PigButcher Credential Phish Landing Page Rules Error on Suricata 7

Hi All,

3 rules from [Ruleset Update Summary - 2024/08/28 - v10676] are causing errors on Suricata version 7 due to http_content_type misplacement.
sid:2055541
sid:2055542
sid:2055543

Current rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PigButcher Credential Phish Landing Page M2 2024-08-05"; flow:established,to_client; content:"200"; http_stat_code; content:"application/javascript"; http_content_type; file_data; content:"/home"; content:"/login"; distance:0; content:"/register"; distance:0; content:"/registrationAgreement"; fast_pattern; distance:0; content:"/customerServices"; distance:0; content:"backgroundImage"; distance:0; content:"logo"; distance:0; content:"popUpImage"; content:"copyright"; content:"currencyUnit"; content:"name"; classtype:trojan-activity; sid:2055541; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_08_28, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Phishing, updated_at 2024_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)

Proposed fix:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PigButcher Credential Phish Landing Page M2 2024-08-05"; flow:established,to_client;
content:"200"; http_stat_code;
http_content_type; content:"application/javascript";
file_data; content:"/home"; content:"/login"; distance:0; content:"/register"; distance:0; content:"/registrationAgreement"; fast_pattern; distance:0; content:"/customerServices"; distance:0; content:"backgroundImage"; distance:0; content:"logo"; distance:0; content:"popUpImage"; content:"copyright"; content:"currencyUnit"; content:"name";
classtype:trojan-activity; sid:2055541; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_08_28, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Phishing, updated_at 2024_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)

Hi @ar3s, I’ll look into this and provide an update accordingly. :hotdog:

Hi @ar3s,

I’ve reviewed this query and here are my notes:

  • The sids (2055541, 2055542, 2055543) were internally validated against suricata-7.0.3 and they did not cause Suricata 7 syntax errors.

  • In your query, the provided rule (2055541) appears to use Suricata 4 syntax and not Suricata 7. For example, Suricata 4 and older use sticky buffers with underscores (http_content_type). Suricata 5 and above use dots (http.content_type).

If you try running Suricata 4 rules against a Suricata 7 engine, errors are expected not only for (2055541, 2055542, 2055543) but for all Suricata 4 rules provided.

As an initial troubleshooting step, could you please check which ruleset version was used against your Suricata 7 engine? If it's Suricata 4, then the errors were caused by a ruleset mismatch. Otherwise, we can dig into this a bit more.

Cheers,
:hotdog:


Hi @bingohotdog,

Sorry, I just got back to work today.

I am using Suricata 7.0.5 to test the rules.

Kind Regards,
ar3s

[290] Notice: suricata: This is Suricata version 7.0.5 RELEASE running in USER mode
[290] Error: detect: previous sticky buffer has no matches
[290] Error: detect: error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PigButcher Credential Phish Landing Page M2 2024-08-05"; flow:established,to_client; content:"200"; http_stat_code; content:"application/javascript"; http_content_type; file_data; content:"/home"; content:"/login"; distance:0; content:"/register"; distance:0; content:"/registrationAgreement"; fast_pattern; distance:0; content:"/customerServices"; distance:0; content:"backgroundImage"; distance:0; content:"logo"; distance:0; content:"popUpImage"; content:"copyright"; content:"currencyUnit"; content:"name"; classtype:trojan-activity; sid:2055541; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_08_28, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Phishing, updated_at 2024_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)" from file /mnt/c/TW-Tools/Projects/CVE/CVE-2024-28987/cve-2024-28987.rules at line 1

Kind Regards,
ar3s
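The engine error quoted above ("previous sticky buffer has no matches") is an ordering check: a sticky buffer keyword selects the buffer for the content matches that follow it, so a content placed before http_content_type leaves that buffer empty when the next buffer (file_data) is selected. The following is an added example written for this thread, not code from the Emerging Threats ruleset or from Suricata itself. It reproduces that check on a trimmed copy of sid 2055541 (metadata dropped) and on the reordered version; the keyword lists are partial and the "dotted name without an argument" heuristic for Suricata 5+ buffers is an assumption of this example.

```python
"""Flag sticky buffers that are left without a match in a Suricata rule.

Added example for this thread, not code from the ET ruleset or Suricata.
A sticky buffer keyword (http_content_type, file_data, ...) selects the buffer
for the content matches that FOLLOW it, so
  content:"application/javascript"; http_content_type; file_data;
leaves http_content_type empty and the parser rejects the rule with
"previous sticky buffer has no matches". The keyword sets below are partial
and are an assumption of this example, not an exhaustive table.
"""

# Legacy underscore-style sticky buffers (Suricata 4 syntax, still parsed by 7).
LEGACY_STICKY_BUFFERS = {
    "http_content_type", "http_content_len", "http_request_line",
    "http_response_line", "http_header_names", "http_accept",
    "http_accept_lang", "http_accept_enc", "http_connection", "http_protocol",
    "http_start", "http_referer", "file_data", "dns_query", "tls_sni",
}
# Keywords that count as a match inside the currently selected buffer.
MATCH_KEYWORDS = {"content", "pcre"}


def split_options(rule):
    """Split the text inside the rule's outer parentheses on ';' characters
    that are not inside double quotes; returns the option strings in order."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            if "".join(current).strip():
                options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        options.append("".join(current).strip())
    return options


def is_sticky_buffer(option):
    """Legacy underscore keywords, plus (heuristic) the Suricata 5+ dotted
    forms such as http.uri, which take no argument."""
    name = option.split(":", 1)[0].strip()
    return name in LEGACY_STICKY_BUFFERS or ("." in name and ":" not in option)


def lint_sticky_buffers(rule):
    """Return a list of problem strings; an empty list means every sticky
    buffer selected in the rule is followed by at least one match keyword."""
    problems = []
    pending = None  # sticky buffer selected but not yet used by a match
    for option in split_options(rule):
        name = option.split(":", 1)[0].strip()
        if is_sticky_buffer(option):
            if pending is not None:
                problems.append(f"{pending}: previous sticky buffer has no matches")
            pending = name
        elif name in MATCH_KEYWORDS:
            pending = None
    if pending is not None:
        problems.append(f"{pending}: previous sticky buffer has no matches")
    return problems


# Trimmed copy of sid 2055541 from the thread (metadata dropped for brevity).
BROKEN_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PigButcher '
    'Credential Phish Landing Page M2 2024-08-05"; flow:established,to_client; '
    'content:"200"; http_stat_code; content:"application/javascript"; http_content_type; '
    'file_data; content:"/home"; content:"/login"; distance:0; '
    'content:"/registrationAgreement"; fast_pattern; distance:0; '
    'classtype:trojan-activity; sid:2055541; rev:1;)'
)
# Same rule with the sticky buffer moved in front of its content match.
FIXED_RULE = BROKEN_RULE.replace(
    'content:"application/javascript"; http_content_type;',
    'http_content_type; content:"application/javascript";',
)

if __name__ == "__main__":
    for label, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(label, lint_sticky_buffers(rule) or "ok")
```

Running the file prints one problem for the broken ordering and "ok" for the reordered rule. The same ordering check applies to the 5+ dotted buffers (http.content_type followed by content), which is why the reordered rule is accepted whether the underscore or the dotted spelling is used; the authoritative check remains `suricata -T -S <file>.rules` against the engine version in question.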

Just to add, we are testing the signatures on 4 Suricata versions:
9/9/2024 -- 12:26:25 - <Notice> - This is Suricata version 4.0.7 RELEASE
9/9/2024 -- 12:27:30 - <Notice> - This is Suricata version 5.0.3 RELEASE running in USER mode
9/9/2024 -- 12:28:08 - <Notice> - This is Suricata version 6.0.18 RELEASE running in USER mode
[290] Notice: suricata: This is Suricata version 7.0.5 RELEASE running in USER mode

Nice, so the engine used is Suricata 7.0.5.

The rule you shared appears to be a Suricata 4.0 formatted rule. This rule and other Suricata 4.0 rules are expected to error against Suricata 5+ engines.

Could you try downloading the suricata-7.0.3/ ruleset and see if your errors resolve?
