<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Mon, Jul 23, 2018 at 5:46 AM C. L. Martinez <<a href="mailto:carlopmart@gmail.com">carlopmart@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
 After updating my BSD sensors with the latest Suricata 4.1-rc1, I see the following error when I try to set up some disabled rules via the disable.conf file:<br>
<br>
23/7/2018 -- 11:41:15 - <Info> -- Using data-directory /var/lib/suricata.<br>
23/7/2018 -- 11:41:15 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml<br>
23/7/2018 -- 11:41:15 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.<br>
23/7/2018 -- 11:41:15 - <Info> -- Found Suricata version 4.1.0-rc1 at /usr/local/bin/suricata.<br>
23/7/2018 -- 11:41:15 - <Info> -- Loading /etc/suricata/disable.conf.<br>
Traceback (most recent call last):<br>
  File "/usr/local/bin/suricata-update", line 33, in <module><br>
    sys.exit(main.main())<br>
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 1441, in main<br>
    sys.exit(_main())<br>
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 1247, in _main<br>
    disable_matchers += load_matchers(disable_conf_filename)<br>
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 486, in load_matchers<br>
    return parse_matchers(fileobj)<br>
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 472, in parse_matchers<br>
    line = line.decode().strip()<br>
AttributeError: 'str' object has no attribute 'decode'<br>
<br>
 Content for disable.conf is:<br>
<br>
group:stream-events.rules<br>
<br>
 With the disable.conf file removed, everything works:<br>
<br>
23/7/2018 -- 11:41:37 - <Info> -- Using data-directory /var/lib/suricata.<br>
23/7/2018 -- 11:41:37 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml<br>
23/7/2018 -- 11:41:37 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.<br>
23/7/2018 -- 11:41:37 - <Info> -- Found Suricata version 4.1.0-rc1 at /usr/local/bin/suricata.<br>
23/7/2018 -- 11:41:37 - <Info> -- Loading /etc/suricata/suricata.yaml<br>
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto nfs<br>
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto tftp<br>
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto modbus<br>
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto dnp3<br>
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto enip<br>
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto ntp<br>
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto dhcp<br>
23/7/2018 -- 11:41:37 - <Info> -- Checking <a href="https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules.md5" rel="noreferrer" target="_blank">https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules.md5</a>.<br>
23/7/2018 -- 11:41:37 - <Warning> -- Failed to check remote checksum: HTTP Error 404: Not Found<br>
23/7/2018 -- 11:41:37 - <Info> -- Fetching <a href="https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules" rel="noreferrer" target="_blank">https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules</a>.<br>
 100% - 9855/9855<br>
23/7/2018 -- 11:41:37 - <Info> -- Done.<br>
23/7/2018 -- 11:41:37 - <Info> -- Checking <a href="https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5" rel="noreferrer" target="_blank">https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5</a>.<br>
23/7/2018 -- 11:41:38 - <Info> -- Remote checksum has not changed. Not fetching.<br>
23/7/2018 -- 11:41:38 - <Info> -- Checking <a href="https://sslbl.abuse.ch/blacklist/sslblacklist.rules.md5" rel="noreferrer" target="_blank">https://sslbl.abuse.ch/blacklist/sslblacklist.rules.md5</a>.<br>
23/7/2018 -- 11:41:39 - <Warning> -- Failed to check remote checksum: HTTP Error 404: Not Found<br>
23/7/2018 -- 11:41:39 - <Info> -- Fetching <a href="https://sslbl.abuse.ch/blacklist/sslblacklist.rules" rel="noreferrer" target="_blank">https://sslbl.abuse.ch/blacklist/sslblacklist.rules</a>.<br>
 100% - 638816/638816<br>
23/7/2018 -- 11:41:40 - <Info> -- Done.<br>
23/7/2018 -- 11:41:40 - <Info> -- Checking <a href="https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.md5" rel="noreferrer" target="_blank">https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.md5</a>.<br>
23/7/2018 -- 11:41:41 - <Info> -- Remote checksum has not changed. Not fetching.<br>
23/7/2018 -- 11:41:41 - <Info> -- Ignoring file rules/emerging-deleted.rules<br>
23/7/2018 -- 11:41:44 - <Info> -- Loaded 25994 rules.<br>
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002228] [PT OPEN] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5<br>
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow Replication Attempt<br>
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow Replication Attempt<br>
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC<br>
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC<br>
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC Creation<br>
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC Creation<br>
23/7/2018 -- 11:41:45 - <Info> -- Disabled 0 rules.<br>
23/7/2018 -- 11:41:45 - <Info> -- Enabled 0 rules.<br>
23/7/2018 -- 11:41:45 - <Info> -- Modified 0 rules.<br>
23/7/2018 -- 11:41:45 - <Info> -- Dropped 0 rules.<br>
23/7/2018 -- 11:41:45 - <Info> -- Enabled 36 rules for flowbit dependencies.<br>
23/7/2018 -- 11:41:45 - <Info> -- Backing up current rules.<br>
23/7/2018 -- 11:41:50 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 25994; enabled: 21151; added: 0; removed 302; modified: 0<br>
23/7/2018 -- 11:41:50 - <Info> -- Testing with suricata -T.<br>
23/7/2018 -- 11:42:07 - <Info> -- Done.<br>
<br>
 Any idea?<br></blockquote><div><br></div><div>Thanks for reporting this. I already have a fix ready and will be submitting it as a PR for review today.</div><div><br></div><div>Jason</div><div><br></div></div></div>