[OISF/outreachy] help needed in Suricata setup.

Shivani Bhardwaj sbhardwaj at openinfosecfoundation.org
Thu Mar 21 08:31:13 UTC 2019 

On Wed, Mar 20, 2019 at 8:05 PM megha Varshney
<varshney.megha070 at gmail.com> wrote:
>
> Greetings,
> Sorry for the inconvenience caused. Thank You so much Himanshi.
> I did as Himanshi said but the error still persists. I checked reference.config file too.

Nope. You probably failed at a step and continued from there.
Do a clean install again. I see from your earlier message that you
perhaps did a sudo make sometime so make clean should be showing you
some errors about permissions.

Please do
sudo make clean
make -j4
sudo make install

Remember, you fail at any step, repeat it from clean.

> [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "url". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
> [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [97.99.143.196,98.113.127.124,98.114.237.82,98.116.200.172,98.148.135.114,98.165.46.62,98.167.110.55,98.170.209.2,98.176.203.2,98.200.166.221] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 745"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523488; rev:3637; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2019_03_19;)" from file /etc/suricata/rules/tor.rules at line 877
> [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "url". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
> [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [98.207.153.184,98.212.194.147,98.217.124.239,98.222.176.26,98.222.218.185,98.225.157.78,98.229.125.160,98.235.185.167,98.248.47.74,98.248.49.3] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 746"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2523490; rev:3637; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2019_03_19;)" from file /etc/suricata/rules/tor.rules at line 878
> [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "cve". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
> [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.overflow_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230012; rev:1;)" from file /etc/suricata/rules/tls-events.rules at line 22
> [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "cve". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
> [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;)" from file /etc/suricata/rules/tls-events.rules at line 23
> [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "cve". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"
> [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;)" from file /etc/suricata/rules/tls-events.rules at line 24
> [16823] 20/3/2019 -- 20:01:34 - (suricata.c:2394) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
>
>
> On Wed, 20 Mar 2019 at 19:39, Shivani Bhardwaj <sbhardwaj at openinfosecfoundation.org> wrote:
>>
>> On Wed, Mar 20, 2019 at 7:13 PM Himanshi Mathur via Outreachy
>> <outreachy at lists.openinfosecfoundation.org> wrote:
>> >
>> > Hey Megha
>> > Please try running the command with writing sudo  in front since it says permission error and then send if you encounter further errors.
>> >
>> On a side note, Megha, please do not start a new thread for every
>> message of the same nature. Let the thread go on so that it becomes
>> easy to easy what have you done so far.
>>
>> > On Wed, Mar 20, 2019 at 2:51 PM megha Varshney via Outreachy <outreachy at lists.openinfosecfoundation.org> wrote:
>> >>
>> >> Greetings,
>> >> I am getting the below upon entering the commands
>> >> make-install
>> >>  /bin/bash ../libtool   --mode=install /usr/bin/install -c   libhtp.la '/usr/lib'
>> >> libtool: install: /usr/bin/install -c .libs/libhtp.so.2.0.0 /usr/lib/libhtp.so.2.0.0
>> >> /usr/bin/install: cannot create regular file '/usr/lib/libhtp.so.2.0.0': Permission denied
>> >> Makefile:419: recipe for target 'install-libLTLIBRARIES' failed
>> >> make[3]: *** [install-libLTLIBRARIES] Error 1
>> >> make[3]: Leaving directory '/home/megha/suricata/oisf/libhtp/htp'
>> >> Makefile:648: recipe for target 'install-am' failed
>> >> make[2]: *** [install-am] Error 2
>> >> make[2]: Leaving directory '/home/megha/suricata/oisf/libhtp/htp'
>> >> Makefile:472: recipe for target 'install-recursive' failed
>> >> make[1]: *** [install-recursive] Error 1
>> >> make[1]: Leaving directory '/home/megha/suricata/oisf/libhtp'
>> >> Makefile:499: recipe for target 'install-recursive' failed
>> >> make: *** [install-recursive] Error 1
>> >>
>> >> Please help.
>> >> Regards
>> >> Megha
>> >> _______________________________________________
>> >> Outreachy mailing list
>> >> Outreachy at lists.openinfosecfoundation.org
>> >> https://lists.openinfosecfoundation.org/listinfo/outreachy
>> >
>> >
>> >
>> > --
>> > Thanks and regards
>> > Himanshi Mathur
>> > CSE undergrad 2022
>> > IIIT DELHI
>> > _______________________________________________
>> > Outreachy mailing list
>> > Outreachy at lists.openinfosecfoundation.org
>> > https://lists.openinfosecfoundation.org/listinfo/outreachy
>>
>>
>>
>> --
>> Shivani



-- 
Shivani

More information about the Outreachy mailing list