<div dir="ltr"><div dir="ltr"><div>Hi,</div><div><br></div><div>So, I'm experimenting with the RPM installation from EPEL repository in CentOS. dnp3 is returned as an enabled protocol in the following output but I still get the error "protocol dnp3 is disabled" as shared in the previous output. </div><div><br></div><div>Should one expect for the suricata-update to not work straight out of official RPM installation?</div><div><br></div><div>=========Supported App Layer Protocols=========</div><div>http</div><div>ftp</div><div>smtp</div><div>tls</div><div>ssh</div><div>imap</div><div>msn</div><div>smb</div><div>dcerpc</div><div>dns</div><div>enip</div><div>dnp3</div><div><br></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>------<br><b>Mustafa Qasim</b><br></div><div>PGP: <a href="http://pgp.mit.edu/pks/lookup?op=get&search=0x0A9C8A5EC57E0A7C" target="_blank">C57E0A7C</a></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 13, 2018 at 9:31 PM Michał Purzyński <<a href="mailto:michalpurzynski1@gmail.com">michalpurzynski1@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Most of the rules that fail expect protocol analyzers like NFS, NTP,<br>
etc enabled and you only get them when Suricata's build process<br>
detects and uses support for the Rust language.<br>
<br>
Do you have Rust enabled? That's --enable-rust during the "configure" step.<br>
<br>
You can also check what protocols you have enabled with<br>
<br>
suricata --list-app-layer-protos<br>
<br>
<br>
On Tue, Nov 13, 2018 at 2:10 AM Mustafa Qasim <<a href="mailto:alajal@gmail.com" target="_blank">alajal@gmail.com</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> I'm trying the new rule management tool suricata-update. It's a clean 4.1.0 install on CentOS7 from epel repo.<br>
><br>
> Only the et/open repo is enabled and following is the output when attempting to execute suricata-update.<br>
><br>
> Any clues on troubleshooting?<br>
><br>
><br>
> 13/11/2018 -- 05:06:09 - <Info> -- Using data-directory /var/lib/suricata.<br>
> 13/11/2018 -- 05:06:09 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml<br>
> 13/11/2018 -- 05:06:09 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.<br>
> 13/11/2018 -- 05:06:09 - <Info> -- Found Suricata version 4.1.0 at /usr/bin/suricata.<br>
> 13/11/2018 -- 05:06:09 - <Info> -- Loading /etc/suricata/suricata.yaml<br>
> 13/11/2018 -- 05:06:09 - <Info> -- Disabling rules with proto modbus<br>
> 13/11/2018 -- 05:06:09 - <Info> -- Checking <a href="https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5" rel="noreferrer" target="_blank">https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5</a>.<br>
> 13/11/2018 -- 05:06:10 - <Info> -- Fetching <a href="https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz" rel="noreferrer" target="_blank">https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz</a>.<br>
> 100% - 2281744/2281744<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Done.<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules<br>
> 13/11/2018 -- 05:06:17 - <Info> -- Ignoring file rules/emerging-deleted.rules<br>
> 13/11/2018 -- 05:06:20 - <Info> -- Loaded 23946 rules.<br>
> 13/11/2018 -- 05:06:20 - <Info> -- Disabled 9 rules.<br>
> 13/11/2018 -- 05:06:20 - <Info> -- Enabled 0 rules.<br>
> 13/11/2018 -- 05:06:20 - <Info> -- Modified 0 rules.<br>
> 13/11/2018 -- 05:06:20 - <Info> -- Dropped 0 rules.<br>
> 13/11/2018 -- 05:06:20 - <Info> -- Enabled 36 rules for flowbit dependencies.<br>
> 13/11/2018 -- 05:06:20 - <Info> -- Backing up current rules.<br>
> 13/11/2018 -- 05:06:24 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 23946; enabled: 19003; added: 158; removed 4; modified: 922<br>
> 13/11/2018 -- 05:06:24 - <Info> -- Testing with suricata -T.<br>
> 13/11/2018 -- 05:06:24 - <Warning> -- [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please use 'force-hash: [md5]' instead<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 4411<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event "decoder.ipv4.frag_too_large"<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 5870<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 6501<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC"; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 7176<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "nfs" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.nfs.detection-enabled<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert nfs any any -> any any (msg:"SURICATA NFS malformed response data"; flow:to_client; app-layer-event:nfs.malformed_data; classtype:protocol-command-decode; sid:2223001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 8816<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 9774<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled<br>
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 10993<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "nfs" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.nfs.detection-enabled<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert nfs any any -> any any (msg:"SURICATA NFS malformed request data"; flow:to_server; app-layer-event:nfs.malformed_data; classtype:protocol-command-decode; sid:2223000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 15022<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event "decoder.ipv6.frag_too_large"<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 17423<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed response data"; flow:to_client; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 22124<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small"; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)" from file /var/lib/suricata/rules/suricata.rules at line 23365<br>
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.<br>
> 13/11/2018 -- 05:06:25 - <Error> -- Suricata test failed, aborting.<br>
> 13/11/2018 -- 05:06:25 - <Error> -- Restoring previous rules.<br>
><br>
><br>
> ------<br>
> Mustafa Qasim<br>
> PGP: C57E0A7C<br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
</blockquote></div>