[Oisf-users] Suricata 4.1 reference config errors

Jeremy A. Grove jgrove at quadrantsec.com
Tue Feb 27 20:52:17 UTC 2018

Apologies I found the error and all is well.

Jeremy Grove, SSCP 
Senior Information Security Analyst 
Quadrant Information Security 
o: [ callto:(904)296-9100 | (904)296-9100 ] x100 
t: [ callto:(800) 538-9357 | (800) 538-9357 ] x100 
e: [ mailto:soc at quadrantsec.com | soc at quadrantsec.com ] 

Learn more= about our managed SIEM [ https://a.quadrantsec.com/3D%22https://quadrantsec.com/SaganMSSP%22 | people + product ]

----- Original Message -----
From: "Jeremy A. Grove" <jgrove at quadrantsec.com>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Tuesday, February 27, 2018 3:16:35 PM
Subject: Re: Suricata 4.1 reference config errors

Thank you Jason.

I went ahead and moved to Suricata 4.1 but upon starting it I received the below error for every rule with a reference. I have also pasted in a copy of my reference config to verify that it is correct but it is the same config that came with 4.1 and no changes on my part. 

Also issues with the class types and I have placed the relevant information towards the end.

Am I at loss of what I can change to fix this issue. Any help? Or is this an issue in the code?

[7221] 27/2/2018 -- 19:19:13 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "url". Supported keys are defined in reference.config file.  Please have a look at the conf param "reference-config-file"

[7221] 27/2/2018 -- 19:19:13 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CYME Power Engineering ChartFX.ClientServer ActiveX clsid access"; flow:established,to_client; file_data; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; fast_pattern:only; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9DF30CA-4B30-4235-BF0C-7150F646606C\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,osvdb.org/show/osvdb/85894; classtype:attempted-user; sid:29059; rev:6;)" from file /etc/suricata/rules/suricata-vrt.rules at line 4155

The above example is for url but a complete list is below for all the errors I saw.



# config reference: system URL

config reference: bugtraq   http://www.securityfocus.com/bid/
config reference: bid       http://www.securityfocus.com/bid/
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
#config reference: cve       http://cvedetails.com/cve/
config reference: secunia   http://www.secunia.com/advisories/

#whitehats is unfortunately gone
config reference: arachNIDS http://www.whitehats.com/info/IDS

config reference: McAfee    http://vil.nai.com/vil/content/v_
config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url       http://
config reference: et        http://doc.emergingthreats.net/
config reference: etpro     http://doc.emergingthreatspro.com/
config reference: telus     http://
config reference: osvdb     http://osvdb.org/show/osvdb/
config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
config reference: md5       http://www.threatexpert.com/report.aspx?md5=
config reference: exploitdb http://www.exploit-db.com/exploits/
config reference: openpacket https://www.openpacket.org/capture/grab/
config reference: securitytracker http://securitytracker.com/id?
config reference: secunia   http://secunia.com/advisories/
config reference: xforce    http://xforce.iss.net/xforce/xfdb/
config reference: msft      http://technet.microsoft.com/security/bulletin/

Second error is with classification config.

[7221] 27/2/2018 -- 19:19:16 - (detect-classtype.c:120) <Error> (DetectClasstypeSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - Unknown Classtype: "trojan-activity".  Invalidating the Signature

[7221] 27/2/2018 -- 19:19:16 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Smokeloader getproxy Command"; flow:established,to_server; content:"cmd=getproxy&login="; http_uri; classtype:trojan-activity; sid:2014010; rev:3; metadata:created_at 2011_12_08, updated_at 2011_12_08;)" from file /etc/suricata/rules/suricata-vrt.rules at line 39105

Full list of affected classtypes:


copy of classification config:

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1

config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2


Jeremy Grove, SSCP 
Senior Information Security Analyst 
Quadrant Information Security 

----- Original Message -----
From: "oisf-users-request" <oisf-users-request at lists.openinfosecfoundation.org>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Tuesday, February 27, 2018 12:00:01 PM
Subject: Oisf-users Digest, Vol 99, Issue 26

Send Oisf-users mailing list submissions to
	oisf-users at lists.openinfosecfoundation.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	oisf-users-request at lists.openinfosecfoundation.org

You can reach the person managing the list at
	oisf-users-owner at lists.openinfosecfoundation.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Oisf-users digest..."

Today's Topics:

   1. Re: File-store Version 2 (Jason Ish)


Message: 1
Date: Tue, 27 Feb 2018 10:25:47 -0600
From: Jason Ish <lists at ish.cx>
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] File-store Version 2
Message-ID: <6ed7d7f3-a222-c439-984a-6cc115131ef3 at ish.cx>
Content-Type: text/plain; charset=utf-8; format=flowed

Hello Jeremy,

On 2018-02-27 09:39 AM, Jeremy A. Grove wrote:
> Hi There,
> I am using Suricata 4.0..3 and I am trying to convert file-store to 
> version but it does not seem to be recognizing the change. Secondly, I 
> am attempting to begin using the waldo file feature and it isnt being 
> used. I have pasted that section below for reference.

Version 2 of the file-store will be available in 4.1, and is also 
currently available in git-master, but not in 4.0.x.

If you are seeing the documentation for it, it is because 
suricata.readthedocs.io shows the documentation for git-master unless 
you pick a specific version. Sorry for the confusion.



Subject: Digest Footer

Oisf-users mailing list
Oisf-users at lists.openinfosecfoundation.org


End of Oisf-users Digest, Vol 99, Issue 26
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2204 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180227/8e4d84cf/attachment-0002.bin>

More information about the Oisf-users mailing list