[OISF/outreachy] help needed in Suricata setup.

megha Varshney varshney.megha070 at gmail.com
Thu Mar 21 15:48:45 UTC 2019


Greetings,
tail: cannot open 'http.log' for reading: No such file or directory
Do I need to install anything else?
Regards
Megha

On Thu, 21 Mar 2019 at 17:26, megha Varshney <varshney.megha070 at gmail.com>
wrote:

> Greetings,
> After changing the path I am getting below error.
> [32646] 21/3/2019 -- 17:24:42 - (suricata.c:1058) <Notice> (LogVersion) --
> This is Suricata version 5.0.0-dev (rev a69afd5cf)
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'HTTP.UncompressedFlash' is checked but not set. Checked in 2016396 and 3
> other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'ET.pdf.in.http' is checked but not set. Checked in 2017150 and 5 other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'ET.JS.Obfus.Func' is checked but not set. Checked in 2017246 and 1 other
> sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit '
> et.http.PK' is checked but not set. Checked in 2019835 and 3 other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017756 and 15
> other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'et.WinHttpRequest' is checked but not set. Checked in 2019822 and 1 other
> sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit '
> ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1
> other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053
> and 0 other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in
> 2022653 and 0 other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 11
> other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'et.MCOFF' is checked but not set. Checked in 2019837 and 1 other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
> [32646] 21/3/2019 -- 17:24:43 - (detect-flowbits.c:480) <Warning>
> (DetectFlowbitsAnalyze) -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit
> 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
> [32646] 21/3/2019 -- 17:24:46 - (source-af-packet.c:1671) <Error>
> (AFPGetDevLinktype) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find
> type for iface "wlan0": No such device
> [32646] 21/3/2019 -- 17:24:46 - (tm-threads.c:2157) <Notice>
> (TmThreadWaitOnThreadInit) -- all 4 packet processing threads, 4 management
> threads initialized, engine started.
> [32650] 21/3/2019 -- 17:24:46 - (source-af-packet.c:1655) <Error>
> (AFPGetIfnumByDev) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find
> iface wlan0: No such device
> [32650] 21/3/2019 -- 17:24:46 - (source-af-packet.c:1497) <Error>
> (ReceiveAFPLoop) -- [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init
> AF_PACKET socket, fatal error
> [32646] 21/3/2019 -- 17:24:46 - (tm-threads.c:2074) <Error>
> (TmThreadCheckThreadState) -- [ERRCODE: SC_ERR_FATAL(171)] - thread
> W#01-wlan0 failed
> megha at megha-Inspiron-3542:~/suricata/oisf$
>
> Regards,
> Megha
>
>
> On Thu, 21 Mar 2019 at 15:39, Shivani Bhardwaj <
> sbhardwaj at openinfosecfoundation.org> wrote:
>
>> On Thu, Mar 21, 2019 at 2:14 PM megha Varshney
>> <varshney.megha070 at gmail.com> wrote:
>> >
>> > Greetings,
>> > Still the same error.
>> >
>> Hmm. Could you check your `reference-config-file` value in your
>> suricata.yaml file?
>> Does it have the same path to reference.config file that you're
>> looking at? If not, you should change that.
>>
>> > On Thu, 21 Mar 2019 at 14:00, Shivani Bhardwaj <
>> sbhardwaj at openinfosecfoundation.org> wrote:
>> >>
>> >> On Wed, Mar 20, 2019 at 8:05 PM megha Varshney
>> >> <varshney.megha070 at gmail.com> wrote:
>> >> >
>> >> > Greetings,
>> >> > Sorry for the inconvenience caused. Thank You so much Himanshi.
>> >> > I did as Himanshi said but the error still persists. I checked
>> reference.config file too.
>> >>
>> >> Nope. You probably failed at a step and continued from there.
>> >> Do a clean install again. I see from your earlier message that you
>> >> perhaps did a sudo make sometime so make clean should be showing you
>> >> some errors about permissions.
>> >>
>> >> Please do
>> >> sudo make clean
>> >> make -j4
>> >> sudo make install
>> >>
>> >> Remember, if you fail at any step, repeat it from clean.
>> >>
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error>
>> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] -
>> unknown reference key "url". Supported keys are defined in reference.config
>> file.  Please have a look at the conf param "reference-config-file"
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error>
>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tcp
>> [97.99.143.196,98.113.127.124,98.114.237.82,98.116.200.172,98.148.135.114,98.165.46.62,98.167.110.55,98.170.209.2,98.176.203.2,98.200.166.221]
>> any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node
>> Traffic group 745"; reference:url,
>> doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit,
>> track by_src, seconds 60, count 1; classtype:misc-attack;
>> flowbits:set,ET.TorIP; sid:2523488; rev:3637; metadata:affected_product
>> Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity
>> Audit, created_at 2008_12_01, updated_at 2019_03_19;)" from file
>> /etc/suricata/rules/tor.rules at line 877
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error>
>> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] -
>> unknown reference key "url". Supported keys are defined in reference.config
>> file.  Please have a look at the conf param "reference-config-file"
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error>
>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tcp
>> [98.207.153.184,98.212.194.147,98.217.124.239,98.222.176.26,98.222.218.185,98.225.157.78,98.229.125.160,98.235.185.167,98.248.47.74,98.248.49.3]
>> any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node
>> Traffic group 746"; reference:url,
>> doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit,
>> track by_src, seconds 60, count 1; classtype:misc-attack;
>> flowbits:set,ET.TorIP; sid:2523490; rev:3637; metadata:affected_product
>> Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity
>> Audit, created_at 2008_12_01, updated_at 2019_03_19;)" from file
>> /etc/suricata/rules/tor.rules at line 878
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error>
>> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] -
>> unknown reference key "cve". Supported keys are defined in reference.config
>> file.  Please have a look at the conf param "reference-config-file"
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error>
>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tls any any -> any any (msg:"SURICATA TLS overflow
>> heartbeat encountered, possible exploit attempt (heartbleed)";
>> flow:established; app-layer-event:tls.overflow_heartbeat_message;
>> flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode;
>> reference:cve,2014-0160; sid:2230012; rev:1;)" from file
>> /etc/suricata/rules/tls-events.rules at line 22
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error>
>> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] -
>> unknown reference key "cve". Supported keys are defined in reference.config
>> file.  Please have a look at the conf param "reference-config-file"
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error>
>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tls any any -> any any (msg:"SURICATA TLS invalid
>> heartbeat encountered, possible exploit attempt (heartbleed)";
>> flow:established; app-layer-event:tls.invalid_heartbeat_message;
>> flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode;
>> reference:cve,2014-0160; sid:2230013; rev:1;)" from file
>> /etc/suricata/rules/tls-events.rules at line 23
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-reference.c:139) <Error>
>> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] -
>> unknown reference key "cve". Supported keys are defined in reference.config
>> file.  Please have a look at the conf param "reference-config-file"
>> >> > [16823] 20/3/2019 -- 20:01:34 - (detect-engine-loader.c:184) <Error>
>> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> parsing signature "alert tls any any -> any any (msg:"SURICATA TLS invalid
>> encrypted heartbeat encountered, possible exploit attempt (heartbleed)";
>> flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch;
>> flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode;
>> reference:cve,2014-0160; sid:2230014; rev:1;)" from file
>> /etc/suricata/rules/tls-events.rules at line 24
>> >> > [16823] 20/3/2019 -- 20:01:34 - (suricata.c:2394) <Error>
>> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading
>> signatures failed.
>> >> >
>> >> >
>> >> > On Wed, 20 Mar 2019 at 19:39, Shivani Bhardwaj <
>> sbhardwaj at openinfosecfoundation.org> wrote:
>> >> >>
>> >> >> On Wed, Mar 20, 2019 at 7:13 PM Himanshi Mathur via Outreachy
>> >> >> <outreachy at lists.openinfosecfoundation.org> wrote:
>> >> >> >
>> >> >> > Hey Megha
>> >> >> > Please try running the command with sudo in front, since
>> it says permission error, and then send if you encounter further errors.
>> >> >> >
>> >> >> On a side note, Megha, please do not start a new thread for every
>> >> >> message of the same nature. Let the thread go on so that it becomes
>> >> >> easy to see what you have done so far.
>> >> >>
>> >> >> > On Wed, Mar 20, 2019 at 2:51 PM megha Varshney via Outreachy <
>> outreachy at lists.openinfosecfoundation.org> wrote:
>> >> >> >>
>> >> >> >> Greetings,
>> >> >> >> I am getting the below upon entering the commands
>> >> >> >> make-install
>> >> >> >>  /bin/bash ../libtool   --mode=install /usr/bin/install -c
>> libhtp.la '/usr/lib'
>> >> >> >> libtool: install: /usr/bin/install -c .libs/libhtp.so.2.0.0
>> /usr/lib/libhtp.so.2.0.0
>> >> >> >> /usr/bin/install: cannot create regular file
>> '/usr/lib/libhtp.so.2.0.0': Permission denied
>> >> >> >> Makefile:419: recipe for target 'install-libLTLIBRARIES' failed
>> >> >> >> make[3]: *** [install-libLTLIBRARIES] Error 1
>> >> >> >> make[3]: Leaving directory '/home/megha/suricata/oisf/libhtp/htp'
>> >> >> >> Makefile:648: recipe for target 'install-am' failed
>> >> >> >> make[2]: *** [install-am] Error 2
>> >> >> >> make[2]: Leaving directory '/home/megha/suricata/oisf/libhtp/htp'
>> >> >> >> Makefile:472: recipe for target 'install-recursive' failed
>> >> >> >> make[1]: *** [install-recursive] Error 1
>> >> >> >> make[1]: Leaving directory '/home/megha/suricata/oisf/libhtp'
>> >> >> >> Makefile:499: recipe for target 'install-recursive' failed
>> >> >> >> make: *** [install-recursive] Error 1
>> >> >> >>
>> >> >> >> Please help.
>> >> >> >> Regards
>> >> >> >> Megha
>> >> >> >> _______________________________________________
>> >> >> >> Outreachy mailing list
>> >> >> >> Outreachy at lists.openinfosecfoundation.org
>> >> >> >> https://lists.openinfosecfoundation.org/listinfo/outreachy
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > Thanks and regards
>> >> >> > Himanshi Mathur
>> >> >> > CSE undergrad 2022
>> >> >> > IIIT DELHI
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Shivani
>> >>
>> >>
>> >>
>> >> --
>> >> Shivani
>>
>>
>>
>> --
>> Shivani
>>
>
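The quoted SC_ERR_REFERENCE_UNKNOWN errors mean the rules use a reference key (url, cve) that the reference.config Suricata actually loaded does not define, which is why the advice is to verify the reference-config-file value in suricata.yaml. The checker below is an added example, not code from the thread or from the Suricata project: it reads that value, parses reference.config, and lists the keys the rules use that are undefined. All three inputs are constructed samples embedded inline; the URL prefixes and the lowercasing of keys are assumptions of this checker.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample inputs (not from the thread): a suricata.yaml fragment, a
# reference.config that lacks "url", and two rules modelled on the rejected ones.
SAMPLE_YAML = """\
default-rule-path: /etc/suricata/rules
reference-config-file: /etc/suricata/reference.config
"""
SAMPLE_REFERENCE_CONFIG = """\
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve     http://cve.mitre.org/cgi-bin/cvename.cgi?name=
"""
SAMPLE_RULES = """\
alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat"; reference:cve,2014-0160; sid:2230012; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"ET TOR relay"; reference:url, doc.emergingthreats.net/bin/view/Main/TorRules; sid:2523488; rev:3637;)
"""

YAML_REF_FILE = re.compile(r"^\s*reference-config-file:\s*(\S+)", re.M)
REF_CONFIG_LINE = re.compile(r"^\s*config\s+reference:\s*(\S+)\s+(\S+)")
RULE_REFERENCE = re.compile(r"reference:\s*([A-Za-z0-9_.-]+)\s*,")

def reference_config_path(yaml_text: str) -> Optional[str]:
    """Value of reference-config-file in suricata.yaml, or None if unset."""
    m = YAML_REF_FILE.search(yaml_text)
    return m.group(1) if m else None

def load_reference_keys(config_text: str) -> Dict[str, str]:
    """Parse 'config reference: <key> <url-prefix>' lines into {key: prefix}.
    Commented-out lines are skipped; keys are lowercased here (an assumption)."""
    keys: Dict[str, str] = {}
    for line in config_text.splitlines():
        m = REF_CONFIG_LINE.match(line)
        if m:
            keys[m.group(1).lower()] = m.group(2)
    return keys

def undefined_reference_keys(rules_text: str, known: Dict[str, str]) -> Set[str]:
    """Keys that rules reference but the loaded reference.config never defines."""
    used = {m.group(1).lower() for m in RULE_REFERENCE.finditer(rules_text)}
    return used - set(known)

if __name__ == "__main__":
    path = reference_config_path(SAMPLE_YAML)
    known = load_reference_keys(SAMPLE_REFERENCE_CONFIG)
    print(f"reference-config-file: {path}; defined keys: {sorted(known)}")
    for key in sorted(undefined_reference_keys(SAMPLE_RULES, known)):
        print(f"rules use reference key '{key}' but {path} does not define it")
```

On a real host, replace the three samples with the contents of suricata.yaml, the file its reference-config-file points at, and the rule files under default-rule-path; an empty result means rule loading will not fail on reference keys.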