MISP / MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform

Home Page: https://www.misp-project.org/

Bug: Suricata incorrect formatting

gordnhoo opened this issue

Actual behavior

Output from suricata-update
{"timestamp":"2024-05-29T12:42:23.120873+0000","log_level":"Error","event_type":"engine","engine":{"message":"error parsing signature \"alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: \"MISP e223820 [] Outgoing URL http|3a|//notifyhubss.net/41a43b03au34a94c25la184a3dcl83e9e910.html__|3b|!!oepyz6q!_kirtjw-n6i2mzefyogwusunh_tmn2ogzbodhlwjjk-ste4vlqnlbndy1smjqdlf35_mpu_dozg-reskw45mcpk39a$\"; flow:to_server,established; http.header; content:\"notifyhubss.net\"; fast_pattern; nocase; http.uri; content:\"/41a43b03au34a94c25la184a3dcl83e9e910.html__;!!oepyz6q!_kirtjw-n6i2mzefyogwusunh_tmn2ogzbodhlwjjk-ste4vlqnlbndy1smjqdlf35_mpu_dozg-reskw45mcpk39a$\"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:359272196; rev:1; priority:2; reference:url,https://example.com/events/view/223820;)\" from file /var/lib/suricata/rules/suricata.rules at line 6945","thread_name":"Suricata-Main","module":"detect"}}

Expected behavior

Should have the correct parsing

Steps to reproduce

Run suricata-update on the MISP API example.com/attributes/restSearch/returnFormat:suricata/threat_level_id:2/publish_timestamp:168h

Version

2.4.171

Operating System

Debian

Operating System version

12

PHP version

/

Browser

/

Browser version

/

Relevant log output

{"timestamp":"2024-05-29T12:42:23.120873+0000","log_level":"Error","event_type":"engine","engine":{"message":"error parsing signature \"alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: \"MISP e223820 [] Outgoing URL http|3a|//notifyhubss.net/41a43b03au34a94c25la184a3dcl83e9e910.html__|3b|!!oepyz6q!_kirtjw-n6i2mzefyogwusunh_tmn2ogzbodhlwjjk-ste4vlqnlbndy1smjqdlf35_mpu_dozg-reskw45mcpk39a$\"; flow:to_server,established; http.header; content:\"notifyhubss.net\"; fast_pattern; nocase; http.uri; content:\"/41a43b03au34a94c25la184a3dcl83e9e910.html__;!!oepyz6q!_kirtjw-n6i2mzefyogwusunh_tmn2ogzbodhlwjjk-ste4vlqnlbndy1smjqdlf35_mpu_dozg-reskw45mcpk39a$\"; nocase; tag:session,600,seconds; classtype:trojan-activity; sid:359272196; rev:1; priority:2; reference:url,https://example.com/events/view/223820;)\" from file /var/lib/suricata/rules/suricata.rules at line 6945","thread_name":"Suricata-Main","module":"detect"}}

Extra attachments

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
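In the rejected rule above, the URL's semicolon appears as |3b| in msg but as a raw `;` inside the http.uri content pattern; Suricata's rule documentation lists `"`, `;`, `:` and `|` as characters that must be written in hex notation inside content. The following is an added example, not MISP or Suricata code: a lint pass that flags content patterns carrying those characters outside hex blocks, plus an escaper. The function names are hypothetical, the sample rule is constructed, and hex-encoding the backslash is an extra precaution assumed here.

```python
import re

# Reserved inside content per the Suricata rule docs, plus backslash
# (assumption: encoded too, since the parser treats it as an escape).
RESERVED = {'"', ';', ':', '|', '\\'}

CONTENT_RE = re.compile(r'content:\s*!?"((?:[^"\\]|\\.)*)"')
HEX_BLOCK_RE = re.compile(r'\|[0-9A-Fa-f ]+\|')


def escape_content(value: str) -> str:
    """Encode reserved and non-printable bytes as |hex| runs."""
    out, hex_run = [], []
    for b in value.encode("utf-8"):
        if chr(b) in RESERVED or b < 0x20 or b > 0x7E:
            hex_run.append(f"{b:02x}")
            continue
        if hex_run:
            out.append("|" + " ".join(hex_run) + "|")
            hex_run = []
        out.append(chr(b))
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)


def unescaped_in_content(rule: str):
    """Return (content value, offending characters) for each bad pattern."""
    findings = []
    for value in CONTENT_RE.findall(rule):
        plain = HEX_BLOCK_RE.sub("", value)   # drop |3b|-style blocks
        plain = re.sub(r"\\.", "", plain)     # drop backslash escapes
        bad = sorted({c for c in plain if c in RESERVED})
        if bad:
            findings.append((value, bad))
    return findings


# Constructed sample with the same shape as the rule in the log output.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"constructed sample"; flow:to_server,established; '
    'http.header; content:"example.test"; nocase; '
    'http.uri; content:"/a.html__;!!token$"; nocase; sid:1; rev:1;)'
)

if __name__ == "__main__":
    for value, bad in unescaped_in_content(SAMPLE_RULE):
        print(f"unescaped {bad} in content {value!r} -> {escape_content(value)!r}")
```

Running the check over the downloaded rule file before handing it to Suricata surfaces such rules by sid instead of as an engine parse error at load time.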