[Oisf-users] Some errors with suricata-update (4.1-rc1)

Jason Ish ish at unx.ca
Mon Jul 23 22:12:52 UTC 2018


On Mon, Jul 23, 2018 at 5:46 AM C. L. Martinez <carlopmart at gmail.com> wrote:

> Hi all,
>
>  After updating my BSD sensors with the latest Suricata 4.1-rc1, I see the
> following error when I try to set up some disabled rules via the disable.conf
> file:
>
> 23/7/2018 -- 11:41:15 - <Info> -- Using data-directory /var/lib/suricata.
> 23/7/2018 -- 11:41:15 - <Info> -- Using Suricata configuration
> /etc/suricata/suricata.yaml
> 23/7/2018 -- 11:41:15 - <Info> -- Using /etc/suricata/rules for Suricata
> provided rules.
> 23/7/2018 -- 11:41:15 - <Info> -- Found Suricata version 4.1.0-rc1 at
> /usr/local/bin/suricata.
> 23/7/2018 -- 11:41:15 - <Info> -- Loading /etc/suricata/disable.conf.
> Traceback (most recent call last):
>   File "/usr/local/bin/suricata-update", line 33, in <module>
>     sys.exit(main.main())
>   File
> "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py",
> line 1441, in main
>     sys.exit(_main())
>   File
> "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py",
> line 1247, in _main
>     disable_matchers += load_matchers(disable_conf_filename)
>   File
> "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py",
> line 486, in load_matchers
>     return parse_matchers(fileobj)
>   File
> "/usr/local/bin/../lib/python3.6/site-packages/suricata/update/main.py",
> line 472, in parse_matchers
>     line = line.decode().strip()
> AttributeError: 'str' object has no attribute 'decode'
>
>  Content for disable.conf is:
>
> group:stream-events.rules
>
>  Removing the disable.conf file, all is working:
>
> 23/7/2018 -- 11:41:37 - <Info> -- Using data-directory /var/lib/suricata.
> 23/7/2018 -- 11:41:37 - <Info> -- Using Suricata configuration
> /etc/suricata/suricata.yaml
> 23/7/2018 -- 11:41:37 - <Info> -- Using /etc/suricata/rules for Suricata
> provided rules.
> 23/7/2018 -- 11:41:37 - <Info> -- Found Suricata version 4.1.0-rc1 at
> /usr/local/bin/suricata.
> 23/7/2018 -- 11:41:37 - <Info> -- Loading /etc/suricata/suricata.yaml
> 23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto nfs
> 23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto tftp
> 23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto modbus
> 23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto dnp3
> 23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto enip
> 23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto ntp
> 23/7/2018 -- 11:41:37 - <Info> -- Disabling rules with proto dhcp
> 23/7/2018 -- 11:41:37 - <Info> -- Checking
> https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules.md5.
> 23/7/2018 -- 11:41:37 - <Warning> -- Failed to check remote checksum: HTTP Error 404:
> Not Found
> 23/7/2018 -- 11:41:37 - <Info> -- Fetching
> https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules.
>  100% - 9855/9855
> 23/7/2018 -- 11:41:37 - <Info> -- Done.
> 23/7/2018 -- 11:41:37 - <Info> -- Checking
> https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5.
> 23/7/2018 -- 11:41:38 - <Info> -- Remote checksum has not changed. Not fetching.
> 23/7/2018 -- 11:41:38 - <Info> -- Checking
> https://sslbl.abuse.ch/blacklist/sslblacklist.rules.md5.
> 23/7/2018 -- 11:41:39 - <Warning> -- Failed to check remote checksum: HTTP Error 404:
> Not Found
> 23/7/2018 -- 11:41:39 - <Info> -- Fetching
> https://sslbl.abuse.ch/blacklist/sslblacklist.rules.
>  100% - 638816/638816
> 23/7/2018 -- 11:41:40 - <Info> -- Done.
> 23/7/2018 -- 11:41:40 - <Info> -- Checking
> https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.md5.
> 23/7/2018 -- 11:41:41 - <Info> -- Remote checksum has not changed. Not fetching.
> 23/7/2018 -- 11:41:41 - <Info> -- Ignoring file
> rules/emerging-deleted.rules
> 23/7/2018 -- 11:41:44 - <Info> -- Loaded 25994 rules.
> 23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and
> will be disabled: DC_SERVERS: [1:10002228] [PT OPEN] Overpass the hash.
> Encryption downgrade activity to ARCFOUR-HMAC-MD5
> 23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var
> and will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow
> Replication Attempt
> 23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and
> will be disabled: DC_SERVERS: [1:10002557] [PT OPEN] DCShadow Replication
> Attempt
> 23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var
> and will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow
> Replication Attempt - DRSUAPI_REPLICA_ADD from non-DC
> 23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and
> will be disabled: DC_SERVERS: [1:10002558] [PT OPEN] DCShadow Replication
> Attempt - DRSUAPI_REPLICA_ADD from non-DC
> 23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown source address var
> and will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC
> Creation
> 23/7/2018 -- 11:41:45 - <Warning> -- Rule has unknown dest address var and
> will be disabled: DC_SERVERS: [1:10002559] [PT OPEN] DCShadow: Fake DC
> Creation
> 23/7/2018 -- 11:41:45 - <Info> -- Disabled 0 rules.
> 23/7/2018 -- 11:41:45 - <Info> -- Enabled 0 rules.
> 23/7/2018 -- 11:41:45 - <Info> -- Modified 0 rules.
> 23/7/2018 -- 11:41:45 - <Info> -- Dropped 0 rules.
> 23/7/2018 -- 11:41:45 - <Info> -- Enabled 36 rules for flowbit
> dependencies.
> 23/7/2018 -- 11:41:45 - <Info> -- Backing up current rules.
> 23/7/2018 -- 11:41:50 - <Info> -- Writing rules to
> /var/lib/suricata/rules/suricata.rules: total: 25994; enabled: 21151;
> added: 0; removed 302; modified: 0
> 23/7/2018 -- 11:41:50 - <Info> -- Testing with suricata -T.
> 23/7/2018 -- 11:42:07 - <Info> -- Done.
>
>  Any idea?
>

Thanks for reporting this. I already have a fix ready and will be
submitting it as a PR for review today.

Jason
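The traceback above shows the cause: parse_matchers() calls line.decode() on every line, which only works when the file object yields bytes (binary mode). Under Python 3 a file opened in text mode yields str, which has no .decode(), hence the AttributeError as soon as disable.conf contains a line. The following is an added example, not suricata-update's own code or Jason's fix: a small disable.conf matcher parser that accepts both str and bytes lines, models the three matcher forms the file supports (a bare sid or gid:sid, group:<file pattern>, re:<regex>), and applies them to constructed sample rules. The Rule type, the sample rules, the sample disable.conf, and the exact matching semantics (fnmatch on the full and base name of the rule's source file, case-insensitive regex search) are assumptions for illustration.

```python
import fnmatch
import io
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Union

# Assumed minimal rule model: `group` is the file the rule was loaded from,
# which is what a "group:" line in disable.conf is matched against.
@dataclass
class Rule:
    gid: int
    sid: int
    group: str
    raw: str

# Constructed sample rules (not real ET or stream-events content).
SAMPLE_RULES = [
    Rule(1, 2210000, "rules/stream-events.rules",
         'alert tcp any any -> any any (msg:"SURICATA STREAM sample"; sid:2210000; rev:1;)'),
    Rule(1, 2210001, "rules/stream-events.rules",
         'alert tcp any any -> any any (msg:"SURICATA STREAM sample 2"; sid:2210001; rev:1;)'),
    Rule(1, 2000001, "rules/emerging-policy.rules",
         'alert tcp any any -> any any (msg:"ET POLICY sample"; sid:2000001; rev:1;)'),
    Rule(1, 2000002, "rules/emerging-malware.rules",
         'alert tcp any any -> any any (msg:"ET MALWARE sample"; sid:2000002; rev:1;)'),
    Rule(1, 2000003, "rules/emerging-web_server.rules",
         'alert tcp any any -> any any (msg:"ET WEB_SERVER sample"; sid:2000003; rev:1;)'),
]

# Constructed disable.conf: the poster's single line plus a sid and a regex entry.
DISABLE_CONF = """\
# comment lines and blank lines are skipped
group:stream-events.rules
2000001
re:ET MALWARE
"""

Matcher = Callable[[Rule], bool]
SID_RE = re.compile(r"^(?:(\d+):)?(\d+)$")


def decode_line_naive(line: Union[str, bytes]) -> str:
    """The pattern from the traceback: fine for bytes, AttributeError for str."""
    return line.decode().strip()


def naive_decode_crashes(line: Union[str, bytes]) -> bool:
    """True if decode_line_naive() raises for this input."""
    try:
        decode_line_naive(line)
        return False
    except AttributeError:
        return True


def decode_line(line: Union[str, bytes]) -> str:
    """Accept a line from a file opened in either text or binary mode."""
    if isinstance(line, bytes):
        line = line.decode("utf-8", errors="replace")
    return line.strip()


def parse_matcher(text: str, lineno: int) -> Matcher:
    """Turn one non-empty, non-comment disable.conf line into a predicate."""
    if text.startswith("group:"):
        pattern = text[len("group:"):].strip()
        # Assumed semantics: glob against the full path and the basename.
        return lambda r: (fnmatch.fnmatch(r.group, pattern)
                          or fnmatch.fnmatch(os.path.basename(r.group), pattern))
    if text.startswith("re:"):
        regex = re.compile(text[len("re:"):].strip(), re.IGNORECASE)
        return lambda r: regex.search(r.raw) is not None
    m = SID_RE.match(text)
    if m:
        gid = int(m.group(1)) if m.group(1) else 1   # gid defaults to 1
        sid = int(m.group(2))
        return lambda r: r.gid == gid and r.sid == sid
    raise ValueError("line %d: unrecognised matcher %r" % (lineno, text))


def parse_matchers(fileobj) -> List[Matcher]:
    """Parse a disable.conf-style file; str and bytes lines both work."""
    matchers = []
    for lineno, line in enumerate(fileobj, start=1):
        text = decode_line(line)
        if not text or text.startswith("#"):
            continue
        matchers.append(parse_matcher(text, lineno))
    return matchers


def disabled_sids(rules: List[Rule], matchers: List[Matcher]) -> List[int]:
    """Sids of rules hit by at least one matcher, sorted for stable output."""
    return sorted(r.sid for r in rules if any(m(r) for m in matchers))


def run_example():
    """Same config fed as text (StringIO) and as bytes (BytesIO)."""
    from_text = disabled_sids(SAMPLE_RULES, parse_matchers(io.StringIO(DISABLE_CONF)))
    from_bytes = disabled_sids(SAMPLE_RULES, parse_matchers(io.BytesIO(DISABLE_CONF.encode())))
    return from_text, from_bytes


if __name__ == "__main__":
    print(run_example())
```

Feeding the same configuration through io.StringIO and io.BytesIO exercises exactly the split that bit the poster: the text-mode path is the one that crashed in the original, and both paths now disable the same four sids (the two stream-events rules by group, 2000001 by sid, 2000002 by regex) while leaving 2000003 enabled.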