Support #4913

closed

[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled suricata version 6.0.3_3

Added by lingfu feng over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Affected Versions:
Label:

Description

16/12/2021 -- 08:56:55 - <Notice> -- This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
16/12/2021 -- 08:56:55 - <Info> -- CPUs/cores online: 8
16/12/2021 -- 08:56:56 - <Info> -- HTTP memcap: 67108864
16/12/2021 -- 08:56:56 - <Info> -- fast output device (regular) initialized: alerts.log
16/12/2021 -- 08:56:56 - <Info> -- http-log output device (regular) initialized: http.log

16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled 

16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)" from file /usr/local/etc/suricata/suricata_36290_igb2/rules/suricata.rules at line 4066
16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible RustyBuer Server Response"; flowbits:isset,ET.rustybuer; ja3s.hash; content:"f6dfdd25d1522e4e1c7cd09bd37ce619"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032960; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)" from file /usr/local/etc/suricata/suricata_36290_igb2/rules/suricata.rules at line 4185
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected"; flow:to_server,established; file_data; content:"POST"; http_method; content:"|00 09 00 00|"; depth:5; offset:1; fast_pattern; content:!"|00|"; depth:1; byte_test:1,<=,2,0; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:43364; rev:5;)" from file /usr/local/etc/suricata/suricata_36290_igb2/rules/suricata.rules at line 27004
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 11 smaller than content len 17
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scranos variant outbound connection"; flow:to_server,established; content:"/fb/apk/index.php"; fast_pattern:only; http_uri; urilen:<10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/url/02736e4c0b9fe923602cfe739f05d82c7141fd36581b3dc7cec65cf20f9cc1a0/detection; classtype:trojan-activity; sid:50525; rev:1;)" from file /usr/local/etc/suricata/suricata_36290_igb2/rules/suricata.rules at line 30402
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.

Files

suricata.log (3.97 KB) - lingfu feng, 12/16/2021 01:31 AM
suricata.yaml (70.9 KB) - lingfu feng, 12/16/2021 10:08 AM
suricata3.yaml (11.7 KB) - lingfu feng, 12/16/2021 10:10 AM
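The log in the description shows the pattern behind this ticket: Suricata first logs the cause (SC_WARN_JA3_DISABLED when JA3 fingerprinting is off in suricata.yaml, or a defect in the rule itself such as a sticky buffer left set or a depth/urilen smaller than the content), then an SC_ERR_INVALID_SIGNATURE line naming the rule it could not load. A rule that fails to parse is skipped, so the JA3 signatures never alert. The script below is an added example, not part of the ticket and not Suricata's own code: it pairs each failed rule with the cause logged just before it, extracts the sid and rule-file location, and attaches a remediation hint. The sample log lines, sids, rule paths and all-zero hashes are constructed; the hint wording is mine, and the suricata.yaml key it names (app-layer.protocols.tls.ja3-fingerprints) is the one in Suricata's shipped configuration.

```python
"""Triage rule-load failures in a Suricata log.

Suricata logs the cause first (a warning such as SC_WARN_JA3_DISABLED, or a
rule defect such as a sticky-buffer misuse) and then an
SC_ERR_INVALID_SIGNATURE line naming the rule it dropped. This script pairs
the two, pulls out the sid and rule-file location, and attaches a hint.
Sample log, hint wording and the hypothetical rules are constructed here.
"""
import re
from collections import Counter

# Constructed sample in the shape of the ticket's suricata.log: shortened rules,
# all-zero placeholder hashes (not real fingerprints), made-up sids and paths.
SAMPLE_LOG = """\
16/12/2021 -- 08:56:55 - <Notice> -- This is Suricata version 6.0.3 RELEASE running in SYSTEM mode
16/12/2021 -- 08:56:56 - <Info> -- fast output device (regular) initialized: alerts.log

16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled 
16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE JA3 client hash"; ja3.hash; content:"00000000000000000000000000000000"; sid:9000001; rev:1;)" from file /tmp/example.rules at line 10
16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
16/12/2021 -- 08:56:56 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE JA3S server hash"; ja3s.hash; content:"00000000000000000000000000000000"; sid:9000002; rev:1;)" from file /tmp/example.rules at line 11
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_method" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE sticky buffer misuse"; file_data; content:"POST"; http_method; sid:9000003; rev:1;)" from file /tmp/example.rules at line 12
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 11 smaller than content len 17
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE urilen too short"; content:"/fb/apk/index.php"; http_uri; urilen:<10; sid:9000004; rev:1;)" from file /tmp/example.rules at line 13
16/12/2021 -- 08:57:01 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword seen with a sticky buffer still set.  Reset sticky buffer with pkt_data before using the modifier.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)> -- (?P<msg>.*)$")
CODE_RE = re.compile(r"^\[ERRCODE: (?P<code>\w+)\(\d+\)\] - (?P<text>.*)$")
SIG_RE = re.compile(r'^error parsing signature "(?P<rule>.*)" from file (?P<path>\S+) at line (?P<line>\d+)$')
SID_RE = re.compile(r"\bsid:(\d+);")

# Substring of the logged cause -> what to do about it (this script's own wording).
HINTS = (
    ("support is not enabled",
     "enable JA3: set app-layer.protocols.tls.ja3-fingerprints: yes in suricata.yaml and restart"),
    ("sticky buffer still set",
     "rule mixes a sticky buffer (e.g. file_data) with a legacy modifier; fix or disable the sid"),
    ("smaller than content len",
     "rule's depth/urilen cannot hold its content match; fix or disable the sid"),
)


def hint_for(cause):
    """Map a logged cause to a remediation hint; unknown causes get a generic one."""
    for needle, hint in HINTS:
        if cause and needle in cause:
            return hint
    return "unrecognised cause; inspect the rule by hand"


def triage(log_text):
    """Return one dict per failed rule: sid, path, line, cause, hint.

    A cause line that is never followed by a rule (log cut off) is reported
    with sid/path/line set to None so it is not silently lost.
    """
    failures = []
    pending = None  # most recent cause line not yet paired with a rule
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("level") not in ("Error", "Warning"):
            continue
        c = CODE_RE.match(m.group("msg"))
        if not c:
            continue
        sig = SIG_RE.match(c.group("text"))
        if sig is None:
            pending = c.group("text")  # hold the cause until its rule follows
            continue
        sid_m = SID_RE.search(sig.group("rule"))
        failures.append({
            "sid": int(sid_m.group(1)) if sid_m else None,
            "path": sig.group("path"),
            "line": int(sig.group("line")),
            "cause": pending,
            "hint": hint_for(pending),
        })
        pending = None
    if pending is not None:
        failures.append({"sid": None, "path": None, "line": None,
                         "cause": pending, "hint": hint_for(pending)})
    return failures


def summarize(failures):
    """Count failed rules per remediation hint, most common first."""
    return Counter(f["hint"] for f in failures).most_common()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"sid={f['sid']} {f['path']}:{f['line']} :: {f['cause']}\n    -> {f['hint']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a real suricata.log by reading the file into triage(); the summary tells you at a glance whether a batch of load failures is one configuration problem (JA3 off) or a set of individual rule defects, which is the distinction the first reply asks about.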
Actions #1

Updated by Shivani Bhardwaj over 3 years ago

  • Tracker changed from Bug to Support
  • Status changed from New to Assigned

Could you please explain what is the issue?

Do you have JA3 fingerprinting enabled in your suricata.yaml?

And, how is this a suricata-update issue?

Please let me know these details so I can assist you further.

Actions #2

Updated by lingfu feng over 3 years ago

Shivani Bhardwaj wrote in #note-1:

Could you please explain what is the issue?

Do you have JA3 fingerprinting enabled in your suricata.yaml?

And, how is this a suricata-update issue?

Please let me know these details so I can assist you further.

Alerts: no new data.
Thanks

Actions #3

Updated by Victor Julien over 3 years ago

  • Description updated (diff)

Actions #4

Updated by Victor Julien over 3 years ago

  • Status changed from Assigned to Feedback

I think this needs more explanation of what the actual issue experience is. Right now the report is too cryptic.

Actions #5

Updated by Shivani Bhardwaj over 3 years ago

  • Project changed from Suricata-Update to Suricata

Actions #6

Updated by Shivani Bhardwaj over 3 years ago

  • Status changed from Feedback to Closed

Closing due to inactivity. If you think the issue needs further attention, please create a post on our forum forum.suricata.io for support. Thank you!
