[Oisf-users] Some errors with suricata-update (4.1-rc1)

C. L. Martinez carlopmart at gmail.com
Mon Jul 23 11:46:10 UTC 2018


Hi all,

 After updating my BSD sensors with the latest Suricata 4.1-rc1, I see the following error when I try to set up some disabled rules via the disable.conf file:

23/7/2018 -- 11:41:15 - <Info> -- Using data-directory /var/lib/suricata.
23/7/2018 -- 11:41:15 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
23/7/2018 -- 11:41:15 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
23/7/2018 -- 11:41:15 - <Info> -- Found Suricata version 4.1.0-rc1 at /usr/local/bin/suricata.
23/7/2018 -- 11:41:15 - <Info> -- Loading /etc/suricata/disable.conf.
Traceback (most recent call last):
  File "/usr/local/bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 1441, in main
    sys.exit(_main())
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 1247, in _main
    disable_matchers += load_matchers(disable_conf_filename)
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 486, in load_matchers
    return parse_matchers(fileobj)
  File "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py", line 472, in parse_matchers
    line = line.decode().strip()
AttributeError: 'str' object has no attribute 'decode'

 The content of disable.conf is:

group:stream-events.rules

 After removing the disable.conf file, everything works:

23/7/2018 -- 11:41:37 - <Info> -- Using data-directory /var/lib/suricata.
23/7/2018 -- 11:41:37 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
23/7/2018 -- 11:41:37 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
23/7/2018 -- 11:41:37 - <Info> -- Found Suricata version 4.1.0-rc1 at /usr/local/bin/suricata.
23/7/2018 -- 11:41:37 - <Info> -- Loading /etc/suricata/suricata.yaml
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto nfs
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto tftp
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto modbus
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto dnp3
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto enip
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto ntp
23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto dhcp
23/7/2018 -- 11:41:37 - <Info> -- Checking https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules.md5.
23/7/2018 -- 11:41:37 - <Warning> -- Failed to check remote checksum: HTTP Error 404: Not Found
23/7/2018 -- 11:41:37 - <Info> -- Fetching https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules.
 100% - 9855/9855
23/7/2018 -- 11:41:37 - <Info> -- Done.
23/7/2018 -- 11:41:37 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5.
23/7/2018 -- 11:41:38 - <Info> -- Remote checksum has not changed. Not fetching.
23/7/2018 -- 11:41:38 - <Info> -- Checking https://sslbl.abuse.ch/blacklist/sslblacklist.rules.md5.
23/7/2018 -- 11:41:39 - <Warning> -- Failed to check remote checksum: HTTP Error 404: Not Found
23/7/2018 -- 11:41:39 - <Info> -- Fetching https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
 100% - 638816/638816
23/7/2018 -- 11:41:40 - <Info> -- Done.
23/7/2018 -- 11:41:40 - <Info> -- Checking https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.md5.
23/7/2018 -- 11:41:41 - <Info> -- Remote checksum has not changed. Not fetching.
23/7/2018 -- 11:41:41 - <Info> -- Ignoring file rules/emerging-deleted.rules
23/7/2018 -- 11:41:44 - <Info> -- Loaded 25994 rules.
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002228] [PT OPEN] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow Replication Attempt
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow Replication Attempt
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var and will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC Creation
23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC Creation
23/7/2018 -- 11:41:45 - <Info> -- Disabled 0 rules.
23/7/2018 -- 11:41:45 - <Info> -- Enabled 0 rules.
23/7/2018 -- 11:41:45 - <Info> -- Modified 0 rules.
23/7/2018 -- 11:41:45 - <Info> -- Dropped 0 rules.
23/7/2018 -- 11:41:45 - <Info> -- Enabled 36 rules for flowbit dependencies.
23/7/2018 -- 11:41:45 - <Info> -- Backing up current rules.
23/7/2018 -- 11:41:50 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 25994; enabled: 21151; added: 0; removed 302; modified: 0
23/7/2018 -- 11:41:50 - <Info> -- Testing with suricata -T.
23/7/2018 -- 11:42:07 - <Info> -- Done.

 Any idea?

Thanks.

-- 
Greetings,
C. L. Martinez
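Added example, not part of the original post and not suricata-update's own code: the traceback ends in `line.decode().strip()` failing with `'str' object has no attribute 'decode'`, which is what happens when a parser written for binary-mode file objects (bytes lines) is handed a text-mode file object (str lines) under Python 3. The small parser below shows the failing pattern next to a version that accepts either kind of file object. The only matcher syntax taken from the post is `group:<rule file>`; plain numeric sid lines, the `GroupMatcher`/`SidMatcher` names and the sample rule metadata are assumptions constructed for the example.

```python
import fnmatch
import io

# Added example (not suricata-update's code). Demonstrates the str/bytes
# mismatch behind "'str' object has no attribute 'decode'" and a parser
# for disable.conf-style files that tolerates text- or binary-mode input.
# Syntax: "group:<rule-file glob>" (from the post) and a bare numeric sid
# per line (assumed). Lines starting with "#" are comments.


class GroupMatcher:
    """Matches rules by the rule file (group) they were loaded from."""

    def __init__(self, pattern):
        self.pattern = pattern

    def match(self, rule):
        return fnmatch.fnmatch(rule["group"], self.pattern)


class SidMatcher:
    """Matches a single rule by signature id."""

    def __init__(self, sid):
        self.sid = sid

    def match(self, rule):
        return rule["sid"] == self.sid


def parse_matchers_buggy(fileobj):
    """The failing pattern: .decode() on every line only works when the
    file was opened in binary mode; on a text-mode file each line is
    already a str and has no .decode()."""
    return [line.decode().strip() for line in fileobj]


def _as_text(line):
    """Normalise one line to str regardless of how the file was opened."""
    if isinstance(line, bytes):
        return line.decode("utf-8", errors="replace")
    return line


def parse_matchers(fileobj):
    """Parse matcher lines from a text- or binary-mode file object."""
    matchers = []
    for lineno, raw in enumerate(fileobj, 1):
        line = _as_text(raw).strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("group:"):
            matchers.append(GroupMatcher(line[len("group:"):].strip()))
        elif line.isdigit():
            matchers.append(SidMatcher(int(line)))
        else:
            raise ValueError("line %d: unrecognised matcher %r" % (lineno, line))
    return matchers


def load_matchers(filename):
    """Open in text mode, as a plain open(filename) does in Python 3."""
    with open(filename) as fileobj:
        return parse_matchers(fileobj)


def select_disabled(rules, matchers):
    """Return the sorted sids of every rule hit by any matcher."""
    return sorted(rule["sid"] for rule in rules
                  if any(m.match(rule) for m in matchers))


# Constructed sample input mirroring the disable.conf in the post, plus
# one assumed bare-sid line and a comment.
DISABLE_CONF = "# constructed example\ngroup:stream-events.rules\n2000001\n"

# Constructed rule metadata (group file and sid only); not real rules.
SAMPLE_RULES = [
    {"group": "stream-events.rules", "sid": 2210000},
    {"group": "stream-events.rules", "sid": 2210001},
    {"group": "emerging-trojan.rules", "sid": 2000001},
    {"group": "emerging-trojan.rules", "sid": 2000002},
]


def demo():
    """Text-mode and binary-mode input must yield the same disabled set."""
    text_matchers = parse_matchers(io.StringIO(DISABLE_CONF))
    bin_matchers = parse_matchers(io.BytesIO(DISABLE_CONF.encode()))
    return (select_disabled(SAMPLE_RULES, text_matchers),
            select_disabled(SAMPLE_RULES, bin_matchers))


def buggy_fails_on_text():
    """True when the buggy parser raises AttributeError on a text-mode file."""
    try:
        parse_matchers_buggy(io.StringIO(DISABLE_CONF))
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())                 # ([2000001, 2210000, 2210001], [2000001, 2210000, 2210001])
    print(buggy_fails_on_text())  # True
```

`load_matchers` opens the file in text mode, which is exactly the situation the traceback shows; `parse_matchers` handles that case and still accepts a binary-mode file, so the same code path works whichever way the caller opened the file.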
