[Oisf-users] New Install Suricata with OinkMaster - No Rules Loaded

John Powell xq1xq1xq1 at yahoo.com
Sat Sep 20 14:14:32 UTC 2014


Hi,

I blew away my suricata config, copied and reconfigured the default config from the source.

I had followed one post that told me to add the rules to the suricata.yaml file which caused no end of grief.


I now get these warnings:

20/9/2014 -- 08:04:21 - <Warning> - [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] - Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.
20/9/2014 -- 08:04:21 - <Warning> - [ERRCODE: SC_ERR_PCAP_CREATE(21)] - Using Pcap capture with GRO or LRO activated can lead to capture problems.


I could not find any instructions on compiling in eve-log support to suricata.  Any hints would be great!

What do I do about the PCAP error? Is there another way to capture?

Thanx,

John



On Friday, September 19, 2014 10:56 PM, John Powell <xq1xq1xq1 at yahoo.com> wrote:
 


Hi,

I followed these links to install Suricata and OinkMaster on CentOS 6.5:

http://pseudodeterminism.blogspot.ca/2013/11/suricata-on-centos-6.html


https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

The install appears to have gone well but when I launch Suricata I get the following errors ad nauseam:

suricata -c /etc/suricata/suricata.yaml -i eth0

19/9/2014 -- 22:42:06 - <Notice> - This is Suricata version 2.0.3 RELEASE
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/botcc.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/BSD-License.txt
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/ciarmy.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/classification.config
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/compromised-ips.txt
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/compromised.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/decoder-events.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/drop.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/dshield.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/emerging-activex.rules

.
.
.

19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [103.13.232.232,103.228.81.118,106.186.115.99,106.187.42.91,106.187.48.236,106.187.99.92,107.150.14.190,107.161.19.71,107.161.23.66,107.170.156.130,107.170.190.209,107.170.20.26,107.170.210.12] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [103.13.232.232,103.228.81.118,106.186.115.99,106.187.42.91,106.187.48.236,106.187.99.92,107.150.14.190,107.161.19.71,107.161.23.66,107.170.156.130,107.170.190.209,107.170.20.26,107.170.210.12] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 43
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [107.170.20.26,107.170.210.12,107.20.73.183,107.6.89.242,108.170.56.211,108.61.240.240,109.109.228.187,109.111.79.4,109.196.130.50,109.234.106.53,109.235.253.194,109.235.253.241,109.235.51.206,109.74.194.110] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [107.170.20.26,107.170.210.12,107.20.73.183,107.6.89.242,108.170.56.211,108.61.240.240,109.109.228.187,109.111.79.4,109.196.130.50,109.234.106.53,109.235.253.194,109.235.253.241,109.235.51.206,109.74.194.110] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 44
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [109.235.51.206,109.74.194.110,118.219.232.134,124.0.206.2,128.194.112.48,128.39.65.226,130.185.104.60,130.237.188.216,130.239.18.157,130.240.22.202,137.117.201.143,139.0.4.98,140.211.166.64,142.4.222.129] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [109.235.51.206,109.74.194.110,118.219.232.134,124.0.206.2,128.194.112.48,128.39.65.226,130.185.104.60,130.237.188.216,130.239.18.157,130.240.22.202,137.117.201.143,139.0.4.98,140.211.166.64,142.4.222.129] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 45
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [140.211.166.64,142.4.222.129,144.76.100.56,144.76.71.210,145.89.150.59,148.251.129.163,148.251.84.209,148.81.111.111,149.156.124.222,149.210.154.149,149.255.109.200,149.47.133.128,150.254.110.15,151.13.184.200] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [140.211.166.64,142.4.222.129,144.76.100.56,144.76.71.210,145.89.150.59,148.251.129.163,148.251.84.209,148.81.111.111,149.156.124.222,149.210.154.149,149.255.109.200,149.47.133.128,150.254.110.15,151.13.184.200] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 46
.
.
.

With the sheer mass of logs I am kind of overwhelmed.

Any guidance to narrow down the problem would be greatly appreciated!

-John
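
As an added example (not part of the original post and not Suricata's own tooling), a small Python triage script for startup output in the format quoted above: it rejoins mail-wrapped entries, groups them by ERRCODE, and lists the files and SIDs behind each code, including files named as rule files that do not end in `.rules`. The sample log is constructed from the post's lines with shortened signature bodies; `triage` and its result keys are hypothetical names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format shown in the post (signature bodies shortened).
SAMPLE_LOG = """\
19/9/2014 -- 22:42:06 - <Notice> - This is Suricata version 2.0.3 RELEASE
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/botcc.rules
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/BSD-License.txt
19/9/2014 -- 22:42:11 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/classification.config
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_DUPLICATE_SIG(176)] - Duplicate signature "alert ip $HOME_NET any -> [192.0.2.1] any (msg:"constructed"; sid:2404000; rev:3584;)"
19/9/2014 -- 22:42:11 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> [192.0.2.1] any (msg:"constructed"; sid:2404000; rev:3584;)" from file /etc/suricata/rules/botcc.rules at line 43
"""

# timestamp - <Level> - optional [ERRCODE: NAME(n)] - message
ENTRY = re.compile(r"^\d+/\d+/\d+ -- [\d:]+ - <(\w+)> - (?:\[ERRCODE: (\w+)\(\d+\)\] - )?(.*)$")
PATH = re.compile(r"(/\S+?\.[A-Za-z]+)(?=[\s:]|$)")
SID = re.compile(r"\bsid:(\d+);")

def triage(log_text):
    """Collapse Suricata startup output into counts, files and SIDs per ERRCODE."""
    # Mail clients wrap long entries; a line without a timestamp continues the previous one.
    entries = []
    for line in log_text.splitlines():
        if ENTRY.match(line):
            entries.append(line)
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    counts, files, sids = Counter(), defaultdict(set), defaultdict(set)
    for entry in entries:
        _level, code, msg = ENTRY.match(entry).groups()
        if code is None:  # plain notices carry no ERRCODE
            continue
        counts[code] += 1
        files[code].update(PATH.findall(msg))
        sids[code].update(SID.findall(msg))
    # Files named as rule files that do not end in .rules (licence text, config, IP lists).
    non_rule = sorted(f for f in files["SC_ERR_NO_RULES"] if not f.endswith(".rules"))
    return {"counts": dict(counts),
            "files": {k: sorted(v) for k, v in files.items()},
            "duplicate_sids": sorted(sids["SC_ERR_DUPLICATE_SIG"]),
            "non_rule_files": non_rule}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```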