[Oisf-users] suricata-update: missing module(s)

Jason Ish jason.ish at oisf.net
Fri Nov 9 23:22:31 UTC 2018


On 2018-11-09 1:43 p.m., James Moe wrote:
> On 08/11/2018 6.03 PM, Jason Ish wrote:
> 
>> I see that suricata-update is in /usr/bin, but your suricata is in
>> /usr/local. Could you maybe have an old suricata-update install? If you
>> did install suricata in /usr/local, try:
>>
>> /usr/local/bin/suricata-update
>>
>    Ah, quite. That was the main issue with the invocation. And it worked
> as expected without the additional arguments.
>    The next step: There are 14 errors reported by suricata-update, all of
> them related to SMB, all with the error SC_ERR_INVALID_SIGNATURE.
> 
> ...info...
> 8/11/2018 -- 18:57:16 - <Info> -- Writing rules to
> /usr/local/var/lib/suricata/rules/suricata.rules: total: 23817; enabled:
> 18858; added: 23817; removed 0; modified: 0
> 8/11/2018 -- 18:57:17 - <Info> -- Testing with suricata -T.
> 
> 8/11/2018 -- 18:57:17 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any
> any -> any any (msg:"SURICATA SMB malformed request data";
> flow:to_server; app-layer-event:smb.malformed_data;
> classtype:protocol-command-decode; sid:2225002; rev:1;)" from file
> /usr/local/var/lib/suricata/rules/suricata.rules at line 1089
> 
> ...more...
> 
> 8/11/2018 -- 18:57:18 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)]
> - Loading signatures failed.
> 8/11/2018 -- 18:57:18 - <Error> -- Suricata test failed, aborting.
> 8/11/2018 -- 18:57:18 - <Error> -- Restoring previous rules.

I think you've hit a case that I'm not sure we can handle right now. 
You compiled Suricata without Rust, but some of the rules appear to 
depend on the Rust SMB support. The issue here is that there is SMB 
support with and without Rust, but they are not equivalent.

If the errors are only related to SMB, you'd be pretty safe to rerun 
with --no-test, and then restart Suricata. You'll see Suricata give 
those same errors but it should continue to startup.

Alternatively, disable those rules in your suricata-update disable.conf 
(for you this will likely default to 
/usr/local/etc/suricata/disable.conf), or rebuild with Rust support 
to get the much more complete SMB parser.

-- Jason
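As an added example, not code from this thread or from suricata-update itself, here is a small Python helper that triages the `suricata -T` output quoted above: it pulls each `SC_ERR_INVALID_SIGNATURE` line apart into sid, protocol, message and file/line, checks whether every failure really is an SMB rule (the condition under which rerunning with `--no-test` was suggested), and renders the failing SMB sids as disable.conf entries. The sample log embeds the real sid 2225002 line from the thread, unwrapped onto one line as Suricata prints it, plus two constructed lines (sid 2225003 and a non-SMB sid 9999001) so the "not only SMB" case is exercised as well; the function names and the constructed lines are my own.

```python
import re
from collections import Counter

# "suricata -T" prints one long line per rule that fails to parse. The rule
# text inside it contains its own double quotes (msg:"..."), so the rule is
# matched greedily up to the '" from file' marker, not to the first quote.
SIG_ERROR_RE = re.compile(
    r'\[ERRCODE: SC_ERR_INVALID_SIGNATURE\(\d+\)\] - error parsing signature '
    r'"(?P<rule>.*)" from file (?P<file>\S+) at line (?P<line>\d+)'
)
ACTION_PROTO_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)')
SID_RE = re.compile(r'\bsid:\s*(?P<sid>\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"(?P<msg>[^"]*)"')

# Constructed sample log in the format quoted in the thread. Line 2 is the
# real sid 2225002 error (unwrapped); sid 2225003 and sid 9999001 are constructed.
SAMPLE_LOG = "\n".join([
    '8/11/2018 -- 18:57:17 - <Info> -- Testing with suricata -T.',
    '8/11/2018 -- 18:57:17 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - '
    'error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed '
    'request data"; flow:to_server; app-layer-event:smb.malformed_data; '
    'classtype:protocol-command-decode; sid:2225002; rev:1;)" from file '
    '/usr/local/var/lib/suricata/rules/suricata.rules at line 1089',
    '8/11/2018 -- 18:57:17 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - '
    'error parsing signature "alert smb any any -> any any (msg:"CONSTRUCTED SMB '
    'example"; flow:to_client; app-layer-event:smb.malformed_data; '
    'classtype:protocol-command-decode; sid:2225003; rev:1;)" from file '
    '/usr/local/var/lib/suricata/rules/suricata.rules at line 1090',
    '8/11/2018 -- 18:57:17 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - '
    'error parsing signature "alert http any any -> any any (msg:"CONSTRUCTED non-SMB '
    'example"; sid:9999001; rev:1;)" from file '
    '/usr/local/var/lib/suricata/rules/suricata.rules at line 2000',
    '8/11/2018 -- 18:57:18 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - '
    'Loading signatures failed.',
])


def parse_invalid_signatures(log_text):
    """Return one dict per rule that failed to parse, in log order.

    Lines that are not SC_ERR_INVALID_SIGNATURE (Info lines, the final
    SC_ERR_NO_RULES_LOADED summary) are skipped.
    """
    failures = []
    for line in log_text.splitlines():
        m = SIG_ERROR_RE.search(line)
        if not m:
            continue
        rule = m.group("rule")
        ap = ACTION_PROTO_RE.match(rule)
        sid = SID_RE.search(rule)
        msg = MSG_RE.search(rule)
        failures.append({
            "sid": int(sid.group("sid")) if sid else None,
            "proto": ap.group("proto").lower() if ap else None,
            "msg": msg.group("msg") if msg else "",
            "file": m.group("file"),
            "line": int(m.group("line")),
        })
    return failures


def failures_by_protocol(failures):
    """Count parse failures per rule protocol, e.g. Counter({'smb': 14})."""
    return Counter(f["proto"] for f in failures)


def only_protocol(failures, proto="smb"):
    """True when every failure is a `proto` rule and there is at least one.

    This is the check behind the advice above: if the only rules rejected by
    a non-Rust build are SMB rules, rerunning with --no-test only drops those.
    """
    return bool(failures) and all(f["proto"] == proto for f in failures)


def disable_conf_entries(failures, proto="smb"):
    """Render disable.conf lines for the failing `proto` rules.

    suricata-update's disable.conf accepts a bare sid per line; lines
    starting with '#' are comments, so the rule msg goes on its own line.
    """
    chosen = sorted((f for f in failures if f["proto"] == proto),
                    key=lambda f: f["sid"] or 0)
    out = []
    for f in chosen:
        out.append(f"# {f['msg']} ({f['file']}:{f['line']})")
        out.append(str(f["sid"]))
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_invalid_signatures(SAMPLE_LOG)
    print("failures per protocol:", dict(failures_by_protocol(found)))
    print("all failures are SMB (ok for --no-test):", only_protocol(found))
    print(disable_conf_entries(found))
```

Run it against the real output by piping `suricata -T -c /usr/local/etc/suricata/suricata.yaml` (or the suricata-update log) into `parse_invalid_signatures`; if `only_protocol` returns False, at least one non-SMB rule is also broken and the `--no-test` shortcut would hide a failure unrelated to the missing Rust parser.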


