Bug #1857
Status: closed
Extra character in alert signature msg in Suricata 3.0.1
Description
We verified that the rule file has the msg field set as follows:
alert tcp $HOME_NET any -> any any (msg: "CrowdStrike MiniRandRAT Command error (TCP)"; classtype: trojan-activity; sid: 181510203; rev: 20160513;)
The output from Suricata into eve.json shows the msg field content, but with a leading \", which is very unexpected, as shown here:
"signature":"\"CrowdStrike MiniRandRAT Command error (TCP)"
The extra \" at the beginning of the signature is the problem we are seeing. We are not sure where the \" is coming from, and this has blown alerts and filtering out of the water, as we would expect. FYI: we have purchased this rule from a vendor, so some of the logic in the rule has been removed, but that doesn't seem to affect the issue here, as the signature is currently the incorrectly reported value.
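An added example, not code from the report or from Suricata, showing one way the reported output can arise and how to find affected alerts in eve.json. The rule above is written with a space between `msg:` and the opening quote; this example assumes (it is a hypothesis, not something the report establishes) that the option parser trims exactly one character from each end of the value, which removes the space and the closing quote and leaves the opening quote behind. It contrasts that with a parser that trims whitespace first, and then scans constructed eve.json lines for signatures that start with an unmatched quote. The helper names (`rule_options`, `naive_msg`, `robust_msg`, `find_misrendered`, `normalize_signature`) and the sample log lines are all made up for this illustration.

```python
import json

# Constructed sample rules. The first keeps the exact 'msg: "' spacing from the
# report; the second is the same rule with no space after 'msg:'.
RULE_WITH_SPACE = (
    'alert tcp $HOME_NET any -> any any ('
    'msg: "CrowdStrike MiniRandRAT Command error (TCP)"; '
    'classtype: trojan-activity; sid: 181510203; rev: 20160513;)'
)
RULE_WITHOUT_SPACE = RULE_WITH_SPACE.replace('msg: "', 'msg:"')


def rule_options(rule):
    """Split the option block of a rule into (keyword, raw value) pairs.

    Values are returned untrimmed so the two msg extractors below can be
    compared on identical input. Good enough for rules whose values contain
    no ';' (true of the sample above); not a full rule parser.
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    for item in body.split(';'):
        if not item.strip():
            continue
        key, _, val = item.partition(':')
        opts.append((key.strip(), val))
    return opts


def naive_msg(rule):
    """Assumed buggy extractor: drop one character from each end of the value,
    taking them to be the quotes. With 'msg: "..."' the first character is the
    space, so the opening quote survives and the output starts with '"'."""
    for key, val in rule_options(rule):
        if key == 'msg':
            return val[1:-1]
    return None


def robust_msg(rule):
    """Whitespace-tolerant extractor: trim, then strip a matching pair of quotes."""
    for key, val in rule_options(rule):
        if key == 'msg':
            val = val.strip()
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]
            return val
    return None


# Constructed eve.json lines (the JSON escapes the quote as \" just as the
# report shows). One alert carries the mis-rendered signature, one is clean,
# and one is not an alert at all.
EVE_LINES = [
    '{"timestamp":"2016-05-13T10:00:00.000000+0000","event_type":"alert",'
    '"alert":{"signature_id":181510203,"rev":20160513,'
    '"signature":"\\"CrowdStrike MiniRandRAT Command error (TCP)",'
    '"category":"A Network Trojan was detected"}}',
    '{"timestamp":"2016-05-13T10:00:01.000000+0000","event_type":"alert",'
    '"alert":{"signature_id":2100498,"rev":7,'
    '"signature":"GPL ATTACK_RESPONSE id check returned root",'
    '"category":"Potentially Bad Traffic"}}',
    '{"timestamp":"2016-05-13T10:00:02.000000+0000","event_type":"flow"}',
]


def find_misrendered(eve_lines):
    """Return (sid, signature) for alerts whose signature begins with a quote,
    i.e. the rules whose msg was parsed as in naive_msg()."""
    hits = []
    for line in eve_lines:
        event = json.loads(line)
        if event.get('event_type') != 'alert':
            continue
        sig = event['alert']['signature']
        if sig.startswith('"'):
            hits.append((event['alert']['signature_id'], sig))
    return hits


def normalize_signature(sig):
    """Drop an unmatched leading quote so downstream matching on the msg text
    works again while the rule file or parser is being fixed."""
    if sig.startswith('"') and not sig.endswith('"'):
        return sig[1:]
    return sig


if __name__ == '__main__':
    print('naive :', naive_msg(RULE_WITH_SPACE))
    print('robust:', robust_msg(RULE_WITH_SPACE))
    for sid, sig in find_misrendered(EVE_LINES):
        print(sid, repr(sig), '->', repr(normalize_signature(sig)))
```

Running the block prints the naive result with the stray leading quote and the robust result without it, then lists sid 181510203 as the only mis-rendered alert. As a quick check on a real deployment, the same scan can be run over the actual eve.json to list every sid affected, and the rule file can be grepped for `msg: "` to see which rules have the space after the keyword.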