[Oisf-users] Errors after manipulating threshold.config

Nick Price nick at spun.io
Mon Dec 18 16:34:50 UTC 2017


I ran into a similar issue today and was wondering - are you using the
new suricata-update script?

I had some duplicate SIDs in a custom file which I was using to
"enable" rules that were commented out by default in rulesets I was
pulling down from the Internet, rather than modifying those files
themselves.  Where I ran into an issue is that suricata-update also
reads in commented-out rules so it can enable them if the user has
configured it to do so. When it encountered the duplicate SIDs, with
one enabled and one disabled, its behavior seemed non-deterministic and
I had similar issues to what you're describing.

Nick
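
The duplicate-SID situation described above can be checked before Suricata is reloaded. The script below is an added example, not code from the original post or from suricata-update. It reads rule files the way Nick describes suricata-update doing it (commented-out rules included), reports any gid:sid defined more than once with its enabled/disabled state per file, and cross-checks threshold.config so that a suppress or threshold entry pointing at a SID with no enabled rule is flagged, which is the condition behind a "can't suppress sid N, gid G: unknown rule" warning. The rule and threshold.config parsing is a simplified regex approximation of Suricata's syntax (assumption), and the rule bodies and file names are constructed stand-ins that reuse the message text from the thread.

```python
import re
from collections import defaultdict

# Constructed sample inputs (not from the original post).  The custom file
# re-enables sid 2016778 while the upstream file still carries it commented
# out, so that sid appears twice with different enabled states; sid 2014169
# exists only as a commented-out rule.  Rule bodies are simplified stand-ins.
UPSTREAM_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; sid:2015633; rev:4;)
#alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain"; sid:2016778; rev:3;)
# alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; sid:2014169; rev:6;)
"""
CUSTOM_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain"; sid:2016778; rev:3;)
"""
THRESHOLD_CONFIG = """\
# ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
# ET DNS Query to a *.pw domain
suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
# ET DNS Query for .su TLD (Soviet Union) Often Malware Related
suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
# a sid that no rule file defines at all (constructed)
threshold gen_id 1, sig_id 9999999, type limit, track by_src, count 1, seconds 60
"""

# A rule line, optionally commented out: capture the comment marker, the
# action keyword and the sid option.  Simplified view of Suricata rule syntax.
RULE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?(?P<action>alert|drop|pass|reject\w*)\s+\S.*?'
    r'\bsid\s*:\s*(?P<sid>\d+)\s*;', re.IGNORECASE)
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
# threshold.config entries that name a signature; gen_id defaults to 1.
THRESH_RE = re.compile(r'^\s*(suppress|threshold|event_filter|rate_filter)\b',
                       re.IGNORECASE)
GEN_ID_RE = re.compile(r'\bgen_id\s+(\d+)')
SIG_ID_RE = re.compile(r'\bsig_id\s+(\d+)')


def parse_rules(text, source):
    """Return (gid, sid, enabled, source) for every rule line, including
    commented-out ones, since those are read too when re-enabling is on."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        g = GID_RE.search(line)
        gid = int(g.group(1)) if g else 1
        out.append((gid, int(m.group('sid')), m.group('off') is None, source))
    return out


def find_sid_conflicts(rule_files):
    """Map (gid, sid) -> [(source, enabled), ...] for ids defined more than
    once across the given {filename: contents} rule files."""
    seen = defaultdict(list)
    for source, text in rule_files.items():
        for gid, sid, enabled, src in parse_rules(text, source):
            seen[(gid, sid)].append((src, enabled))
    return {key: defs for key, defs in seen.items() if len(defs) > 1}


def find_unknown_thresholds(threshold_text, rule_files):
    """Return (gid, sid) pairs referenced by threshold.config for which no
    enabled rule exists, in order of appearance."""
    enabled = set()
    for source, text in rule_files.items():
        for gid, sid, on, _ in parse_rules(text, source):
            if on:
                enabled.add((gid, sid))
    unknown = []
    for line in threshold_text.splitlines():
        if not THRESH_RE.match(line):
            continue
        s = SIG_ID_RE.search(line)
        if not s:
            continue
        g = GEN_ID_RE.search(line)
        key = (int(g.group(1)) if g else 1, int(s.group(1)))
        if key not in enabled:
            unknown.append(key)
    return unknown


if __name__ == "__main__":
    files = {"upstream.rules": UPSTREAM_RULES, "custom.rules": CUSTOM_RULES}
    for (gid, sid), defs in sorted(find_sid_conflicts(files).items()):
        state = ", ".join(f"{src} ({'enabled' if on else 'disabled'})" for src, on in defs)
        print(f"duplicate {gid}:{sid}: {state}")
    for gid, sid in find_unknown_thresholds(THRESHOLD_CONFIG, files):
        print(f"threshold.config references {gid}:{sid} but no enabled rule defines it")
```

Run against a real deployment by replacing the constructed strings with the contents of the rule files Suricata actually loads and the threshold.config it reads; a SID that shows up as both enabled and disabled is the case to resolve in the rule files first, and any SID listed as unknown will produce the same warning at load time.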


On Thu, 2017-12-14 at 08:12 +0000, C. L. Martinez wrote:
> Hi all,
> 
>  I have added some rules to threshold.config file and I am seeing the
> following errors when I reload suricata:
> 
> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2015633, gid 1: unknown rule
> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2014169, gid 1: unknown rule
> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025105, gid 1: unknown rule
> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025107, gid 1: unknown rule
> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025106, gid 1: unknown rule
> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025104, gid 1: unknown rule
> 
> My threshold.config file contains:
> 
> # ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
> suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
> 
> # ET DNS Query to a *.pw domain
> suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
> 
> # ET DNS Query for .su TLD (Soviet Union) Often Malware Related
> suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
> 
> # ET INFO DNS Query for Suspicious .ga Domain
> suppress gen_id 1, sig_id 2025105, track by_src, ip 172.31.25.3
> 
> # ET INFO DNS Query for Suspicious .cf Domain
> suppress gen_id 1, sig_id 2025107, track by_src, ip 172.31.25.3
> 
> # ET INFO DNS Query for Suspicious .ml Domain
> suppress gen_id 1, sig_id 2025106, track by_src, ip 172.31.25.3
> 
> # ET INFO DNS Query for Suspicious .gq Domain
> suppress gen_id 1, sig_id 2025104, track by_src, ip 172.31.25.3
> 
>  SIDs are ok ... then, why these errors?
> 
> Thanks,
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/