[Oisf-users] Suricata 4.1 reference config errors
Jeremy A. Grove
jgrove at quadrantsec.com
Tue Feb 27 20:52:17 UTC 2018
Apologies, I found the error and all is well.
Jeremy Grove, SSCP
Senior Information Security Analyst
Quadrant Information Security
o: (904)296-9100 x100
t: (800) 538-9357 x100
e: soc at quadrantsec.com
Learn more about our managed SIEM: https://quadrantsec.com/SaganMSSP (people + product)
----- Original Message -----
From: "Jeremy A. Grove" <jgrove at quadrantsec.com>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Tuesday, February 27, 2018 3:16:35 PM
Subject: Re: Suricata 4.1 reference config errors
Thank you Jason.
I went ahead and moved to Suricata 4.1, but upon starting it I received the below error for every rule with a reference. I have also pasted in a copy of my reference config to verify that it is correct, but it is the same config that came with 4.1, with no changes on my part.
Also issues with the class types and I have placed the relevant information towards the end.
I am at a loss as to what I can change to fix this issue. Any help? Or is this an issue in the code?
[7221] 27/2/2018 -- 19:19:13 - (detect-reference.c:139) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_REFERENCE_UNKNOWN(150)] - unknown reference key "url". Supported keys are defined in reference.config file. Please have a look at the conf param "reference-config-file"
[7221] 27/2/2018 -- 19:19:13 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS CYME Power Engineering ChartFX.ClientServer ActiveX clsid access"; flow:established,to_client; file_data; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; fast_pattern:only; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*E9DF30CA-4B30-4235-BF0C-7150F646606C\s*}?\s*(?P=q1)(\s|>|\x2F)/siO"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,osvdb.org/show/osvdb/85894; classtype:attempted-user; sid:29059; rev:6;)" from file /etc/suricata/rules/suricata-vrt.rules at line 4155
The above example is for url, but a complete list is below for all the errors I saw.
arachnids
bugtraq
cve
mcafee
md5
nessus
url
reference.config:
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: bid http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
#config reference: cve http://cvedetails.com/cve/
config reference: secunia http://www.secunia.com/advisories/
#whitehats is unfortunately gone
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: McAfee http://vil.nai.com/vil/content/v_
config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url http://
config reference: et http://doc.emergingthreats.net/
config reference: etpro http://doc.emergingthreatspro.com/
config reference: telus http://
config reference: osvdb http://osvdb.org/show/osvdb/
config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
config reference: md5 http://www.threatexpert.com/report.aspx?md5=
config reference: exploitdb http://www.exploit-db.com/exploits/
config reference: openpacket https://www.openpacket.org/capture/grab/
config reference: securitytracker http://securitytracker.com/id?
config reference: secunia http://secunia.com/advisories/
config reference: xforce http://xforce.iss.net/xforce/xfdb/
config reference: msft http://technet.microsoft.com/security/bulletin/
The second error is with the classification config.
[7221] 27/2/2018 -- 19:19:16 - (detect-classtype.c:120) <Error> (DetectClasstypeSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - Unknown Classtype: "trojan-activity". Invalidating the Signature
[7221] 27/2/2018 -- 19:19:16 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Smokeloader getproxy Command"; flow:established,to_server; content:"cmd=getproxy&login="; http_uri; classtype:trojan-activity; sid:2014010; rev:3; metadata:created_at 2011_12_08, updated_at 2011_12_08;)" from file /etc/suricata/rules/suricata-vrt.rules at line 39105
Full list of affected classtypes:
attempted-admin
attempted-dos
attempted-recon
attempted-user
bad-unknown
misc-activity
misc-attack
non-standard-protocol
not-suspicious
policy-violation
protocol-command-decode
shellcode-detect
string-detect
successful-admin
successful-recon-limited
successful-user
suspicious-filename-detect
suspicious-login
trojan-activity
web-application-activity
web-application-attack
copy of classification config:
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2
Regards,
Jeremy Grove, SSCP
Senior Information Security Analyst
Quadrant Information Security
----- Original Message -----
From: "oisf-users-request" <oisf-users-request at lists.openinfosecfoundation.org>
To: "oisf-users" <oisf-users at lists.openinfosecfoundation.org>
Sent: Tuesday, February 27, 2018 12:00:01 PM
Subject: Oisf-users Digest, Vol 99, Issue 26
Today's Topics:
1. Re: File-store Version 2 (Jason Ish)
----------------------------------------------------------------------
Message: 1
Date: Tue, 27 Feb 2018 10:25:47 -0600
From: Jason Ish <lists at ish.cx>
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] File-store Version 2
Message-ID: <6ed7d7f3-a222-c439-984a-6cc115131ef3 at ish.cx>
Content-Type: text/plain; charset=utf-8; format=flowed
Hello Jeremy,
On 2018-02-27 09:39 AM, Jeremy A. Grove wrote:
> Hi There,
>
> I am using Suricata 4.0.3 and I am trying to convert file-store to
> version but it does not seem to be recognizing the change. Secondly, I
> am attempting to begin using the waldo file feature and it isn't being
> used. I have pasted that section below for reference.
Version 2 of the file-store will be available in 4.1, and is also
currently available in git-master, but not in 4.0.x.
If you are seeing the documentation for it, it is because
suricata.readthedocs.io shows the documentation for git-master unless
you pick a specific version. Sorry for the confusion.
Jason
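The two loader errors quoted in the thread (SC_ERR_REFERENCE_UNKNOWN and SC_ERR_UNKNOWN_VALUE for a classtype) both mean a rule names a key that Suricata could not find in reference.config or classification.config. The script below is an added example, not part of the thread and not Suricata's own code: it parses the two config formats shown above (`config reference: <key> <url>` and `config classification: <name>,<description>,<priority>`) and lints a rules file for reference keys and classtypes that are not defined, so the problem surfaces before Suricata is restarted. The configs and rules embedded in it are constructed samples (the sids are placeholders), and it assumes, as the stock file's mixed-case entries such as arachNIDS suggest, that keys are matched case-insensitively.

```python
"""Pre-flight lint: report rule reference keys and classtypes that are missing
from reference.config / classification.config.  Added example; assumes
case-insensitive key matching (not verified against Suricata's source)."""
import re

# Constructed sample reference.config, same format as the file in the thread.
REFERENCE_CONFIG = """\
# config reference: system URL
config reference: bugtraq http://www.securityfocus.com/bid/
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: url http://
"""

# Constructed sample classification.config (note the stray space before "1").
CLASSIFICATION_CONFIG = """\
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules; sids 1000001-1000003 are placeholders, not real signatures.
RULES = """\
alert tcp any any -> any any (msg:"EXAMPLE defined ref"; reference:cve,2018-0000; classtype:attempted-user; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE undefined ref"; reference:osvdb,85894; reference:url,example.invalid/x; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE undefined classtype"; reference:arachnids,123; classtype:web-application-attack; sid:1000003; rev:1;)
# a commented-out rule is ignored
"""

REF_LINE = re.compile(r"^\s*config\s+reference:\s*(\S+)\s+(\S+)\s*$", re.I)
CLASS_LINE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),\s*(\d+)\s*$", re.I)
RULE_REF = re.compile(r"reference:\s*([^,;]+)\s*,")
RULE_CLASS = re.compile(r"classtype:\s*([^;]+);")
RULE_SID = re.compile(r"sid:\s*(\d+)\s*;")


def parse_reference_config(text):
    """Return {lowercased reference key: url prefix}, skipping comment lines."""
    refs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = REF_LINE.match(line)
        if m:
            refs[m.group(1).lower()] = m.group(2)
    return refs


def parse_classification_config(text):
    """Return {lowercased classtype: (description, priority)}, tolerating
    the stray whitespace around fields seen in the stock file."""
    classes = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CLASS_LINE.match(line)
        if m:
            classes[m.group(1).strip().lower()] = (m.group(2).strip(), int(m.group(3)))
    return classes


def check_rules(rules_text, refs, classes):
    """Return [(sid, problem)] for every reference key or classtype a rule
    uses that is not defined in the parsed configs."""
    problems = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = RULE_SID.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for key in RULE_REF.findall(line):
            if key.strip().lower() not in refs:
                problems.append((sid, f"unknown reference key {key.strip()!r}"))
        for ct in RULE_CLASS.findall(line):
            if ct.strip().lower() not in classes:
                problems.append((sid, f"unknown classtype {ct.strip()!r}"))
    return problems


if __name__ == "__main__":
    refs = parse_reference_config(REFERENCE_CONFIG)
    classes = parse_classification_config(CLASSIFICATION_CONFIG)
    for sid, problem in check_rules(RULES, refs, classes):
        print(f"sid {sid}: {problem}")
```

To use it on a live deployment, read the three files from the paths named in suricata.yaml (reference-config-file, classification-file and the rule-files list) instead of the embedded samples; a non-empty result means the same loader errors as in the thread will appear at start-up.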