pfSense - Suricata Logging 'trojan' Messages Immediately After CRON Lists Update Job

G’day Tom and fellow pfSensers

I’ve been running a new fairly vanilla pfSense 2.4.4-RELEASE-p3 VM under Hyper-V for a few days now for testing of home suitability. I noted just over an hour ago after the CRON job ran to update Suricata’s daily update check, there are a bunch of entries in /var/log/suricata/suricata_hn061107/suricata.log that have me scratching my head and wondering if I should be worried.

17-odd entries that refer to MALWARE-CNC, etc. with a few different trojan names. Apologies in advance for the tl;dr - just wanted to be sure there’s sufficient info for completeness:

19/2/2020 – 00:31:16 - – This is Suricata version 4.1.6 RELEASE
19/2/2020 – 00:31:16 - – CPUs/cores online: 1
19/2/2020 – 00:31:16 - – HTTP memcap: 67108864
19/2/2020 – 00:31:16 - – using flow hash instead of active packets
19/2/2020 – 00:31:16 - – alert-pf -> Creating automatic firewall interface IP address Pass List.
19/2/2020 – 00:31:16 - – alert-pf -> adding firewall interface lo0 IPv6 address...
19/2/2020 – 00:31:16 - – alert-pf output device (regular) initialized: block.log
19/2/2020 – 00:31:16 - – alert-pf -> Pass List /usr/local/etc/suricata/suricata_61107_hn0/passlist parsed: 12 IP addresses loaded.
19/2/2020 – 00:31:16 - – alert-pf -> Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses.
19/2/2020 – 00:31:16 - – alert-pf -> Firewall interface IP address change notification monitoring thread started.
19/2/2020 – 00:31:16 - – alert-pf output initialized, pf-table=snort2c block-ip=both kill-state=on block-drops-only=off
19/2/2020 – 00:31:16 - – fast output device (regular) initialized: alerts.log
19/2/2020 – 00:31:16 - – http-log output device (regular) initialized: http.log
19/2/2020 – 00:31:16 - – tls-log output device (regular) initialized: tls.log
19/2/2020 – 00:31:16 - – stats output device (regular) initialized: stats.log
19/2/2020 – 00:31:16 - – Syslog output initialized

19/2/2020 – 00:31:17 - – [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
19/2/2020 – 00:31:17 - – [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,VirusTotal; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_61107_hn0/rules/suricata.rules at line 182
19/2/2020 – 00:31:17 - – [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
19/2/2020 – 00:31:17 - – [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,VirusTotal; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_61107_hn0/rules/suricata.rules at line 206

My Google-fu has come up short and I am struggling to find anything on these messages. Has anyone seen any of this before, do I need to panic?

Greatly appreciate any feedback!

Thanks
HJ
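As an added example (not code from the post, and not part of pfSense or Suricata), here is a small Python triage script that separates the two kinds of record that can carry a "trojan" string: rule-load errors written to suricata.log when a signature fails to parse at startup, and actual detections written to alerts.log in Suricata's "fast" format. The sample lines are constructed: the suricata.log lines are modelled on the excerpt in the post (quotes straightened, the split signature text joined back into one line, rule bodies shortened, log-level tags written the way Suricata emits them), and the alerts.log line with SID 1000001 and its addresses is an invented placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of suricata.log, modelled on the excerpt in the post.
SURICATA_LOG = """\
19/2/2020 -- 00:31:16 - <Notice> - This is Suricata version 4.1.6 RELEASE
19/2/2020 -- 00:31:17 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
19/2/2020 -- 00:31:17 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; classtype:trojan-activity; sid:25675; rev:7;)" from file /usr/local/etc/suricata/suricata_61107_hn0/rules/suricata.rules at line 182
19/2/2020 -- 00:31:17 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; classtype:trojan-activity; sid:26470; rev:2;)" from file /usr/local/etc/suricata/suricata_61107_hn0/rules/suricata.rules at line 206
"""

# Constructed alerts.log line in Suricata "fast" format; SID and hosts are placeholders.
ALERTS_LOG = """\
02/19/2020-00:45:01.123456  [**] [1:1000001:1] EXAMPLE constructed alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80
"""

# Engine error record: "[ERRCODE: NAME(num)] - detail"
RULE_LOAD_ERR = re.compile(r'\[ERRCODE: (?P<code>[A-Z_]+)\((?P<num>\d+)\)\] - (?P<detail>.*)$')
# Detail of a signature that failed to parse, with the rule file and line it came from.
SIG_PARSE = re.compile(r'error parsing signature "(?P<rule>.*)" from file (?P<file>\S+) at line (?P<lineno>\d+)')
MSG = re.compile(r'msg:"(?P<msg>[^"]*)"')
SID = re.compile(r'sid:(?P<sid>\d+)')
# A real detection in fast format: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
FAST_ALERT = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$')


@dataclass
class Event:
    kind: str                     # "alert", "rule_load_error" or "other"
    sid: Optional[int] = None
    msg: Optional[str] = None
    detail: Optional[str] = None  # rule file:line for load errors
    src: Optional[str] = None
    dst: Optional[str] = None


def classify_line(line: str) -> Event:
    """Decide whether a log line is a detection, a rule-load error, or noise."""
    line = line.rstrip("\n")
    m = FAST_ALERT.match(line)
    if m:
        return Event("alert", int(m["sid"]), m["msg"], None, m["src"], m["dst"])
    m = RULE_LOAD_ERR.search(line)
    if m:
        sig = SIG_PARSE.search(m["detail"])
        if sig:
            msg = MSG.search(sig["rule"])
            sid = SID.search(sig["rule"])
            return Event("rule_load_error",
                         int(sid["sid"]) if sid else None,
                         msg["msg"] if msg else None,
                         f"{sig['file']}:{sig['lineno']}")
        return Event("rule_load_error", None, None, m["detail"])
    return Event("other")


def triage(text: str) -> dict:
    """Summarise a log: real alerts versus signatures that never loaded."""
    events = [classify_line(l) for l in text.splitlines() if l.strip()]
    return {
        "alerts": [e for e in events if e.kind == "alert"],
        "rules_failed_to_load": sorted({e.sid for e in events
                                        if e.kind == "rule_load_error" and e.sid}),
        "rule_load_error_lines": sum(e.kind == "rule_load_error" for e in events),
        "other": sum(e.kind == "other" for e in events),
    }


if __name__ == "__main__":
    for name, text in (("suricata.log", SURICATA_LOG), ("alerts.log", ALERTS_LOG)):
        print(name, triage(text))
```

The point of keeping the two record types apart: a signature that fails to parse is rejected at load time and is never active, so its msg text (the "trojan" name) appears only in the SC_ERR_INVALID_SIGNATURE line, with no source or destination host attached. A real detection shows up in alerts.log with a SID, a flow and a timestamp, which is the record to chase back to a machine.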

Might be a malware, might be a false positive. This is what SOC Engineers spend a lot of time figuring out. Take a close look at the machine the issues originated from and determine if there is really an issue.

A shame I’m not a SOC engineer! Thanks, Tom - appreciate your thoughts. Will pore over them quite a bit more then, and hope I can find a semblance of an answer!

Loving your YouTube videos - keep 'em coming!

Cheers
HJ
