Can't get Suricata to work, been researching and messing with the conf file for two days. I have been wanting to get experience with network forensics using the NETRESEC tutorials and running pcaps through Suricata using -r option.
suricata -r /opt/samples/zeus-sample-1.pcap -c /etc/nsm/sans-virtual-machine-eth1/suricata.yaml
Here are the multiple errors I am getting. Googling just leads me to dead ends. I tried using --list-runmodes and that didnt work either.
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pingAddr=[&]*?%26/Ii"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pingAddr=[&]*?%26/Ii"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:2" from file /etc/nsm/rules/downloaded.rules at line
35748 18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_client_body; pcre:"/(|&)pingAddr=[&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_client_body; pcre:"/(|&)pingAddr=[&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:2" from file /etc/nsm/rules/downloaded.rules at line 35749
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s=\s[\x22\x27]?pingAddr((?!--).)?[\r\n]{2,}((?!--).)?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s=\s[\x22\x27]?pingAddr((?!--).)?[\r\n]{2,}((?!--).)?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2" from file /etc/nsm/rules/downloaded.rules at line 35750
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established; urilen:>64; content:"/deleteOfflineClient.cgi"; fast_patternnly; http_uri; content:"delete_offline_client="; http_uri; pcre:"/[?&]delete_offline_client=[&]{14}/Ui"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-12754; classtype:attempted-admin; sid:45412; rev:3"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established; urilen:>64; content:"/deleteOfflineClient.cgi"; fast_patternnly; http_uri; content:"delete_offline_client="; http_uri; pcre:"/[?&]delete_offline_client=[&]{14}/Ui"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-12754; classtype:attempted-admin; sid:45412; rev:3" from file /etc/nsm/rules/downloaded.rules at line 35950
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_patternnly; set. Can't have relative keywords around a fast_pattern only content
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_patternnly; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadataolicy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2" from file /etc/nsm/rules/downloaded.rules at line 35952
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_patternnly; http_uri; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_patternnly; http_uri; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2" from file /etc/nsm/rules/downloaded.rules at line 36143
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp any any -> any $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"sleep("; within:200; fast_pattern; http_header; pcre:"/User-Agent\x3A\x20[\r\n]*sleep\x28/H"; metadataolicy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:8"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"sleep("; within:200; fast_pattern; http_header; pcre:"/User-Agent\x3A\x20[\r\n]*sleep\x28/H"; metadataolicy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:8" from file /etc/nsm/rules/downloaded.rules at line 36161
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_patternnly; metadataolicy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_patternnly; metadataolicy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16" from file /etc/nsm/rules/downloaded.rules at line 36177
18/2/2018 -- 13:20:06 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - failed to open /var/log/nsm//snort.unified2.1518960006: Permission denied
18/2/2018 -- 13:20:06 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
18/2/2018 -- 13:20:06 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/nsm//stats.log": Permission denied 18/2/2018 -- 13:20:06 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
18/2/2018 -- 13:20:06 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
18/2/2018 -- 13:20:06 - <Error> - [ERRCODE: SC_ERR_RUNMODE(187)] - The custom type "workers" doesn't exist for this runmode type "PCAP_FILE". Please use --list-runmodes to see available custom types for this runmode
suricata -r /opt/samples/zeus-sample-1.pcap -c /etc/nsm/sans-virtual-machine-eth1/suricata.yaml
Here are the multiple errors I am getting. Googling just leads me to dead ends. I tried using --list-runmodes and that didnt work either.
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pingAddr=[&]*?%26/Ii"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pingAddr=[&]*?%26/Ii"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:2" from file /etc/nsm/rules/downloaded.rules at line
35748 18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_client_body; pcre:"/(|&)pingAddr=[&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr="; nocase; http_client_body; pcre:"/(|&)pingAddr=[&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:2" from file /etc/nsm/rules/downloaded.rules at line 35749
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s=\s[\x22\x27]?pingAddr((?!--).)?[\r\n]{2,}((?!--).)?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_patternnly; http_uri; content:"pingAddr"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s=\s[\x22\x27]?pingAddr((?!--).)?[\r\n]{2,}((?!--).)?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2" from file /etc/nsm/rules/downloaded.rules at line 35750
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established; urilen:>64; content:"/deleteOfflineClient.cgi"; fast_patternnly; http_uri; content:"delete_offline_client="; http_uri; pcre:"/[?&]delete_offline_client=[&]{14}/Ui"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-12754; classtype:attempted-admin; sid:45412; rev:3"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established; urilen:>64; content:"/deleteOfflineClient.cgi"; fast_patternnly; http_uri; content:"delete_offline_client="; http_uri; pcre:"/[?&]delete_offline_client=[&]{14}/Ui"; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-12754; classtype:attempted-admin; sid:45412; rev:3" from file /etc/nsm/rules/downloaded.rules at line 35950
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_patternnly; set. Can't have relative keywords around a fast_pattern only content
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DNNPersonalization remote code execution attempt"; flow:to_server,established; content:"DNNPersonalization"; fast_patternnly; content:"DNNPersonalization"; http_cookie; content:"System.Data.Services.Internal.ExpandedWrapper"; within:100; http_cookie; content:"System.Windows.Data.ObjectDataProvider"; within:200; http_cookie; metadataolicy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-9822; reference:url,www.dnnsoftware.com/community/security/security-center; classtype:attempted-admin; sid:45414; rev:2" from file /etc/nsm/rules/downloaded.rules at line 35952
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_patternnly; http_uri; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_patternnly; http_uri; metadataolicy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2" from file /etc/nsm/rules/downloaded.rules at line 36143
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp any any -> any $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"sleep("; within:200; fast_pattern; http_header; pcre:"/User-Agent\x3A\x20[\r\n]*sleep\x28/H"; metadataolicy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:8"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"sleep("; within:200; fast_pattern; http_header; pcre:"/User-Agent\x3A\x20[\r\n]*sleep\x28/H"; metadataolicy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:8" from file /etc/nsm/rules/downloaded.rules at line 36161
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_patternnly; metadataolicy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16"
18/2/2018 -- 13:20:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_patternnly; metadataolicy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16" from file /etc/nsm/rules/downloaded.rules at line 36177
18/2/2018 -- 13:20:06 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - failed to open /var/log/nsm//snort.unified2.1518960006: Permission denied
18/2/2018 -- 13:20:06 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
18/2/2018 -- 13:20:06 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/nsm//stats.log": Permission denied 18/2/2018 -- 13:20:06 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
18/2/2018 -- 13:20:06 - <Warning> - [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
18/2/2018 -- 13:20:06 - <Error> - [ERRCODE: SC_ERR_RUNMODE(187)] - The custom type "workers" doesn't exist for this runmode type "PCAP_FILE". Please use --list-runmodes to see available custom types for this runmode