[Oisf-users] Errors after manipulating threshold.config

Nick Price nick at spun.io
Tue Dec 19 14:04:52 UTC 2017


Stupid question, but have you grepped the rules file that pulledpork output to confirm the signatures are there?

> On Dec 19, 2017, at 2:46 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> 
> No, in my case I am using pulledpork because this server runs under
> FreeBSD. But it is strange because rules configured under
> threshold.conf are not triggered (that on the other hand was the
> target)...
> 
> On Mon, Dec 18, 2017 at 4:34 PM, Nick Price <nick at spun.io> wrote:
>> I ran into a similar issue today and was wondering - are you using the
>> new suricata-update script?
>> 
>> I had some duplicate SIDs in a custom file which I was using to
>> "enable" rules that were commented out by default in rulesets I was
>> pulling down from the Internet, rather than modifying those files
>> themselves.  Where I ran into an issue is that suricata-update also
>> reads in commented-out rules so it can enable them if the user has
>> configured it to do so. When it encountered the duplicate SIDs, with
>> one enabled and one disabled, its behavior seemed non-deterministic and
>> I had similar issues to what you're describing.
>> 
>> Nick
>> 
>> 
>> On Thu, 2017-12-14 at 08:12 +0000, C. L. Martinez wrote:
>>> Hi all,
>>> 
>>> I have added some rules to threshold.config file and I am seeing the
>>> following errors when I reload suricata:
>>> 
>>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2015633, gid 1: unknown rule
>>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
>>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2014169, gid 1: unknown rule
>>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025105, gid 1: unknown rule
>>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025107, gid 1: unknown rule
>>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025106, gid 1: unknown rule
>>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025104, gid 1: unknown rule
>>> 
>>> My threshold.config file contains:
>>> 
>>> # ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
>>> suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
>>> 
>>> # ET DNS Query to a *.pw domain
>>> suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
>>> 
>>> # ET DNS Query for .su TLD (Soviet Union) Often Malware Related
>>> suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
>>> 
>>> # ET INFO DNS Query for Suspicious .ga Domain
>>> suppress gen_id 1, sig_id 2025105, track by_src, ip 172.31.25.3
>>> 
>>> # ET INFO DNS Query for Suspicious .cf Domain
>>> suppress gen_id 1, sig_id 2025107, track by_src, ip 172.31.25.3
>>> 
>>> # ET INFO DNS Query for Suspicious .ml Domain
>>> suppress gen_id 1, sig_id 2025106, track by_src, ip 172.31.25.3
>>> 
>>> # ET INFO DNS Query for Suspicious .gq Domain
>>> suppress gen_id 1, sig_id 2025104, track by_src, ip 172.31.25.3
>>> 
>>> SIDs are ok ... then, why these errors?
>>> 
>>> Thanks,
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> 
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
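The check suggested above (grep the rules file pulledpork or suricata-update actually wrote, and confirm each SID named in threshold.config is present and not commented out) done programmatically, as an added example that is not part of this thread and not a Suricata, pulledpork or suricata-update tool. It classifies every suppress/threshold entry as ok, missing, disabled (only a commented-out copy exists) or duplicate (an enabled and a commented-out copy of the same SID, the situation described in Nick's earlier reply). The rule lines and threshold entries embedded below are constructed samples, not the poster's real files; the classification assumes gen_id 1 rules and ignores any gid option.

```python
"""Cross-check threshold.config entries against the rules Suricata loads.

Added example for this thread (not a Suricata/pulledpork/suricata-update tool).
The sample rules and threshold text are constructed, not real files.
"""
import re
from collections import defaultdict

# "sid:2015633;" inside a rule body
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# "suppress gen_id 1, sig_id 2015633, ..." / "threshold gen_id 1, sig_id N, ..."
THRESH_RE = re.compile(
    r"^\s*(suppress|threshold|rate_filter)\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)"
)
RULE_ACTIONS = ("alert", "drop", "reject", "pass")


def parse_rules(text):
    """Return {sid: {"enabled": bool, "disabled": bool}} for every SID seen.

    A line whose first token is a rule action counts as enabled; the same line
    behind a leading '#' counts as a disabled (commented-out) copy.  Ordinary
    comments that merely mention 'sid:' are ignored.
    """
    state = defaultdict(lambda: {"enabled": False, "disabled": False})
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        if body.split(" ", 1)[0] not in RULE_ACTIONS:
            continue
        m = SID_RE.search(body)
        if not m:
            continue
        state[int(m.group(1))]["disabled" if commented else "enabled"] = True
    return dict(state)


def parse_threshold(text):
    """Return [(keyword, gen_id, sig_id), ...] from threshold.config text."""
    out = []
    for line in text.splitlines():
        m = THRESH_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def check(threshold_text, rules_text):
    """Map each threshold SID to ok / missing / disabled / duplicate.

    'missing' and 'disabled' are the cases where Suricata will log
    "can't suppress sid N, gid 1: unknown rule" at load time.
    """
    rules = parse_rules(rules_text)
    report = {}
    for _keyword, _gid, sid in parse_threshold(threshold_text):
        st = rules.get(sid)
        if st is None:
            report[sid] = "missing"
        elif st["enabled"] and st["disabled"]:
            report[sid] = "duplicate"
        elif st["disabled"]:
            report[sid] = "disabled"
        else:
            report[sid] = "ok"
    return report


# Constructed sample rules file: one enabled, one commented out, one present
# both enabled and commented out (the duplicate-SID case), one absent entirely.
SAMPLE_RULES = """\
# constructed sample, not a real ET ruleset
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; sid:2015633; rev:1;)
#alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain"; sid:2016778; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ga Domain"; sid:2025105; rev:1;)
#alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ga Domain"; sid:2025105; rev:1;)
"""

# Constructed sample threshold.config using the poster's entry format.
SAMPLE_THRESHOLD = """\
# ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
# ET DNS Query to a *.pw domain
suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
# ET DNS Query for .su TLD (Soviet Union) Often Malware Related
suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
# ET INFO DNS Query for Suspicious .ga Domain
suppress gen_id 1, sig_id 2025105, track by_src, ip 172.31.25.3
"""

if __name__ == "__main__":
    for sid, status in sorted(check(SAMPLE_THRESHOLD, SAMPLE_RULES).items()):
        print(f"sid {sid}: {status}")
```

To run it against a live box, read the merged rules file (for example the pulledpork output path from suricata.yaml) and threshold.config into the two arguments instead of the samples; anything reported as missing or disabled is a SID Suricata cannot suppress, and anything reported as duplicate is worth resolving before trusting which copy the rule manager keeps.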