ptresearch/AttackDetection

suricata-update failure on new rule

chrislujan opened this issue · 3 comments

The rule:
https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-0232/cve-2019-0232.rules

The Error:
9/7/2019 -- 19:24:31 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to parse "reference" keyword argument - "wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232". Invalid argument.
9/7/2019 -- 19:24:31 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)"; flow: established, to_server; content: "?&"; http_raw_uri; pcre: "/.(?:bat|cmd)?&/I"; reference: cve, 2019-0232; reference: wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004953; rev: 1;)" from file /var/lib/suricata/rules/suricata.rules at line 2738

h0g3 commented

There seems to be a missing keyword in the new rule. This can be fixed by adding "url" after "reference". So:

alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)"; flow: established, to_server; content: "?&"; http_raw_uri; pcre: "/.(?:bat|cmd)?&/I"; reference: cve, 2019-0232; reference: url, wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004953; rev: 1;)

@ptresearch could you update for this?
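A small checker for the defect described in this thread, added here as an example (it is not code from the AttackDetection repository or from suricata-update): it splits a rule's option block, respecting quoted strings, and flags any `reference` option that lacks the `<type>, <value>` form Suricata expects. The accepted reference types are an assumption (a subset of the defaults in Suricata's reference.config), and the two rule strings are constructed from the messages above.

```python
# Accepted reference types. Assumption: a subset of the defaults in Suricata's reference.config.
KNOWN_REFERENCE_TYPES = {"cve", "url", "bugtraq", "nessus", "arachnids", "mcafee", "osvdb", "msb"}

# Constructed from the issue: the rule as reported (one string, split only for width) and h0g3's fix.
BROKEN_RULE = (
    'alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)"; '
    'flow: established, to_server; content: "?&"; http_raw_uri; pcre: "/.(?:bat|cmd)?&/I"; '
    'reference: cve, 2019-0232; reference: wwws.nightwatchcybersecurity.com/2019/04/30/'
    'remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232; '
    'reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; '
    'classtype: attempted-admin; sid: 10004953; rev: 1;)'
)
FIXED_RULE = BROKEN_RULE.replace("reference: wwws.", "reference: url, wwws.")

def split_options(rule):
    """Split the parenthesised option block into (keyword, argument) pairs; ';' inside quotes is literal."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:                       # character after a backslash is literal
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    options.append("".join(buf))          # whatever follows the last ';' (normally empty)
    pairs = []
    for opt in (o.strip() for o in options):
        if opt:
            key, sep, arg = opt.partition(":")
            pairs.append((key.strip(), arg.strip() if sep else None))
    return pairs

def check_references(rule):
    """One message per malformed 'reference' option; an empty list means all are well-formed."""
    problems = []
    for key, arg in split_options(rule):
        if key != "reference":
            continue
        ref_type, sep, value = (arg or "").partition(",")
        if not sep or not value.strip():
            problems.append("reference is not '<type>, <value>': %r" % arg)
        elif ref_type.strip().lower() not in KNOWN_REFERENCE_TYPES:
            problems.append("unknown reference type %r" % ref_type.strip())
    return problems
```

Running `check_references` over a ruleset before loading it surfaces this class of error without waiting for Suricata's parser to reject the whole file.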

@chrislujan thank you for your report. Fixed.