[Oisf-users] Errors after manipulating threshold.config

C. L. Martinez carlopmart at gmail.com
Tue Dec 19 07:46:50 UTC 2017


No, in my case I am using pulledpork because this server runs under
FreeBSD. But it is strange because rules configured under
threshold.conf are not triggered (that on the other hand was the
target)...

On Mon, Dec 18, 2017 at 4:34 PM, Nick Price <nick at spun.io> wrote:
> I ran into a similar issue today and was wondering - are you using the
> new suricata-update script?
>
> I had some duplicate SIDs in a custom file which I was using to
> "enable" rules that were commented out by default in rulesets I was
> pulling down from the Internet, rather than modifying those files
> themselves.  Where I ran into an issue is that suricata-update also
> reads in commented-out rules so it can enable them if the user has
> configured it to do so. When it encountered the duplicate SIDs, with
> one enabled and one disabled, its behavior seemed non-deterministic and
> I had similar issues to what you're describing.
>
> Nick
>
>
> On Thu, 2017-12-14 at 08:12 +0000, C. L. Martinez wrote:
>> Hi all,
>>
>>  I have added some rules to threshold.config file and I am seeing the
>> following errors when I reload suricata:
>>
>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2015633, gid 1: unknown rule
>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2014169, gid 1: unknown rule
>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025105, gid 1: unknown rule
>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025107, gid 1: unknown rule
>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025106, gid 1: unknown rule
>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025104, gid 1: unknown rule
>>
>> My threshold.config file contains:
>>
>> # ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
>> suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
>>
>> # ET DNS Query to a *.pw domain
>> suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
>>
>> # ET DNS Query for .su TLD (Soviet Union) Often Malware Related
>> suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
>>
>> # ET INFO DNS Query for Suspicious .ga Domain
>> suppress gen_id 1, sig_id 2025105, track by_src, ip 172.31.25.3
>>
>> # ET INFO DNS Query for Suspicious .cf Domain
>> suppress gen_id 1, sig_id 2025107, track by_src, ip 172.31.25.3
>>
>> # ET INFO DNS Query for Suspicious .ml Domain
>> suppress gen_id 1, sig_id 2025106, track by_src, ip 172.31.25.3
>>
>> # ET INFO DNS Query for Suspicious .gq Domain
>> suppress gen_id 1, sig_id 2025104, track by_src, ip 172.31.25.3
>>
>>  SIDs are ok ... then, why these errors?
>>
>> Thanks,
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
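One way to check a threshold.config against the rule files before reloading, as an added example that is not code from the thread or from Suricata: a commented-out rule is treated as not loaded (which is what yields "unknown rule" for a suppress entry), and a sid that appears more than once with mixed enabled/disabled state is flagged, the situation Nick describes with suricata-update. The threshold entries and rules below are constructed samples, and gid is assumed to be 1 for rules without a gid keyword.

```python
import re
from collections import defaultdict

# Constructed threshold.config in the form used in the thread (four suppress entries).
THRESHOLD_CONF = """
suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
suppress gen_id 1, sig_id 2025105, track by_src, ip 172.31.25.3
"""
# Constructed rules file: 2015633 enabled, 2016778 commented out (disabled),
# 2014169 present twice with mixed state, 2025105 absent altogether.
RULES = """
alert dns any any -> any any (msg:"mooo.com"; sid:2015633; rev:1;)
# alert dns any any -> any any (msg:"pw"; sid:2016778; rev:1;)
alert dns any any -> any any (msg:"su"; sid:2014169; rev:1;)
# alert dns any any -> any any (msg:"su dup"; sid:2014169; rev:2;)
"""
SUPPRESS_RE = re.compile(r"^\s*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_suppress(text):
    """Return (gen_id, sig_id) pairs from suppress lines; comment lines are skipped."""
    matches = (SUPPRESS_RE.match(line) for line in text.splitlines())
    return [(int(m.group(1)), int(m.group(2))) for m in matches if m]

def index_rules(text):
    """Map sid -> list of states ('enabled'/'disabled'), one entry per occurrence."""
    states = defaultdict(list)
    for line in text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if m:
            states[int(m.group(1))].append("disabled" if stripped.startswith("#") else "enabled")
    return states

def check(threshold_text, rules_text):
    """Classify each suppressed sid that Suricata would not find as a loaded rule."""
    states = index_rules(rules_text)
    problems = {}
    for _gid, sid in parse_suppress(threshold_text):
        seen = states.get(sid, [])
        if not seen:
            problems[sid] = "missing"      # no rule with this sid anywhere
        elif len(seen) > 1:
            problems[sid] = "duplicate"    # which copy loads is ambiguous
        elif seen[0] == "disabled":
            problems[sid] = "disabled"     # commented out, so never loaded
    return problems
```

Run check() over the real threshold.config and the concatenated rule files Suricata loads; any sid it reports is one the reload will complain about or treat unpredictably.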