[Oisf-users] suricata-update unable to load et/open rules

Mustafa Qasim alajal at gmail.com
Tue Nov 13 10:09:33 UTC 2018


Hi,

I'm trying the new rule management tool suricata-update. It's a clean 4.1.0
install on CentOS7 from the epel repo.

Only the et/open repo is enabled, and the following is the output when
attempting to execute suricata-update.

Any clues on troubleshooting?


13/11/2018 -- 05:06:09 - <Info> -- Using data-directory /var/lib/suricata.
13/11/2018 -- 05:06:09 - <Info> -- Using Suricata configuration
/etc/suricata/suricata.yaml
13/11/2018 -- 05:06:09 - <Info> -- Using /etc/suricata/rules for Suricata
provided rules.
13/11/2018 -- 05:06:09 - <Info> -- Found Suricata version 4.1.0 at
/usr/bin/suricata.
13/11/2018 -- 05:06:09 - <Info> -- Loading /etc/suricata/suricata.yaml
13/11/2018 -- 05:06:09 - <Info> -- Disabling rules with proto modbus
13/11/2018 -- 05:06:09 - <Info> -- Checking
https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5
.
13/11/2018 -- 05:06:10 - <Info> -- Fetching
https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.
 100% - 2281744/2281744
13/11/2018 -- 05:06:17 - <Info> -- Done.
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/app-layer-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/decoder-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/dnp3-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/dns-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/files.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/http-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/modbus-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/nfs-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/ntp-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/smtp-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/stream-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
/etc/suricata/rules/tls-events.rules
13/11/2018 -- 05:06:17 - <Info> -- Ignoring file
rules/emerging-deleted.rules
13/11/2018 -- 05:06:20 - <Info> -- Loaded 23946 rules.
13/11/2018 -- 05:06:20 - <Info> -- Disabled 9 rules.
13/11/2018 -- 05:06:20 - <Info> -- Enabled 0 rules.
13/11/2018 -- 05:06:20 - <Info> -- Modified 0 rules.
13/11/2018 -- 05:06:20 - <Info> -- Dropped 0 rules.
13/11/2018 -- 05:06:20 - <Info> -- Enabled 36 rules for flowbit
dependencies.
13/11/2018 -- 05:06:20 - <Info> -- Backing up current rules.
13/11/2018 -- 05:06:24 - <Info> -- Writing rules to
/var/lib/suricata/rules/suricata.rules: total: 23946; enabled: 19003;
added: 158; removed 4; modified: 922
13/11/2018 -- 05:06:24 - <Info> -- Testing with suricata -T.
13/11/2018 -- 05:06:24 - <Warning> -- [ERRCODE:
SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please
use 'force-hash: [md5]' instead
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)]
- protocol "ntp" cannot be used in a signature.  Either detection for this
protocol supported yet OR detection has been disabled for protocol through
the yaml option app-layer.protocols.ntp.detection-enabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP
malformed request data"; flow:to_server;
app-layer-event:ntp.malformed_data; classtype:protocol-command-decode;
sid:2222000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
line 4411
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event
"decoder.ipv4.frag_too_large"
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA
FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large;
sid:2200069; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
line 5870
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- protocol dnp3 is disabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA
DNP3 Unknown object";        app-layer-event:dnp3.unknown_object;
classtype:protocol-command-decode; sid:2270004; rev:2;)" from file
/var/lib/suricata/rules/suricata.rules at line 6501
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- protocol dnp3 is disabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA
DNP3 Bad link CRC";        app-layer-event:dnp3.bad_link_crc;
classtype:protocol-command-decode; sid:2270002; rev:2;)" from file
/var/lib/suricata/rules/suricata.rules at line 7176
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)]
- protocol "nfs" cannot be used in a signature.  Either detection for this
protocol supported yet OR detection has been disabled for protocol through
the yaml option app-layer.protocols.nfs.detection-enabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert nfs any any -> any any (msg:"SURICATA NFS
malformed response data"; flow:to_client;
app-layer-event:nfs.malformed_data; classtype:protocol-command-decode;
sid:2223001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
line 8816
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- protocol dnp3 is disabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA
DNP3 Request flood detected";        app-layer-event:dnp3.flooded;
classtype:protocol-command-decode; sid:2270000; rev:2;)" from file
/var/lib/suricata/rules/suricata.rules at line 9774
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- protocol dnp3 is disabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA
DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc;
classtype:protocol-command-decode; sid:2270003; rev:2;)" from file
/var/lib/suricata/rules/suricata.rules at line 10993
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)]
- protocol "nfs" cannot be used in a signature.  Either detection for this
protocol supported yet OR detection has been disabled for protocol through
the yaml option app-layer.protocols.nfs.detection-enabled
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert nfs any any -> any any (msg:"SURICATA NFS
malformed request data"; flow:to_server;
app-layer-event:nfs.malformed_data; classtype:protocol-command-decode;
sid:2223000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
line 15022
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event
"decoder.ipv6.frag_too_large"
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA
FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large;
sid:2200071; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
line 17423
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)]
- protocol "ntp" cannot be used in a signature.  Either detection for this
protocol supported yet OR detection has been disabled for protocol through
the yaml option app-layer.protocols.ntp.detection-enabled
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP
malformed response data"; flow:to_client;
app-layer-event:ntp.malformed_data; classtype:protocol-command-decode;
sid:2222001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
line 22124
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- protocol dnp3 is disabled
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)]
- error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA
DNP3 Length too small";        app-layer-event:dnp3.len_too_small;
classtype:protocol-command-decode; sid:2270001; rev:3;)" from file
/var/lib/suricata/rules/suricata.rules at line 23365
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] -
Loading signatures failed.
13/11/2018 -- 05:06:25 - <Error> -- Suricata test failed, aborting.
13/11/2018 -- 05:06:25 - <Error> -- Restoring previous rules.


------
*Mustafa Qasim*
PGP: C57E0A7C
<http://pgp.mit.edu/pks/lookup?op=get&search=0x0A9C8A5EC57E0A7C>
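A small triage script for the `suricata -T` output quoted in the post, added here as an example and not part of the original message or of suricata-update itself: it pairs each engine error with the sid, file and line of the rejected rule, lists the app-layer protocols those rules need enabled in suricata.yaml, and renders the alternative as disable.conf entries for suricata-update. The sample log is a constructed abridgement of the lines above; the function names are my own.

```python
import re

# Constructed sample: six <Error> lines abridged from the `suricata -T` output in the post.
SAMPLE_LOG = """\
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 4411
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event "decoder.ipv4.frag_too_large"
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 5870
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 6501
"""

# The engine logs the cause first, then the rejected signature with its sid/file/line.
CAUSES = [
    (re.compile(r'protocol "(\w+)" cannot be used in a signature'), "protocol disabled"),
    (re.compile(r'protocol (\w+) is disabled'), "protocol disabled"),
    (re.compile(r'unknown decode event "([\w.]+)"'), "unknown decode event"),
]
SIG_RE = re.compile(r'error parsing signature "(.*)" from file (\S+) at line (\d+)')
SID_RE = re.compile(r'sid:(\d+);')

def parse_test_errors(text):
    """Pair each cause line with the 'error parsing signature' line that follows it."""
    errors, pending = [], None
    for raw in text.splitlines():
        for rx, kind in CAUSES:          # remember the most recent cause line
            m = rx.search(raw)
            if m:
                pending = (kind, m.group(1))
                break
        else:                            # no cause matched: is it the rejected rule?
            m = SIG_RE.search(raw)
            if m:
                sid = SID_RE.search(m.group(1))
                errors.append({"sid": int(sid.group(1)) if sid else None,
                               "reason": pending[0] if pending else "unknown",
                               "detail": pending[1] if pending else None,
                               "file": m.group(2), "line": int(m.group(3))})
                pending = None
    return errors

def protocols_to_enable(errors):
    """App-layer protocols the rejected rules need enabled in suricata.yaml."""
    return sorted({e["detail"] for e in errors if e["reason"] == "protocol disabled"})

def disable_conf_lines(errors):
    """disable.conf entries (comment line, then bare sid) for every rejected rule."""
    return [line for e in errors if e["sid"] is not None
            for line in (f"# {e['reason']}: {e['detail']} (rules line {e['line']})", str(e["sid"]))]
```

Either fix resolves the failure: enable the listed protocols under `app-layer.protocols` in suricata.yaml, or write the sid lines to suricata-update's disable.conf so the distribution rules for disabled protocols are skipped on the next run.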