[Oisf-users] Errors after manipulating threshold.config

C. L. Martinez carlopmart at gmail.com
Tue Dec 19 14:31:17 UTC 2017


Yes, these signatures are enabled for all internal hosts, except for those
indicated.

On Tue, Dec 19, 2017 at 2:04 PM, Nick Price <nick at spun.io> wrote:

> Stupid question, but have you grepped the rules file that pulledpork
> output to confirm the signatures are there?
>
> > On Dec 19, 2017, at 2:46 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> >
> > No, in my case I am using pulledpork because this server runs under
> > FreeBSD. But it is strange because rules configured under
> > threshold.conf are not triggered (that on the other hand was the
> > target)...
> >
> > On Mon, Dec 18, 2017 at 4:34 PM, Nick Price <nick at spun.io> wrote:
> >> I ran into a similar issue today and was wondering - are you using the
> >> new suricata-update script?
> >>
> >> I had some duplicate SIDs in a custom file which I was using to
> >> "enable" rules that were commented out by default in rulesets I was
> >> pulling down from the Internet, rather than modifying those files
> >> themselves.  Where I ran into an issue is that suricata-update also
> >> reads in commented-out rules so it can enable them if the user has
> >> configured it to do so. When it encountered the duplicate SIDs, with
> >> one enabled and one disabled, its behavior seemed non-deterministic and
> >> I had similar issues to what you're describing.
> >>
> >> Nick
> >>
> >>
> >> On Thu, 2017-12-14 at 08:12 +0000, C. L. Martinez wrote:
> >>> Hi all,
> >>>
> >>> I have added some rules to threshold.config file and I am seeing the
> >>> following errors when I reload suricata:
> >>>
> >>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2015633, gid 1: unknown rule
> >>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2016778, gid 1: unknown rule
> >>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2014169, gid 1: unknown rule
> >>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025105, gid 1: unknown rule
> >>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025107, gid 1: unknown rule
> >>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025106, gid 1: unknown rule
> >>> 14/12/2017 -- 09:05:18 - <Warning> - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can't suppress sid 2025104, gid 1: unknown rule
> >>>
> >>> My threshold.config file contains:
> >>>
> >>> # ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
> >>> suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
> >>>
> >>> # ET DNS Query to a *.pw domain
> >>> suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
> >>>
> >>> # ET DNS Query for .su TLD (Soviet Union) Often Malware Related
> >>> suppress gen_id 1, sig_id 2014169, track by_src, ip 172.31.25.3
> >>>
> >>> # ET INFO DNS Query for Suspicious .ga Domain
> >>> suppress gen_id 1, sig_id 2025105, track by_src, ip 172.31.25.3
> >>>
> >>> # ET INFO DNS Query for Suspicious .cf Domain
> >>> suppress gen_id 1, sig_id 2025107, track by_src, ip 172.31.25.3
> >>>
> >>> # ET INFO DNS Query for Suspicious .ml Domain
> >>> suppress gen_id 1, sig_id 2025106, track by_src, ip 172.31.25.3
> >>>
> >>> # ET INFO DNS Query for Suspicious .gq Domain
> >>> suppress gen_id 1, sig_id 2025104, track by_src, ip 172.31.25.3
> >>>
> >>> SIDs are ok ... then, why these errors?
> >>>
> >>> Thanks,
> >>> _______________________________________________
> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>>
> >>> Conference: https://suricon.net
> >>> Trainings: https://suricata-ids.org/training/
>
>
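The check Nick suggests (confirm that every SID named in threshold.config exists as an enabled rule in the file Suricata actually loads) as an added Python example; this is not code from the thread or from Suricata. It parses suppress/threshold lines and rule lines, reports SIDs with no enabled rule (the case that produces the "unknown rule" warning) and SIDs that appear both commented out and enabled, the duplicate situation Nick describes. The inputs below are constructed and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample inputs, not files from the thread. 2025106 is deliberately
# absent from RULES; 2016778 appears both commented out and enabled.
THRESHOLD_CONFIG = """\
# ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
suppress gen_id 1, sig_id 2015633, track by_src, ip 172.31.25.3
# ET DNS Query to a *.pw domain
suppress gen_id 1, sig_id 2016778, track by_src, ip 172.31.25.3
# ET INFO DNS Query for Suspicious .ml Domain
suppress gen_id 1, sig_id 2025106, track by_src, ip 172.31.25.3
"""
RULES = """\
alert dns $HOME_NET any -> any any (msg:"mooo.com query"; sid:2015633; rev:5;)
# alert dns $HOME_NET any -> any any (msg:".pw query"; sid:2016778; rev:3;)
alert dns $HOME_NET any -> any any (msg:".pw query"; sid:2016778; rev:3;)
"""
THRESHOLD_RE = re.compile(r"^\s*(?:suppress|threshold)\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")
RULE_RE = re.compile(r"^(#?)\s*(?:alert|drop|pass|reject)\b.*\bsid\s*:\s*(\d+)\s*;")

def threshold_sids(text):
    """(gen_id, sig_id) pairs referenced by suppress/threshold lines."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(THRESHOLD_RE.match, text.splitlines()) if m]

def rule_states(text):
    """sid -> list of 'enabled'/'disabled', one entry per rule line.
    A leading '#' marks a disabled rule; suricata-update still parses those."""
    states = defaultdict(list)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            states[int(m.group(2))].append("disabled" if m.group(1) else "enabled")
    return states

def check(threshold_text, rules_text):
    """Report gid-1 SIDs with no enabled rule (Suricata logs "can't suppress
    sid N, gid 1: unknown rule" for these) and SIDs whose duplicate copies
    disagree about being enabled. Rules without a gid keyword are gid 1."""
    states = rule_states(rules_text)
    unknown = [sid for gid, sid in threshold_sids(threshold_text)
               if gid == 1 and "enabled" not in states.get(sid, [])]
    mixed = sorted(sid for sid, st in states.items() if len(set(st)) > 1)
    return {"unknown": unknown, "mixed": mixed}

if __name__ == "__main__":
    print(check(THRESHOLD_CONFIG, RULES))
```

Point it at the real threshold.config and the concatenated rules file that pulledpork or suricata-update writes; any SID listed under "unknown" is one Suricata will warn about at reload.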