[Oisf-users] New Install Suricata with OinkMaster - No Rules Loaded

John Powell xq1xq1xq1 at yahoo.com
Sat Sep 20 04:56:41 UTC 2014


Hi,

I followed these links to install Suricata and OinkMaster on CentOS 6.5:

http://pseudodeterminism.blogspot.ca/2013/11/suricata-on-centos-6.html


https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

The install appears to have gone well, but when I launch Suricata I get the following errors ad nauseam:

suricata -c /etc/suricata/suricata.yaml -i eth0

19/9/2014 -- 22:42:06 - <Notice> - This is Suricata version 2.0.3 RELEASE
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/botcc.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/BSD-License.txt
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/ciarmy.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/classification.config
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/compromised-ips.txt
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/compromised.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/decoder-events.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/drop.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/dshield.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-activex.rules

.
.
.

19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [103.13.232.232,103.228.81.118,106.186.115.99,106.187.42.91,106.187.48.236,106.187.99.92,107.150.14.190,107.161.19.71,107.161.23.66,107.170.156.130,107.170.190.209,107.170.20.26,107.170.210.12] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [103.13.232.232,103.228.81.118,106.186.115.99,106.187.42.91,106.187.48.236,106.187.99.92,107.150.14.190,107.161.19.71,107.161.23.66,107.170.156.130,107.170.190.209,107.170.20.26,107.170.210.12] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 43
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [107.170.20.26,107.170.210.12,107.20.73.183,107.6.89.242,108.170.56.211,108.61.240.240,109.109.228.187,109.111.79.4,109.196.130.50,109.234.106.53,109.235.253.194,109.235.253.241,109.235.51.206,109.74.194.110] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [107.170.20.26,107.170.210.12,107.20.73.183,107.6.89.242,108.170.56.211,108.61.240.240,109.109.228.187,109.111.79.4,109.196.130.50,109.234.106.53,109.235.253.194,109.235.253.241,109.235.51.206,109.74.194.110] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 44
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [109.235.51.206,109.74.194.110,118.219.232.134,124.0.206.2,128.194.112.48,128.39.65.226,130.185.104.60,130.237.188.216,130.239.18.157,130.240.22.202,137.117.201.143,139.0.4.98,140.211.166.64,142.4.222.129] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [109.235.51.206,109.74.194.110,118.219.232.134,124.0.206.2,128.194.112.48,128.39.65.226,130.185.104.60,130.237.188.216,130.239.18.157,130.240.22.202,137.117.201.143,139.0.4.98,140.211.166.64,142.4.222.129] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 45
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [140.211.166.64,142.4.222.129,144.76.100.56,144.76.71.210,145.89.150.59,148.251.129.163,148.251.84.209,148.81.111.111,149.156.124.222,149.210.154.149,149.255.109.200,149.47.133.128,150.254.110.15,151.13.184.200] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [140.211.166.64,142.4.222.129,144.76.100.56,144.76.71.210,145.89.150.59,148.251.129.163,148.251.84.209,148.81.111.111,149.156.124.222,149.210.154.149,149.255.109.200,149.47.133.128,150.254.110.15,151.13.184.200] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 46
.
.
.

With the sheer mass of logs I am kind of overwhelmed.

Any guidance to narrow down the problem would be greatly appreciated!

-John
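As an added example (not part of John's post, and not Suricata's own tooling), a small triage script for exactly this situation: it groups the startup diagnostics by ERRCODE, lists the rule files each code involves, extracts the sids Suricata reports as duplicates, and flags non-.rules files that Suricata tried to load as rules. The embedded log is constructed to mirror the shape of the output above, with addresses replaced by RFC 5737 documentation space and rule bodies shortened.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the Suricata 2.0.x output quoted above
# (addresses replaced with RFC 5737 space, rule bodies shortened).
SAMPLE_LOG = """\
19/9/2014 -- 22:42:06 - <Notice> - This is Suricata version 2.0.3 RELEASE
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/botcc.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/BSD-License.txt
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/classification.config
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [192.0.2.1] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; sid:2404000; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [192.0.2.1] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; sid:2404000; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 43
"""

# One log line: timestamp, level, optional ERRCODE tag, message.
LINE_RE = re.compile(r"^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)> - "
                     r"(?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$")
# Path in "No rules loaded from X", "opening rule file X: ..." and "from file X at line N".
FILE_RE = re.compile(r"(?:from(?: file)?|rule file) (?P<path>/[^\s:]+)")
SID_RE = re.compile(r"sid:(\d+);")


def triage(log_text):
    """Group startup diagnostics by ERRCODE so the root cause stands out."""
    counts, files_by_code = Counter(), defaultdict(set)
    dup_sids, non_rule_files = set(), set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or not m.group("code"):
            continue  # Notice lines and anything without an ERRCODE tag
        code, msg = m.group("code"), m.group("msg")
        counts[code] += 1
        f = FILE_RE.search(msg)
        if f:
            files_by_code[code].add(f.group("path"))
            # Suricata only opens what suricata.yaml's rule-files list names,
            # so a license or classification file here means it is on that list.
            if code == "SC_ERR_NO_RULES" and not f.group("path").endswith(".rules"):
                non_rule_files.add(f.group("path"))
        if code == "SC_ERR_DUPLICATE_SIG":
            s = SID_RE.search(msg)
            if s:
                dup_sids.add(int(s.group(1)))
    return {"counts": dict(counts),
            "files": {c: sorted(p) for c, p in files_by_code.items()},
            "duplicate_sids": sorted(dup_sids),
            "non_rule_files_listed": sorted(non_rule_files)}
```

Feed it the captured output of the `suricata -c ... -i eth0` run (or suricata.log) with `triage(open(path).read())`; the per-code counts and the two short lists are usually enough to see whether the problem is the rule-files list in suricata.yaml, a missing file, or the same rules being loaded twice.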