; flow:to_client,established; content:"SIP/2.0 415 Unsupported Media Type"; fast_pattern:only; sip_stat_code:415; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20417; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 481 Call/Leg Transaction Does Not Exist"; flow:to_client,established; content:"SIP/2.0 481 Call/Leg Transaction Does Not Exist"; fast_pattern:only; sip_stat_code:481; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20418; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP outbound 401 Unauthorized message"; flow:to_client,established; content:"SIP/2.0 401 Unauthorized"; fast_pattern:only; sip_stat_code:401; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20419; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message invalid IP address"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s+sip\x3A[^\r\n\x40]+\x40((192\.0\.[02]\.\d{1,3})|(127\.\d{1,3}\.\d{1,3}\.\d{1,3})|(128\.0\.\d{1,3}\.\d{1,3})|(191\.255\.\d{1,3}\.\d{1,3})|(223\.255\.255\.\d{1,3})|(2(2[4-9]|[34][0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,3}))/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20420; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP INVITE message Content-Length header size of zero"; flow:to_server,established,only_stream; sip_method:invite; pcre:"/^Content-Length\x3A\s+0[\r\n]/Hsmi"; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:attempted-dos; sid:20421; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Via field request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Via\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20422; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OPTIONS message Call-ID header request misplaced - after terminating newline"; flow:to_server,established; sip_method:options; pcre:"/^OPTIONS.+\r\n\r\n(.+)?^Call-ID\x3A/smi"; metadata:policy max-detect-ips drop, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:20423; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt"; flow:to_server,established; sip_method:invite; content:"Remote-Party-Id|3A|scsip|3A|"; fast_pattern:only; pcre:"/^Remote-Party-ID\x3A\scsip\x3A[^@]+@\d{1,3}\x2E\d{1,3}\x2E\xD1/Hsmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23047; reference:cve,2007-1542; reference:url,www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml; classtype:attempted-dos; sid:20425; rev:11;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP MultiTech INVITE message buffer overflow attempt"; flow:to_server,established; sip_method:invite; pcre:"/^INVITE\s[^\s\r\n]{60}/smi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,15711; reference:cve,2005-4050; classtype:attempted-user; sid:20426; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP OpenSBC VIA header denial of service attempt"; flow:to_server; content:"Via|3A 3A|"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, service sip; reference:url,ims-bisf.nexginrc.org/OpenSBC-vul.html; classtype:denial-of-service; sid:20427; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"|0D 0A 0D 0A|"; content:!"Contact"; nocase; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21101; rev:7;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact"; nocase; pcre:"/Contact\x3A\s*\x3C\s*\x3E/miH"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21102; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk channel driver denial of service attempt"; flow:to_server; sip_method:register; sip_header; content:"Contact:"; nocase; pcre:"/Contact\x3A\x0D\x0A/miH"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,50117; reference:cve,2011-4063; classtype:attempted-dos; sid:21103; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-VOIP Digium Asterisk invite malformed SDP denial of service attempt"; flow:to_server; sip_method:invite; sip_header; content:"INVITE"; depth:6; nocase; content:"INVITE"; distance:0; nocase; sip_body; content:"c=IN IP"; nocase; content:"c=IN IP"; distance:0; nocase; byte_test:10,>,255,1,relative,string,dec; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,23031; reference:cve,2007-1561; classtype:attempted-dos; sid:23966; rev:6;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{1,16},[^\r\n\x3b\s]{17}/iR"; metadata:policy max-detect-ips drop, service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26425; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk SIP SDP header parsing stack buffer overflow attempt"; flow:to_server; sip_method:invite; sip_body; content:"sprop-parameter-sets"; nocase; pcre:"/^=[^,\r\n\x3b\s]{17}/iR"; metadata:policy max-detect-ips drop, service sip; reference:cve,2013-2685; classtype:attempted-admin; sid:26426; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established,only_stream; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established,only_stream; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_stat_code'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established,only_stream; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_body'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP attempted DOS detected"; flow:to_server; sip_body; content:"m="; content:"c="; distance:0; metadata:policy max-detect-ips drop, service sip; reference:cve,2013-5641; reference:cve,2013-5642; reference:url,downloads.asterisk.org/pub/security/AST-2013-005.html; classtype:denial-of-service; sid:28165; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Sipvicious User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-scanner"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,advantia.ca/weblog/less-than-friendly-scanner--sipvicious; classtype:attempted-recon; sid:28993; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk SIP channel driver denial of service attempt"; flow:to_server; sip_method:bye; sip_header; content:"Also|3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2008-0095; reference:url,downloads.asterisk.org/pub/security/AST-2008-001.html; classtype:denial-of-service; sid:33445; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"8c2NyaXB0P"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36733; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"PHNjcmlwdD"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36734; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP javascript found in SIP headers attempt"; flow:to_server,established; sip_method:invite,message; content:"xzY3JpcHQ+"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:cve,2015-6061; reference:url,technet.microsoft.com/en-us/security/bulletin/MS15-123; classtype:attempted-user; sid:36735; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45577; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45578; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server; content:"branch=z9hg4bk-"; fast_pattern:only; sip_method:subscribe; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45579; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP invite request denial of service attempt"; flow:to_server,established,only_stream; sip_method:invite; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45580; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP options request denial of service attempt"; flow:to_server,established,only_stream; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-dos; sid:45581; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP subscribe request denial of service attempt"; flow:to_server,established,only_stream; sip_method:subscribe; content:"branch=z9hg4bk-"; fast_pattern:only; detection_filter:track by_src, count 50, seconds 15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/mr.sip; classtype:attempted-dos; sid:45582; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45583; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Mr.SIP SIP servers discovery attempt"; flow:to_server,established; sip_method:options; content:"branch=z9hG4bK-"; fast_pattern:only; content:"To:"; content:"sip:@"; within:15; metadata:policy max-detect-ips drop, service sip; reference:url,github.com/meliht/Mr.SIP; classtype:attempted-recon; sid:45584; rev:3;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server; sip_header; content:"SIP/2.0/UDP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48264; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP SIP wildcard VIA address flood attempt"; flow:to_server,established,only_stream; sip_header; content:"SIP/2.0/TCP 0.0.0.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 5; metadata:policy max-detect-ips drop, policy security-ips drop, service sip; reference:cve,2018-15454; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos; classtype:attempted-dos; sid:48265; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48309; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48310; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48311; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48312; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48313; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48314; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48315; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48316; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48317; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48318; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48319; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48320; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48321; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48322; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48323; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48324; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48325; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48326; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48327; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Conaito"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48328; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48329; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: pplsip"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48330; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48331; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: hamdan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48332; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: eyeBeam"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48333; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48334; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Ozeki"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48335; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Test Agent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48336; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIPScan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48337; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sip-scan"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48338; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipcli"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48339; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipvicious"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48340; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipsak"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48341; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: friendly-request"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48342; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sipv"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48343; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48344; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: SIVuS"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48345; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: iWar"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48346; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: Gulp"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48347; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: sundayddr"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48348; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: smap"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48349; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: CSipSimple"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48350; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: VaxSIPUserAgent"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48351; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Known SIP scanner User-Agent detected"; flow:to_server; sip_header; content:"User-Agent: siparmyknife"; fast_pattern:only; metadata:policy max-detect-ips drop, service sip; reference:url,blog.kolmisoft.com/sip-attack-friendly-scanner/; classtype:attempted-recon; sid:48352; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt"; flow:to_server; sip_method:subscribe; content:"SUBSCRIBE"; fast_pattern:only; sip_header; content:"Accept:"; nocase; pcre:"/(^Accept:\s\w*[\n\r]*){33}$/Hmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,103151; reference:cve,2018-7284; reference:url,downloads.asterisk.org/pub/security/AST-2018-004.html; classtype:denial-of-service; sid:51086; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_method'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt"; flow:to_server,established; sip_method:subscribe; content:"SUBSCRIBE"; fast_pattern:only; sip_header; content:"Accept:"; nocase; pcre:"/(^Accept:\s\w*[\n\r]*){33}$/Hmi"; metadata:policy max-detect-ips drop, service sip; reference:bugtraq,103151; reference:cve,2018-7284; reference:url,downloads.asterisk.org/pub/security/AST-2018-004.html; classtype:denial-of-service; sid:51087; rev:1;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Certification service XSS attempt"; flow:to_server,established; content:"certfnsh|2E|asp"; nocase; http_uri; content:"TargetStoreFlagsObserve"; nocase; http_client_body; pcre:"/^=[^\s\x26]*[\x3C\x3E\x22\x27\x28\x29]/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1264; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-051; classtype:attempted-user; sid:19186; rev:10;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-WINDOWS Microsoft ForeFront UAG ExcelTable.asp XSS attempt"; flow:to_server,established; content:"ExcelTable.asp"; fast_pattern:only; http_uri; content:"tableData="; nocase; http_client_body; pcre:"/^[^\&\r\n]*[<\(][^\&\r\n]+[\)>]/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-1896; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:attempted-user; sid:20257; rev:8;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt"; flow:to_server,established; content:"|FF|SMB|26 00 00 00 00|"; depth:9; offset:4; content:"|08 00|"; within:2; distance:34; byte_math:bytes 2,offset 0,oper +,rvalue 8, result dataOffset,relative,endian little; byte_test:4,>=,0xffff0800,dataOffset,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; sid:50628; rev:1;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,5,4,relative,bitmask 0x0A
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET [3388,3389] -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; byte_test:1,=,5,4,relative,bitmask 0x0A; content:"|00 04|"; within:2; distance:10; byte_test:4,=,0x800,6,relative,little,bitmask 0x19B1F; byte_extract:4,10,alloc_sz,relative,little; byte_test:4,>,alloc_sz,4,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2019-0787; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0787; classtype:attempted-user; sid:51481; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'cvs'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Entry line flag remote heap overflow attempt"; flow:to_server,established; content:"Entry"; fast_pattern:only; cvs:invalid-entry; metadata:policy max-detect-ips drop; reference:bugtraq,10384; reference:cve,2004-0396; classtype:attempted-admin; sid:16437; rev:5;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Fortinet FortiOS appliedTags field cross site scripting attempt"; flow:to_client,established; file_data; content:"/firewall/policy"; fast_pattern:only; http_uri; pcre:"/<span\s+class=[\x22\x27\x60]tag_list[\x22\x27\x60]\s+id=[\x22\x27\x60]appliedTags[\x22\x27\x60]>\s*?<span\s+class=[\x22\x27\x60]object_tag\s+object_tag_remove[\x22\x27\x60]\s+mkey=[^>]+>\s*?<[^>]+?[\x22\x27\x60]\s*?</smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51708; classtype:attempted-user; sid:24290; rev:4;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Fortigate Firewall HTTP cookie buffer overflow"; flow:to_server,established; content:"APSCOOKIE"; fast_pattern:only; content:"APSCOOKIE"; http_cookie; content:"Cookie|3A|"; nocase; http_raw_header; content:!"|0A|"; within:200; http_raw_header; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6909; reference:url,fortiguard.com/advisory/FG-IR-16-023; classtype:attempted-admin; sid:40241; rev:2;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco IOS authentication proxy authentication request attempt"; flow:to_server,established; content:"uname="; nocase; content:"pwd="; nocase; content:"Submit=Log+in"; fast_pattern:only; content:"Referer: "; http_header; content:"/php/auth/login.php"; distance:0; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2009-2863; classtype:attempted-user; sid:43514; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt"; flow:to_server,established; content:"|00 00 02 6C|"; depth:4; byte_math:bytes 4,offset 0,oper +,rvalue 79,result copy_size,relative; isdataat:!copy_size; metadata:policy max-detect-ips drop; reference:cve,2017-6553; reference:url,0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/; classtype:denial-of-service; sid:45394; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|00 00 00 07|"; within:4; distance:5; fast_pattern; content:"|00 00 00 01|"; within:4; distance:4; byte_math:bytes 4,offset 0,oper +,rvalue 8,result sub_len_plus_eight,relative; byte_test:4,!=,sub_len_plus_eight,-8,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2018-0171; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2; classtype:attempted-dos; sid:46468; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt"; flow:to_client,established; content:"MSG"; content:"|0A|P2P-Dest|3A|"; within:200; nocase; content:"|0D 0A 0D 0A|"; within:100; content:!"|00 00 00 00|"; within:4; distance:8; content:!"|00 00 00 00|"; within:4; distance:24; byte_extract:4,24,message_len,relative,little; byte_math:bytes 4, offset -20, oper +, rvalue message_len, result cumulative_size, relative, endian little; byte_test:4,>,cumulative_size,-20,relative,little; metadata:policy max-detect-ips drop, service http; reference:bugtraq,29956; reference:cve,2008-2927; reference:url,pidgin.im/news/security/?id=25; classtype:attempted-user; sid:46784; rev:1;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,0,-6,relative,bitmask 0x01
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET [25,443,587] -> $HOME_NET any (msg:"SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt"; flow:to_client,established; ssl_state:server_keyx; content:"|16 03|"; content:"|0C|"; within:1; distance:3; content:"|00 80|"; within:2; distance:3; content:"|00 01|"; within:2; distance:128; content:"|00 80|"; within:2; distance:1; byte_test:1,=,0,-6,relative,bitmask 0x01; metadata:policy max-detect-ips drop, service ssl; reference:cve,2017-3730; classtype:denial-of-service; sid:47820; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,0,-6,relative,bitmask 0x01
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,587] (msg:"SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt"; flow:to_server,established; ssl_state:client_keyx; content:"|16 03|"; content:"|0C|"; within:1; distance:3; content:"|00 80|"; within:2; distance:3; content:"|00 01|"; within:2; distance:128; content:"|00 80|"; within:2; distance:1; byte_test:1,=,0,-6,relative,bitmask 0x01; metadata:policy max-detect-ips drop, service ssl; reference:cve,2017-3730; classtype:denial-of-service; sid:47821; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_uri" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt"; flow:to_server,established; file_data; content:"q=1&l=0&lid=2&t=22&id=1&e=4&ew=1&eh=1&uls=0&df=&ds=0&tf=&ts=0&ds=0&gs=0"; fast_pattern; http_uri; urilen:>300; content:"&=yes"; distance:0; http_uri; metadata:policy max-detect-ips drop, service http; reference:url,reliance-scada.com/en/main; classtype:attempted-user; sid:48127; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 8500 (msg:"SERVER-OTHER Hashicorp Consul services API remote code execution attempt"; flow:to_server,established; content:"/v1/agent/service/register"; fast_pattern:only; http_uri; content:"PUT"; http_method; file_data; content:"check"; content:"script"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.rapid7.com/db/modules/exploit/multi/misc/consul_service_exec; classtype:attempted-admin; sid:49670; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,3,0,bitmask 0x06
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"SERVER-OTHER NTPsec 1.1.2 ntp_control out-of-bounds read attempt"; flow:to_server; content:"|00 00 00|"; depth:4; offset:6; byte_test:1,=,3,0,bitmask 0x06; dsize:>512; metadata:policy max-detect-ips drop, service ntp; reference:cve,2019-6444; classtype:attempted-user; sid:51181; rev:1;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,3,bitmask 0x02
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt"; flow:to_client; byte_test:1,=,1,3,bitmask 0x02; content:"|00 01 00|"; depth:3; offset:4; byte_test:1,>=,2,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 1C 00 01|"; distance:0; content:"|00 05 00 01|"; distance:0; content:"|00 05 00 01|"; distance:0; metadata:policy max-detect-ips drop, service dns; reference:cve,2011-4096; reference:url,bugs.squid-cache.org/show_bug.cgi?id=3237#c12; classtype:denial-of-service; sid:51485; rev:1;)"
SC_ERR_INVALID_SIGNATURE: rule 35261 setup buffer file_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|03 90 36 3A 1A C8 F8 E5 45 D9 03 11 1F 7B 45 CB 3B E4 CD BF EA 11 1F AF 2C C9|"; file_data; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35261; rev:2;)"
SC_ERR_INVALID_SIGNATURE: rule 35262 setup buffer file_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; flow:to_client,established; flowbits:isset,file.swf; content:"|54 32 9B 93 23 47 9F 9C CA 0D BB A8 F8 9D A3 D8 7F 7A E8 57 BF DC B0 96 58 6E|"; file_data; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5122; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-04.html; classtype:attempted-admin; sid:35262; rev:2;)"
SC_ERR_INVALID_SIGNATURE: rule 37627 setup buffer file_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_client,established; content:"|F5 75 6F D0 7E 61 35 1B 1A 8B 16 4D DF 05 32 FE A4 4C 46 49 B7 7B 6B 75 F9 2B 5C 37 29 0B 91 37|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:37627; rev:2;)"
SC_ERR_INVALID_SIGNATURE: rule 37628 setup buffer file_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt"; flow:to_server,established; content:"|F5 75 6F D0 7E 61 35 1B 1A 8B 16 4D DF 05 32 FE A4 4C 46 49 B7 7B 6B 75 F9 2B 5C 37 29 0B 91 37|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,72283; reference:cve,2015-0311; reference:url,helpx.adobe.com/security/products/flash-player/apsa15-01.html; classtype:attempted-user; sid:37628; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39308; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.atf; file_data; content:"ATF"; depth:3; content:"|FF|"; within:1; distance:3; dsize:<1201; byte_extract:4,1,file_length,relative; isdataat:!file_length,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-4138; reference:cve,2017-2933; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-18.html; reference:url,helpx.adobe.com/security/products/flash-player/apsb17-02.html; classtype:attempted-user; sid:39309; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|localhost"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|localhost"; distance:0; nocase; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39540; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-FLASH Adobe Flash Player local-with-filesystem security bypass attempt"; flow:to_server,established; content:"|5C 5C 2E 5C|127.0.0.1"; fast_pattern:only; content:".swf?"; nocase; http_raw_uri; content:"|5C 5C 2E 5C|127.0.0.1"; distance:0; http_raw_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-4178; reference:url,helpx.adobe.com/security/products/flash-player/apsb16-25.html; classtype:attempted-user; sid:39543; rev:3;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46260; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,7,6,relative,bitmask 0xF0
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|BF 03|"; byte_test:1,=,7,6,relative,bitmask 0xF0; content:"|00 00 FF E2|"; within:4; distance:11; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4936; reference:url,helpx.adobe.com/security/products/flash-player/apsb18-08.html; classtype:attempted-user; sid:46261; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,16,relative,bitmask 0x40
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,6,10,relative; byte_test:1,=,1,16,relative,bitmask 0x40; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46613; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x08
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x08; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46614; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x01
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x01; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46615; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x10
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x10; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46616; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x20
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x20; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46617; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,42,relative,bitmask 0x40
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x40; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46618; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,11,relative,bitmask 0x80
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,1,10,relative; byte_test:1,=,1,11,relative,bitmask 0x80; metadata:policy max-detect-ips drop, service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46619; rev:2;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"OS-LINUX Debian apt remote code execution attempt"; flow:to_client,established; content:"201%20URI%20Done"; fast_pattern:only; content:"Location:"; http_header; content:!"http"; within:20; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,106690; reference:cve,2019-3462; reference:url,justi.cz/security/2019/01/22/apt-rce.html; classtype:attempted-user; sid:50190; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert udp $EXTERNAL_NET any -> any any (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'sip_header'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> any any (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45443; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,3,0,relative,bitmask 0xF0
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-OTHER Intel x64 side-channel analysis information leak attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe|file.elf; content:"|0F 01 F9|"; content:"|0F 01 F9|"; within:50; content:"|0F AE|"; byte_test:1,=,3,0,relative,bitmask 0xF0; content:"|0F AE|"; within:75; byte_test:1,=,3,0,relative,bitmask 0xF0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-5715; reference:cve,2017-5753; reference:cve,2017-5754; classtype:attempted-recon; sid:45444; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 2,=,0,1,relative,little,bitmask 0x8000
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,0x05,6,relative,bitmask 0x14
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,2,relative,bitmask 0x01
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 2,=,1,1,relative,little,bitmask 0x8000
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|23 63 E2 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37054; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|23 63 E2 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37055; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|29 4C E1 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37056; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"|29 4C E1 77|"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37057; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"AAAA"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37058; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"AAAA"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37059; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"APIE"; within:4; distance:185; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37060; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER BACnet OPC client csv file buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.csv; file_data; dsize:>900; content:"|0A 5C|"; depth:84; content:"APIE"; within:4; distance:185; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43289; reference:cve,2010-4740; classtype:attempted-user; sid:37061; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt"; flow:to_client,established; file_data; content:"BCFZ|04 10 01 00|"; depth:8; dsize:>500; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-6048; classtype:denial-of-service; sid:43946; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt"; flow:to_server,established; file_data; content:"BCFZ|04 10 01 00|"; depth:8; dsize:>500; metadata:policy max-detect-ips drop, service smtp; reference:cve,2012-6048; classtype:denial-of-service; sid:43947; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Bluezone Desktop buffer overflow attempt"; flow:to_client,established; dsize:>20; file_data; content:"BZ"; depth:2; content:"K"; within:1; distance:6; pcre:"/BZ(MD215AK|MP215AK|VT100AK|A[PD]200BK)/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,support.ixiacom.com/strikes/denial/misc/bluezone_desktop_DoS.xml; classtype:attempted-user; sid:44180; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Bluezone Desktop buffer overflow attempt"; flow:to_server,established; dsize:>20; file_data; content:"BZ"; depth:2; content:"K"; within:1; distance:6; pcre:"/BZ(MD215AK|MP215AK|VT100AK|A[PD]200BK)/"; metadata:policy max-detect-ips drop, service smtp; reference:url,support.ixiacom.com/strikes/denial/misc/bluezone_desktop_DoS.xml; classtype:attempted-user; sid:44181; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,!&,1,1,relative,bitmask 0x40
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; content:"|0B 40|"; within:2; byte_test:1,!&,1,1,relative,bitmask 0x40; byte_extract:4,18,y_val,relative,little; byte_test:4,>,y_val,4,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2017-16401; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44919; rev:2;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,!&,1,1,relative,bitmask 0x40
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"EMF+"; within:4; distance:8; content:"|0B 40|"; within:2; byte_test:1,!&,1,1,relative,bitmask 0x40; byte_extract:4,18,y_val,relative,little; byte_test:4,>,y_val,4,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2017-16401; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; classtype:attempted-user; sid:44920; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45819; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45820; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_client,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|00|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 8,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45821; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt"; flow:to_server,established; file_data; content:"|46 00 00 00|"; content:"|45 4D 46 2B|"; within:4; distance:8; fast_pattern; content:"|0B 40|"; distance:0; content:"|02|"; within:1; distance:1; byte_math:bytes 4,offset 4,oper /,rvalue 16,result total_rects,relative,endian little; byte_test:4,>,total_rects,8,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-4896; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45822; rev:1;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_client; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-1000035; classtype:attempted-user; sid:47586; rev:1;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,1,4,relative,little,bitmask 0x01
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt"; flow:to_server; flowbits:isset,file.zip; file_data; content:"PK|01 02|"; byte_test:1,=,1,4,relative,little,bitmask 0x01; byte_test:2,>,250,24,relative,little; byte_jump:2,38,relative,little,from_beginning; content:"PK|03 04|"; within:4; byte_test:2,<,10,22,relative,little; metadata:policy max-detect-ips drop, service smtp; reference:cve,2018-1000035; classtype:attempted-user; sid:47587; rev:1;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_client,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47682; rev:1;)"
SC_ERR_PCRE_PARSE: parse error, ret -1, string 1,=,4,1,relative,bitmask 0x7f
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt"; flow:to_server,established; file_data; flowbits:isset,file.emf; content:"|46 00 00 00|"; content:"|08 40|"; within:2; distance:12; byte_test:1,=,4,1,relative,bitmask 0x7f; byte_extract:4,2,regionSize,relative,little; byte_test:4,>,regionSize,8,little,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-12762; reference:url,helpx.adobe.com/security/products/acrobat/APSB18-21.html; classtype:attempted-user; sid:47683; rev:1;)"
SC_ERR_FLAGS_MODIFIER: cannot set DETECT_FLOW_FLAG_TOSERVER flag is already set
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER Microsoft SharePoint deserialization attempt"; flow:to_server,to_server,established; file_data; content:"executeQueryAsync"; nocase; content:"<DynamicType"; fast_pattern:only; content:"<ObjectInstance"; nocase; content:"<MethodName>Deserialize</MethodName>"; within:100; nocase; content:"xsd:string"; within:100; base64_decode:bytes 1000,relative; base64_data; content:"|FF 01 32 BC 06|"; within:5; content:"<ObjectDataProvider"; within:550; content:"cmd.exe"; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2019-1257; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1257; classtype:attempted-admin; sid:51475; rev:1;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; content:"%25%7B"; fast_pattern:only; content:"%25%7B"; nocase; http_raw_uri; content:"{"; http_uri; content:"}"; within:25; http_uri; pcre:"/%25%7B[^\x2f\x5c]+?%7D/Ii"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60346; reference:cve,2013-2134; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:29592; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts CookieInterceptor classloader access attempt"; flow:to_server,established; content:"ClassLoader"; fast_pattern:only; content:"class"; nocase; http_cookie; content:"ClassLoader"; distance:0; nocase; http_cookie; pcre:"/class([\x2e\x5b]|%2e|%5b)([\x22\x27]|%22|%27)?ClassLoader/Ci"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67081; reference:cve,2014-0113; reference:url,cwiki.apache.org/confluence/display/WW/S2-021; classtype:attempted-admin; sid:30944; rev:4;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt"; flow:to_server,established; content:"Content-type|3A 20|multipart"; fast_pattern:only; nocase; content:"boundary|3D|"; nocase; http_raw_header; isdataat:71,relative,rawbytes; content:!"|0A|"; within:71; http_raw_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,91453; reference:cve,2016-3092; classtype:denial-of-service; sid:39908; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt"; flow:to_server,established,only_stream; content:"session="; fast_pattern:only; content:"session="; nocase; http_cookie; content:"AAAAAAAAAAA"; within:150; http_cookie; detection_filter:track by_src,count 20, seconds 2; metadata:policy max-detect-ips drop, service http; reference:cve,2016-0736; reference:url,attack.mitre.org/techniques/T1110; reference:url,httpd.apache.org/security/vulnerabilities_24.html; classtype:web-application-attack; sid:42133; rev:4;)"
SC_ERR_INVALID_SIGNATURE: rule 17328 setup buffer file_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:to_server,established; flowbits:isset,qualcom.worldmail.ok; dsize:>668; content:"}|0D 0A|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:9;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home"; flow:to_server,established; content:"/scripts/worker.php"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"hujashka.com"; distance:0; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14081; rev:9;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Karagany.A variant outbound connection"; flow:to_server,established; content:"|2F|xgate|2E|php"; nocase; http_uri; content:"User-Agent|3A 20|Opera|2F|10|2E|60|20|Presto|2F|2|2E|2|2E|30"; fast_pattern:only; http_header; content:"id|3D 5F|"; http_client_body; pcre:"/^\d?\x5f\d+\x5f/R"; metadata:service http; reference:url,www.virustotal.com/#/file/b01a66b05b4cf27f063b33772eb6b30b/detection; classtype:trojan-activity; sid:18279; rev:10;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Clampi variant outbound connection"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\s+\/[A-Z0-9]{16}\s+/Ri"; content:"|0D 0A 0D 0A|o="; depth:256; fast_pattern; pcre:"/^[iacdu](&s=[^&]*)?&b=/Ri"; metadata:service http; reference:url,www.virustotal.com/en/file/858aa58a910e47453f220c511fb8044592a55b4ef081ff86c2193ff65b8c6707/analysis/; classtype:trojan-activity; sid:19332; rev:9;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lancafdo.A variant outbound connection"; flow:to_server,established; content:"_TEST_"; fast_pattern:only; content:"id="; nocase; http_client_body; content:"ln="; distance:0; nocase; http_client_body; content:"cn="; distance:0; nocase; http_client_body; content:"nt="; distance:0; nocase; http_client_body; content:"bid="; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/ae77218a209712f1a8fc90d29cd5e3def2ed86396d7dea573646086a5aa4e7aa/analysis/; classtype:trojan-activity; sid:21474; rev:6;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:to_server,established; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Critroni outbound connection"; flow:to_server,established; dsize:174; urilen:1; content:"/"; http_uri; content:"Host|3A| ip.telize.com|0D 0A|Accept|3A| */*|0D 0A|User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/31.0.1650.63 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3c92d7a9dead6011f3c99829c745c384dd776d88f57bbd60bc4f9d66641819b/analysis/; classtype:trojan-activity; sid:31718; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro outbound connection"; flow:to_server,established; dsize:<200; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/"; http_header; content:"ompatible|3B| MSIE 31|3B| "; within:20; distance:6; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c716890a2a76785d53e8f9a5db2268501a30df807df4c4323967672efe452c/analysis/; classtype:trojan-activity; sid:31813; rev:2;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tavdig outbound connection"; flow:to_server,established; content:"Cookie|3A| catid="; fast_pattern:only; content:"|3B| task="; http_cookie; content:"|3B| forumid="; within:100; http_cookie; content:"|3B| Itemid="; within:50; http_cookie; content:"|3B| link="; within:50; http_cookie; content:"|3B| layout="; within:50; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/; classtype:trojan-activity; sid:31944; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dalgan variant outbound connection"; flow:to_server, established; content:"MUID="; fast_pattern:only; content:"MCI="; depth:4; http_cookie; content:"MUID="; within:18; distance:16; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/07db7603d2d27a08553d2864cf2bef3c9515635e0f8692514f42c1a0debe8eb4/analysis/; classtype:trojan-activity; sid:32070; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; content:"&data="; within:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea/analysis/; classtype:trojan-activity; sid:32311; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)"
SC_ERR_INVALID_SIGNATURE: "http_header" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:1; distance:8; http_uri; content:"Host:"; http_header; content:":8080"; within:30; http_header; content:"POST"; http_method; dsize:<480; pcre:"/^\/[a-f0-9]{8}\/[a-f0-9]{8}\/$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94/analysis/; classtype:trojan-activity; sid:32770; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AAEH variant outbound connection"; flow:to_server,established; urilen:<15; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)"; fast_pattern:only; content:"Host: "; nocase; http_header; content:"|3A|"; within:16; http_header; content:!"Referer: "; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0ccade380fd3a9ef7635e5c4e54b82c4ccd434c0bc3bbf76af3a99d744a1c5e7/analysis/; classtype:trojan-activity; sid:34246; rev:3;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:3;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)"
SC_ERR_INVALID_SIGNATURE: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)"
SC_ERR_INVALID_SIGNATURE: depth or urilen 11 smaller than content len 17
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED MISC source route lsrre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-038; classtype:bad-unknown; sid:501; rev:9;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-FRONTPAGE rad overflow attempt"; flow:to_server,established; dsize:>258; content:"/fp30reg.dll"; nocase; http_uri; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-attack; sid:1246; rev:18;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-FRONTPAGE rad overflow attempt"; flow:to_server,established; dsize:>259; content:"/fp4areg.dll"; nocase; http_uri; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:14;)"
SC_ERR_INVALID_SIGNATURE: rule 2349 setup buffer dce_stub_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; reference:bugtraq,21220; reference:cve,2006-6114; reference:cve,2008-0639; classtype:protocol-command-decode; sid:2349; rev:13;)"
SC_ERR_INVALID_SIGNATURE: rule 14661 setup buffer dce_stub_data but didn't add matches to it
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"DELETED NETBIOS DCERPC NCACN-IP-TCP spoolss EnumJobs attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:4; dce_stub_data; flowbits:set,dce.spoolss.4.call; flowbits:noalert; reference:cve,2008-1446; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-062; classtype:protocol-command-decode; sid:14661; rev:17;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BOTNET-CNC Trojan Win32.Murofet.A outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"|2F|forum|2F|"; fast_pattern; nocase; http_uri; content:!"|0D 0A|Referer|3A|"; nocase; http_header; pcre:"/\x2Fforum\x2F$/Ui"; pcre:"/^Host\x3A\x20[a-z]{10,16}\x2E(net|info|org|com|biz)/Rm"; reference:url,www.virustotal.com/file-scan/report.html?id=a3203f202e04fdaab5c51f8b99d3750e64b4911c7cc62114d69ac2264aa18d02-1286757825; classtype:trojan-activity; sid:19051; rev:6;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DELETED POLICY-OTHER HP Universal CMDB server axis2 default credentials attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/axis2/axis2-admin/login"; fast_pattern:only; http_uri; content:"username=admin"; nocase; http_client_body; content:"password="; nocase; http_client_body; pcre:"/^(admin|axis2)/iR"; reference:url,secunia.com/advisories/42763/; classtype:attempted-admin; sid:19157; rev:6;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; http_header; content:"application/ipp"; within:20; fast_pattern; nocase; http_header; content:"|01|"; depth:9; http_client_body; pcre:"/^.{8}\x01[\x35\x36\x41\x42\x44-\x49]/P"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pcre:"/[\x37-\x40\x43]\x00\x00/R"; reference:cve,2010-2941; classtype:attempted-admin; sid:23138; rev:5;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET 631 (msg:"DELETED SERVER-OTHER Apple CUPS IPP memory corruption attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; http_header; content:"application/ipp"; within:20; fast_pattern; nocase; http_header; content:"|01|"; depth:9; http_client_body; pcre:"/^.{8}\x01[\x37-\x40\x43]/P"; byte_jump:2,0,relative,little; byte_jump:2,0,relative,little; pcre:"/[\x35\x36\x41\x42\x44-\x49]\x00\x00/R"; reference:cve,2010-2941; classtype:attempted-admin; sid:23139; rev:5;)"
SC_ERR_INVALID_SIGNATURE: rule 26618 mixes keywords with conflicting directions
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"DELETED SERVER-WEBAPP Potential hostile executable served from local compromised or malicious WordPress site"; flow:to_client,established; content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; metadata:ruleset community; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26618; rev:4;)"
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Backdoor.Win32.Wolyx.A runtime detection"; flow:to_server,established; dsize:12; content:"|0D 0A 0D 0A|"; offset:8; content:!"/"; http_uri; pcre:"/^[0-9a-f]{8}\r\n\r\n$/i"; reference:url,www.virustotal.com/file/bf8c756d34efc346e4bc100310f2ead2731c9745d49dec242c9f237e53bceb41/analysis; classtype:trojan-activity; sid:26821; rev:2;)"
SC_ERR_INVALID_SIGNATURE: Can't use file_data with flow:to_server or flow:from_client with http.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt"; flow:to_server,established; content:"Content-Type|3A|"; http_header; content:"charset=euc-jp"; within:64; nocase; http_header; file_data; isdataat:4094; content:"|8F|"; depth:1; offset:4094; content:"//"; within:100; reference:cve,2013-3192; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-059; classtype:attempted-user; sid:29169; rev:5;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt"; flow:to_client,established; flowbits:isset,file.ttf; file_data; content:"cmap"; depth:500; offset:12; byte_extract:4,4,cmapOffset,relative; byte_jump:4,-4,relative,big,from_beginning; byte_math:bytes 4, offset 8, oper +, rvalue cmapOffset, result formatTable, relative; content:"|00 00|"; depth:2; offset:formatTable; byte_test:2, >, 262, 0, relative; reference:cve,2018-4908; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45838; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt"; flow:to_server,established; flowbits:isset,file.ttf; file_data; content:"cmap"; depth:500; offset:12; byte_extract:4,4,cmapOffset,relative; byte_jump:4,-4,relative,big,from_beginning; byte_math:bytes 4, offset 8, oper +, rvalue cmapOffset, result formatTable, relative; content:"|00 00|"; depth:2; offset:formatTable; byte_test:2, >, 262, 0, relative; reference:cve,2018-4908; reference:url,helpx.adobe.com/security/products/acrobat/apsb18-02.html; classtype:attempted-user; sid:45839; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_stat_code" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Terror landing page redirect attempt"; flow:to_client,established; file_data; content:"meta"; content:"refresh"; within:30; content:"content"; within:30; content:"1|3B|url=http:|2F 2F|"; within:20; content:"30"; within:2; http_stat_code; classtype:attempted-user; sid:45924; rev:2;)"
SC_ERR_INVALID_SIGNATURE: "http_client_body" keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE PHP exif_process_user_comment null pointer dereference attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|92 86|"; http_client_body; byte_extract:4,6,offset,relative,big; content:"|0D 0A 0D 0A|"; http_client_body; content:"JIS|00 00 00 00 00|"; within:8; distance:offset; http_client_body; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6292; reference:url,bugs.php.net/bug.php?id=72618; classtype:attempted-user; sid:40244; rev:2;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,0,img_left_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_left_pos,result overflow,relative,endian little; byte_test:2,<,overflow,6,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:49962; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,0,img_left_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_left_pos,result overflow,relative,endian little; byte_test:2,<,overflow,6,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:49963; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,2,img_top_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_top_pos,result overflow,relative,endian little; byte_test:2,<,overflow,8,little; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:50960; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; flow:to_server,established; flowbits:isset,file.gif; file_data; content:"|21 F9 04 08 0A 00 00 00 2C|"; fast_pattern; byte_extract:2,2,img_top_pos,relative,little; byte_math:bytes 2,offset 2,oper +,rvalue img_top_pos,result overflow,relative,endian little; byte_test:2,<,overflow,8,little; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,49106; reference:cve,2011-2131; classtype:attempted-user; sid:50961; rev:1;)"
Source test warnings:
Custom address variable "$FILE_DATA_PORTS" is used and need to be defined in probes configuration
Custom address variable "$FTP_PORTS" is used and need to be defined in probes configuration
Custom address variable "$SIP_SERVERS" is used and need to be defined in probes configuration
Custom address variable "$SIP_PORTS" is used and need to be defined in probes configuration
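To see which incompatibility classes account for most of the rejected Snort rules, here is an added example (not code from Scirius or from anyone in this thread) that pairs each "error parsing signature" line with the reason line Suricata prints just before it and groups the lost sids by reason. The sample log is constructed from a few of the lines above; nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this issue's "Source test failure" output: sids
# and reason texts are the page's, rule bodies trimmed to the keywords that matter.
SAMPLE_LOG = r"""
SC_ERR_INVALID_SIGNATURE: Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-FRONTPAGE rad overflow attempt"; dsize:>258; content:"/fp30reg.dll"; http_uri; sid:1246; rev:18;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; byte_math:bytes 2,offset 2,oper +,rvalue img_left_pos,result overflow,relative; sid:49962; rev:1;)"
SC_ERR_RULE_KEYWORD_UNKNOWN: unknown rule keyword 'byte_math'.
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt"; byte_math:bytes 2,offset 2,oper +,rvalue img_left_pos,result overflow,relative; sid:49963; rev:1;)"
SC_ERR_INVALID_SIGNATURE: pcre with /R (relative) needs preceeding match in the same buffer
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED BOTNET-CNC Trojan Win32.Murofet.A outbound connection"; content:"|2F|forum|2F|"; http_uri; pcre:"/\x2Fforum\x2F$/Ui"; sid:19051; rev:6;)"
"""

SIG_RE = re.compile(r'^SC_ERR_[A-Z_]+: error parsing signature "(.*)"$')
SID_RE = re.compile(r'\bsid:(\d+);')
MSG_RE = re.compile(r'msg:"([^"]*)"')

def parse_failures(log_text):
    """Pair each rejected signature with the reason line Suricata printed before it."""
    failures, pending = [], None
    for line in map(str.strip, log_text.splitlines()):
        sig = SIG_RE.match(line)
        if sig:
            rule = sig.group(1)
            sid, msg = SID_RE.search(rule), MSG_RE.search(rule)
            failures.append({
                "sid": int(sid.group(1)) if sid else None,
                "msg": msg.group(1) if msg else "",
                "reason": pending or "no reason line printed",
            })
            pending = None  # one reason line explains exactly one signature
        elif line.startswith("SC_ERR_"):
            pending = line.split(": ", 1)[1]  # keep the text after the error code
    return failures

def group_by_reason(failures):
    """Map each reason to the sids it cost, so the biggest source of lost rules stands out."""
    groups = defaultdict(list)
    for f in failures:
        groups[f["reason"]].append(f["sid"])
    return dict(groups)

if __name__ == "__main__":
    for reason, sids in group_by_reason(parse_failures(SAMPLE_LOG)).items():
        print(f"{len(sids)} rule(s) lost to: {reason[:60]} -> sids {sids}")
```

Run it against the full "Source test failure" text instead of the sample and the reason with the longest sid list is the first thing to fix (a keyword the Suricata build lacks, for instance, is a version question rather than a rule-by-rule one).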
@pevma
I understand this very well and could use suricata
-> snort
-> clean traffic (but this is an overhead because of the same rules)
Import is uglier than I thought. Suricata does not recognize a big bunch of signatures.
Regarding DDOS rules, the explanation may be simple, here is the complete
file:
```
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------
# DDOS RULES
#------------
```
On first screenshot it appears more than 40k rules have been found. You should be able to find them in other categories.
I understood. So the scheme suricata
-> snort
-> clean traffic
Thanks for the help
Scirius: latest of git master branch
OS: ubuntu 18.04
Problem: I try to use rules from snort, but only categories are displayed.
What am I doing:
snortrules-snapshot-29150.tar.gz
1)![snort1](https://user-images.githubusercontent.com/58167613/69529216-e2970500-0f80-11ea-8db0-5b886c42496b.png)
2)![snort2](https://user-images.githubusercontent.com/58167613/69529220-e591f580-0f80-11ea-9475-e043816e24bb.png)
Result:![snort3](https://user-images.githubusercontent.com/58167613/69529227-e7f44f80-0f80-11ea-8bef-5f95c6db2a6e.png)