[Oisf-users] Errors after manipulating threshold.config
C. L. Martinez
carlopmart at gmail.com
Thu Dec 14 08:12:39 UTC 2017
Hi all,
I have added some rules to threshold.config file and I am seeing the
following errors when I reload suricata:
14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE:
SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2015633, gid 1: unknown
rule
14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE:
SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown
rule
14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE:
SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2014169, gid 1: unknown
rule
14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE:
SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025105, gid 1: unknown
rule
14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE:
SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025107, gid 1: unknown
rule
14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE:
SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025106, gid 1: unknown
rule
14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE:
SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025104, gid 1: unknown
rule
My threshold.config file contains:
# ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
# ET DNS Query to a *.pw domain
suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
# ET DNS Query for .su TLD (Soviet Union) Often Malware Related
suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
# ET INFO DNS Query for Suspicious .ga Domain
suppress gen_id 1, sig_id 2025105, track by_src, ip 172.31.25.3
# ET INFO DNS Query for Suspicious .cf Domain
suppress gen_id 1, sig_id 2025107, track by_src, ip 172.31.25.3
# ET INFO DNS Query for Suspicious .ml Domain
suppress gen_id 1, sig_id 2025106, track by_src, ip 172.31.25.3
# ET INFO DNS Query for Suspicious .gq Domain
suppress gen_id 1, sig_id 2025104, track by_src, ip 172.31.25.3
SIDs are ok ... then, why these errors?
Thanks,
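The warning in the post ("can't suppress sid N, gid 1: unknown rule") is emitted when a suppress entry names a gid/sid pair that is not among the signatures Suricata actually loaded, so the first check is to cross-reference threshold.config against the rule files the engine reads rather than against the SIDs as they appear in a vendor ruleset. The script below is an added example, not part of the original mail or of Suricata itself: it parses suppress lines and active rule lines (commented-out rules are skipped, because Suricata does not load them) and lists every suppression with no matching loaded signature. The SAMPLE_RULES and SAMPLE_THRESHOLD strings are constructed for the demonstration; the sid 9999999 is a placeholder that exists in no ruleset.

```python
import re
import sys
from typing import List, Set, Tuple

# Constructed sample rule file: one active rule with an explicit gid, one
# active rule relying on the default gid, and one rule that is commented out.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; sid:2015633; rev:5;)
# The next rule is disabled, so Suricata will not load sid 2016778.
#alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain"; sid:2016778; rev:3;)
alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .su TLD"; gid:1; sid:2014169; rev:2;)
"""

# Constructed threshold.config in the same format as the one in the post.
SAMPLE_THRESHOLD = """\
# ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
# ET DNS Query to a *.pw domain
suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
# ET DNS Query for .su TLD (Soviet Union) Often Malware Related
suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
# Placeholder sid that appears in no ruleset (constructed for the example).
suppress gen_id 1, sig_id 9999999, track by_src, ip 172.31.25.3
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.IGNORECASE)


def loaded_signatures(rules_text: str) -> Set[Tuple[int, int]]:
    """Return the (gid, sid) pairs of every active rule line in rules_text."""
    sigs: Set[Tuple[int, int]] = set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or disabled rule: not loaded by the engine
        sid_match = SID_RE.search(stripped)
        if not sid_match:
            continue  # not a rule line (no sid keyword)
        gid_match = GID_RE.search(stripped)
        gid = int(gid_match.group(1)) if gid_match else 1  # gid defaults to 1
        sigs.add((gid, int(sid_match.group(1))))
    return sigs


def suppress_entries(threshold_text: str) -> List[Tuple[int, int]]:
    """Return the (gen_id, sig_id) pairs referenced by suppress lines, in order."""
    entries: List[Tuple[int, int]] = []
    for line in threshold_text.splitlines():
        m = SUPPRESS_RE.match(line)
        if m:
            entries.append((int(m.group(1)), int(m.group(2))))
    return entries


def unknown_suppressions(rules_text: str, threshold_text: str) -> List[Tuple[int, int]]:
    """Suppress entries whose gid/sid pair matches no loaded signature.

    Each returned pair corresponds to one 'unknown rule' warning Suricata
    would log for this threshold.config at rule load time.
    """
    sigs = loaded_signatures(rules_text)
    return [entry for entry in suppress_entries(threshold_text) if entry not in sigs]


if __name__ == "__main__":
    # Usage: python check_threshold.py threshold.config rules1.rules [rules2.rules ...]
    # With no arguments the constructed samples above are used.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            threshold_text = fh.read()
        rules_text = ""
        for path in sys.argv[2:]:
            with open(path, encoding="utf-8") as fh:
                rules_text += fh.read() + "\n"
    else:
        threshold_text, rules_text = SAMPLE_THRESHOLD, SAMPLE_RULES
    for gid, sid in unknown_suppressions(rules_text, threshold_text):
        print(f"suppress for gid {gid}, sid {sid} matches no loaded rule")
```

Pass the script the threshold.config and every file listed under rule-files in suricata.yaml (the same set the engine loads, after any disable/enable post-processing). A sid that is present in a file on disk but commented out, or in a file that is not listed for loading, is reported here for the same reason the engine reports it: the suppression refers to a signature the detection engine never registered.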