Open jufajardini opened 2 months ago
Sorry for the delay, I confirm the issue. Suricata -T is detecting the problem but it is ignored by SLS.
suricata -l /tmp -T -S pawpatrules.rules
{"timestamp":"2024-11-28T22:38:20.799554+0100","log_level":"Notice","event_type":"engine","engine":{"message":"This is Suricata version 8.0.0-dev (7bb86a15f7 2024-11-28) running in SYSTEM mode","thread_name":"Suricata-Main","module":"suricata"}}
{"timestamp":"2024-11-28T22:38:20.864329+0100","log_level":"Warning","event_type":"engine","engine":{"message":"eve module 'ikev2' has been replaced by 'ike'","thread_name":"Suricata-Main","module":"runmodes"}}
{"timestamp":"2024-11-28T22:38:20.876879+0100","log_level":"Error","event_type":"engine","engine":{"message":"bad option value formatting (possible missing semicolon) for keyword content: '!\".mozilla.net'","thread_name":"Suricata-Main","module":"detect-parse"}}
{"timestamp":"2024-11-28T22:38:20.876935+0100","log_level":"Error","event_type":"engine","engine":{"message":"error parsing signature \"alert tls $HOME_NET any -> any any (msg:\"🐾 - 🚨 Possible Windows Installer or Bitsadmin TLSv1.2 connection to FQDN - T1105\"; flow:to_server, stateless; ja3.hash; content:\"bd0bf25947d4a37404f0424edf4db9ad\"; fast_pattern; tls_sni; content:!\"microsoft.com\"; endswith; nocase; content:!\"live.com\"; endswith; nocase; content:!\"google.com\"; endswith; nocase; content:!\".ms\"; endswith; nocase; content:!\"libreoffice.org\"; endswith; nocase; content:!\"skype.com\"; endswith; nocase; content:!\"windows.net\"; endswith; nocase; content:!\"googleapis.com\"; endswith; nocase; content:!\"office.com\"; endswith; nocase; content:!\"azureedge.net\"; endswith; nocase; content:!\"sophosupd.com\"; endswith; nocase; content:!\"sophosxl.net\"; endswith; nocase; content:!\"sophos.com\"; endswith; nocase; content:!\"office.net\"; endswith; nocase; content:!\"jive.com\"; endswith; nocase; content:!\"adobe.com\"; endswith; nocase; content:!\"avast.com\"; endswith; nocase; content:!\"mozilla.org\"; endswith; nocase; content:!\".microsoft\"; nocase; endswith; content:!\".gvt1.com\"; nocase; endswith; content:!\".msedge.net\"; nocase; endswith; content:!\".msn.com\"; nocase; endswith; content:!\".microsoftonline.com\"; nocase; endswith; content:!\".windows.com\"; nocase; endswith; content:!\".bing.com\"; nocase; endswith; content:!\".mozilla.net; nocase; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Trans
{"timestamp":"2024-11-28T22:38:20.877090+0100","log_level":"Warning","event_type":"engine","engine":{"message":"1 rule files specified, but no rules were loaded!","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2024-11-28T22:38:20.877192+0100","log_level":"Error","event_type":"engine","engine":{"message":"Loading signatures failed.","thread_name":"Suricata-Main","module":"suricata"}}
OK, looks like it is a suricata bug :)
Suricata bug opened https://redmine.openinfosecfoundation.org/issues/7419
OK, looks like it is a suricata bug :)
When the bug report backfires xD Thanks for submitting the report! :)
The rule below will fail parsing by Suricata Update with the following error (portion with the parsing issue highlighted by me):
bad option value formatting (possible missing semicolon) for keyword content: '!".mozilla.net'
"alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible Windows Installer or Bitsadmin TLSv1.2 connection to FQDN - T1105"; flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; fast_pattern; tls_sni; content:!"microsoft.com"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"google.com"; endswith; nocase; content:!".ms"; endswith; nocase; content:!"libreoffice.org"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"windows.net"; endswith; nocase; content:!"googleapis.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"sophosupd.com"; endswith; nocase; content:!"sophosxl.net"; endswith; nocase; content:!"sophos.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"jive.com"; endswith; nocase; content:!"adobe.com"; endswith; nocase; content:!"avast.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!".microsoft"; nocase; endswith; content:!".gvt1.com"; nocase; endswith; content:!".msedge.net"; nocase; endswith; content:!".msn.com"; nocase; endswith; content:!".microsoftonline.com"; nocase; endswith; content:!".windows.com"; nocase; endswith; content:!".bing.com"; nocase; endswith; content:!".mozilla.net; nocase; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2023_05_18, updated_at 2024_09_05; sid:3300209; rev:18; classtype:policy-violation;)"
I was made aware of this through https://forum.suricata.io/t/bad-option-value-formatting-possible-missing-semicolon-for-keyword-content/4865 and, when I reached out to the Paw Patrules maintainer, they mentioned that the Suricata language server probably didn't catch those, so I decided to register this issue.
Is it possible that in some cases the language server is failing to catch the unclosed semicolon?
Related issue with the Paw Patrules rules set: https://github.com/woundride/pawpatrules/issues/2
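An added example, not part of this issue thread and not code from the Suricata Language Server or from Suricata: a minimal Python check that reproduces the parse failure above by splitting a rule's option section at unescaped semicolons and flagging any value that opens a double quote without closing it. The splitting rule is an assumption based on the error message Suricata printed (it reports the offending value as `!".mozilla.net`, i.e. it stopped at the first `;`); `BROKEN_RULE` is a constructed, shortened form of the Paw Patrules signature that keeps only the defect.

```python
"""Minimal quote-balance check for Suricata rule options, covering the defect
in this thread: a content value that opens a '"' and never closes it.  Added
example, not code from the Suricata Language Server or Suricata; the splitting
rule (an unescaped ';' ends an option, a value that opens with '"' must close
with it) is an assumption based on how Suricata reports the error above."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LintFinding:
    keyword: str
    value: str
    message: str


def split_options(options: str) -> Tuple[List[str], str]:
    """Split the text between '(' and ')' at every ';' not escaped with a
    backslash (a literal ';' inside a pattern is written '\\;').  Returns
    (options, trailing); trailing is non-empty only when the last option
    lacks its terminating ';'."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(options):
        c = options[i]
        if c == "\\" and i + 1 < len(options):   # keep escape pairs intact
            buf.append(options[i:i + 2])
            i += 2
            continue
        if c == ";":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    return parts, "".join(buf).strip()


def quoted_value_is_closed(body: str) -> bool:
    """True when body is exactly one double-quoted string: it opens with '"',
    escaped characters are skipped, and the first unescaped '"' after the
    opening one is the final character."""
    if not body.startswith('"'):
        return False
    i = 1
    while i < len(body):
        if body[i] == "\\":
            i += 2
            continue
        if body[i] == '"':
            return i == len(body) - 1
        i += 1
    return False                                   # opened, never closed


def lint_rule(rule: str) -> List[LintFinding]:
    """One finding per malformed option value; an empty list means every
    quoted value in the rule's option section is balanced."""
    findings: List[LintFinding] = []
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return [LintFinding("", "", "rule has no '(' ... ')' option section")]
    parts, trailing = split_options(rule[start + 1:end])
    if trailing:
        findings.append(LintFinding(trailing.split(":", 1)[0].strip(), trailing,
                                    "last option is missing its terminating ';'"))
    for part in parts:
        if ":" not in part:
            continue                                # keyword-only option, e.g. nocase
        keyword, value = (s.strip() for s in part.split(":", 1))
        body = value[1:].lstrip() if value.startswith("!") else value  # negated pattern
        if (body.startswith('"') or body.endswith('"')) and not quoted_value_is_closed(body):
            findings.append(LintFinding(
                keyword, value,
                "bad option value formatting (possible missing semicolon) "
                f"for keyword {keyword}: '{value}'"))
    return findings


# Constructed, abbreviated form of the thread's rule that keeps its defect: the
# last tls_sni pattern, content:!".mozilla.net, opens a quote it never closes.
BROKEN_RULE = (
    'alert tls $HOME_NET any -> any any (msg:"Possible Bitsadmin TLSv1.2 connection to FQDN"; '
    'flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; '
    'fast_pattern; tls_sni; content:!"mozilla.org"; endswith; nocase; '
    'content:!".mozilla.net; nocase; endswith; '
    'sid:3300209; rev:18; classtype:policy-violation;)'
)
FIXED_RULE = BROKEN_RULE.replace('".mozilla.net;', '".mozilla.net";')

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(name, [f.message for f in lint_rule(rule)] or "no findings")
```

Run as a script it prints one finding for `BROKEN_RULE`, worded like Suricata's own message, and none for `FIXED_RULE`. The check is deliberately narrow (quote balance and a missing final `;`); it does not know which keywords require a quoted argument, so `suricata -T` against the real rule set remains the authoritative test.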