[OISF/outreachy] Help needed in suricata setup
Shivani Bhardwaj
sbhardwaj at openinfosecfoundation.org
Tue Mar 19 09:01:11 UTC 2019
Hi Megha!
On Tue, Mar 19, 2019 at 10:56 AM megha Varshney via Outreachy
<outreachy at lists.openinfosecfoundation.org> wrote:
>
>
> Greetings,
> Upon entering (sudo suricata -c /etc/suricata/suricata.yaml -i wlan0 --init-errors-fatal) command I am getting below error.
>
>
> [12772] 18/3/2019 -- 22:51:33 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "url". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
> [12772] 18/3/2019 -- 22:51:33 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [95.216.198.252,95.216.201.161,95.216.203.16,95.216.205.178,95.216.207.115,95.216.209.56,95.216.213.190,95.216.214.140,95.216.216.157,95.216.27.105] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 721"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523440; rev:3633; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2019_03_15;)" from file /etc/suricata/rules/tor.rules at line 850

This should ideally not happen. Do you mind checking your
reference.config file? It should be in /etc/suricata. It should (does)
have a line like "config reference: url http://".

I suspect there has been some issue with your installation process.
Maybe you could do a clean install and see if things are working out
for you?

make clean
make
sudo make install-full

--
Shivani
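
Added example (not part of the original thread and not Suricata's own code): a small Python check that lists reference keys used in rule files but not defined in reference.config, the condition behind the SC_ERR_REFERENCE_UNKNOWN errors quoted above. The function names and the sample config and rules are constructed for illustration.

```python
import re

# Matches lines such as "config reference: url http://" in reference.config.
CONFIG_RE = re.compile(r"^\s*config\s+reference\s*:\s*([A-Za-z][\w-]*)\s+\S+")
# Matches the key in a rule option such as "reference:url,doc.example/...;".
RULE_REF_RE = re.compile(r"\breference\s*:\s*([A-Za-z][\w-]*)\s*,")


def configured_keys(config_text):
    """Return the set of reference keys defined in reference.config text."""
    keys = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out definitions do not count
        m = CONFIG_RE.match(line)
        if m:
            # Keys are lower-cased here for comparison (assumption of this example).
            keys.add(m.group(1).lower())
    return keys


def undefined_references(rules_text, keys):
    """Map each undefined reference key to the rule line numbers that use it."""
    missing = {}
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # disabled rules are not parsed
        for key in RULE_REF_RE.findall(line):
            if key.lower() not in keys:
                missing.setdefault(key.lower(), []).append(lineno)
    return missing


# Constructed sample input: a reference.config without the "url" line and two
# shortened rules (documentation addresses, made-up sids, placeholder CVE id).
SAMPLE_CONFIG = """\
# config reference: system URL
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
"""
SAMPLE_RULES = """\
alert tcp [192.0.2.1] any -> $HOME_NET any (msg:"constructed A"; reference:url,example.invalid/a; sid:1000001; rev:1;)
alert tcp [192.0.2.2] any -> $HOME_NET any (msg:"constructed B"; reference:cve,0000-0000; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    keys = configured_keys(SAMPLE_CONFIG)
    for key, lines in undefined_references(SAMPLE_RULES, keys).items():
        print(f'reference key "{key}" is not defined; used on rule lines {lines}')
```

To run it against a real install, read /etc/suricata/reference.config and the rule files (for example /etc/suricata/rules/tor.rules) and pass their contents to the two functions.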