opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

IPS: Suricata Threatfox Feed - Malformed Hostname #6922

Closed projectforums3 closed 1 year ago

projectforums3 commented 1 year ago

Describe the bug

I enabled the abuse.ch/ThreatFox feed used by Suricata 6.0.14 in OPNsense 23.7.5-amd64. As of 2023/10/09 0:00, after enabling and downloading the ruleset, Suricata threw an invalid signature error due to a malformed hostname.

To Reproduce

  1. Enable and download the abuse.ch/ThreatFox ruleset. Save.
  2. Click on Log File.
  3. Filter the log on Error. See the error in log file.

Expected behavior

Only Notice, Informational, and Debug level outputs should be visible in the log.

Describe alternatives you considered

Manually editing the /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules file to correct the hostname resolves the issue (changing anakhaled20.noظ€ip.biz to anakhaled20.no-ip.biz). However, it will be overwritten when the next update takes place.

Relevant log files

2023-10-10T00:02:08-04:00 | Error | suricata | [100134] -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anakhaled20.noظ€ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1172062/; target:src_ip; metadata: confidence_level 100, first_seen 2023_09_27; classtype:trojan-activity; sid:91172062; rev:1;)" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 11335

2023-10-10T00:02:08-04:00 | Error | suricata | [100134] -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth:22 smaller than content of len 25.

Additional context

As of this writing, I have observed that there is more than one reference to this host in the abuse.ch.threatfox.rules file and in the other cases the hostname is correct.

Environment

OPNsense 23.7.5-amd64 FreeBSD 13.2-RELEASE-p3 OpenSSL 1.1.1w 11 Sep 2023 Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
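The two log lines above are consistent with each other: the rule's `depth:22` was written for the 21-byte hostname `anakhaled20.no-ip.biz`, but the two characters that replaced the hyphen (U+0638 and U+20AC) occupy 2 and 3 bytes in UTF-8, so the `content:` match is 25 bytes long and Suricata rejects the signature. The script below is an added example, not OPNsense or Suricata code: a small pre-load linter that tokenises a rules file the way Suricata's option parser does (quoted values, `|..|` hex blocks, backslash escapes), reports any `depth:` smaller than the byte length of the preceding `content:`, and flags non-ASCII bytes inside a `content:` so a broken feed entry can be spotted before the rule is silently discarded. `GOOD_RULE` is a constructed well-formed sibling with a placeholder sid; `BAD_RULE` is the signature quoted verbatim from the log above. The check mirrors only the one error Suricata printed here, not its full signature validation.

```python
import re


def content_byte_length(value: str) -> int:
    """Byte length of a content: value as Suricata would match it.

    |..| hex blocks count one byte per hex pair, a backslash escape
    counts as one byte, everything else is UTF-8 encoded.
    """
    total, i = 0, 0
    while i < len(value):
        ch = value[i]
        if ch == "|":
            end = value.index("|", i + 1)
            total += len("".join(value[i + 1:end].split())) // 2
            i = end + 1
        elif ch == "\\" and i + 1 < len(value):
            total += 1
            i += 2
        else:
            total += len(ch.encode("utf-8"))
            i += 1
    return total


def rule_options(rule: str) -> list:
    """Split the option block between the outer parentheses on ';'
    while respecting double quotes and backslash escapes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quote:
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def check_rule(rule: str) -> list:
    """Return a list of human-readable problems found in one rule line."""
    if "(" not in rule or ")" not in rule:
        return ["no option block found"]
    problems, last_content = [], None
    for opt in rule_options(rule):
        name, _, val = opt.partition(":")
        name, val = name.strip(), val.strip()
        if name == "content":
            raw = val.lstrip("!")           # negated content is !"..."
            raw = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
            last_content = raw
            if any(ord(c) > 127 for c in raw):
                problems.append(f'non-ASCII byte(s) in content "{raw}"')
        elif name == "depth" and last_content is not None:
            depth, clen = int(val), content_byte_length(last_content)
            if depth < clen:
                problems.append(f"depth:{depth} smaller than content of len {clen}")
    return problems


def check_rules(text: str) -> list:
    """Check every non-comment line; returns (line_no, sid, problems) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problems = check_rule(line)
        if problems:
            m = re.search(r"\bsid:\s*(\d+)", line)
            findings.append((line_no, m.group(1) if m else "?", problems))
    return findings


# Constructed well-formed sibling of the reported rule (placeholder sid).
GOOD_RULE = ('alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic '
             '(domain - confidence level: 100%)"; dns_query; content:"anakhaled20.no-ip.biz"; '
             'depth:22; fast_pattern; isdataat:!1,relative; nocase; classtype:trojan-activity; '
             'sid:9000001; rev:1;)')
# The malformed signature exactly as quoted in the OPNsense log above.
BAD_RULE = ('alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic '
            '(domain - confidence level: 100%)"; dns_query; content:"anakhaled20.noظ€ip.biz"; '
            'depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, '
            'threatfox.abuse.ch/ioc/1172062/; target:src_ip; metadata: confidence_level 100, '
            'first_seen 2023_09_27; classtype:trojan-activity; sid:91172062; rev:1;)')
SAMPLE_RULES = "# constructed two-rule file\n" + GOOD_RULE + "\n" + BAD_RULE + "\n"

if __name__ == "__main__":
    for line_no, sid, problems in check_rules(SAMPLE_RULES):
        for p in problems:
            print(f"line {line_no} sid {sid}: {p}")
```

Pointing `check_rules` at `/usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules` after a ruleset update lists the entries Suricata will drop, which is a quicker way to see the blast radius of a bad feed line than filtering the error log.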

AdSchellevis commented 1 year ago

Usually these errors only mean the specific rule is discarded, if I'm not mistaken; we ship these rules as-is without modifications.

projectforums3 commented 1 year ago

Understood. Thanks for the follow up.

doktornotor commented 1 year ago

Suricata (unlike Snort) simply skips broken/incompatible rules and logs the error. Really nothing to be done here; any broken rule needs to be fixed upstream, and any incompatible rule (and there are loads of them with the Snort VRT ruleset) will simply be discarded (and there is no point in reporting those upstream; they are not necessarily made to be compatible with Suricata per se).

projectforums3 commented 1 year ago

Thank you for the clarification. Closing.