[Oisf-users] suricata-update unable to load et/open rules

Michał Purzyński michalpurzynski1 at gmail.com
Tue Nov 13 10:30:28 UTC 2018


Most of the rules that fail expect protocol analyzers like NFS, NTP,
etc. to be enabled, and you only get them when Suricata's build process
detects and uses support for the Rust language.

Do you have Rust enabled? That's --enable-rust during the "configure" step.

You can also check what protocols you have enabled with

suricata --list-app-layer-protos


On Tue, Nov 13, 2018 at 2:10 AM Mustafa Qasim <alajal at gmail.com> wrote:
>
> Hi,
>
> I'm trying the new rule management tool suricata-update. It's a clean 4.1.0 install on CentOS 7 from the EPEL repo.
>
> Only the et/open repo is enabled, and the following is the output when attempting to execute suricata-update.
>
> Any clues on troubleshooting?
>
>
> 13/11/2018 -- 05:06:09 - <Info> -- Using data-directory /var/lib/suricata.
> 13/11/2018 -- 05:06:09 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
> 13/11/2018 -- 05:06:09 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
> 13/11/2018 -- 05:06:09 - <Info> -- Found Suricata version 4.1.0 at /usr/bin/suricata.
> 13/11/2018 -- 05:06:09 - <Info> -- Loading /etc/suricata/suricata.yaml
> 13/11/2018 -- 05:06:09 - <Info> -- Disabling rules with proto modbus
> 13/11/2018 -- 05:06:09 - <Info> -- Checking https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5.
> 13/11/2018 -- 05:06:10 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.
>  100% - 2281744/2281744
> 13/11/2018 -- 05:06:17 - <Info> -- Done.
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/files.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/http-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
> 13/11/2018 -- 05:06:17 - <Info> -- Ignoring file rules/emerging-deleted.rules
> 13/11/2018 -- 05:06:20 - <Info> -- Loaded 23946 rules.
> 13/11/2018 -- 05:06:20 - <Info> -- Disabled 9 rules.
> 13/11/2018 -- 05:06:20 - <Info> -- Enabled 0 rules.
> 13/11/2018 -- 05:06:20 - <Info> -- Modified 0 rules.
> 13/11/2018 -- 05:06:20 - <Info> -- Dropped 0 rules.
> 13/11/2018 -- 05:06:20 - <Info> -- Enabled 36 rules for flowbit dependencies.
> 13/11/2018 -- 05:06:20 - <Info> -- Backing up current rules.
> 13/11/2018 -- 05:06:24 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 23946; enabled: 19003; added: 158; removed 4; modified: 922
> 13/11/2018 -- 05:06:24 - <Info> -- Testing with suricata -T.
> 13/11/2018 -- 05:06:24 - <Warning> -- [ERRCODE: SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please use 'force-hash: [md5]' instead
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 4411
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event "decoder.ipv4.frag_too_large"
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 5870
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";        app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 6501
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC";        app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 7176
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "nfs" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.nfs.detection-enabled
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert nfs any any -> any any (msg:"SURICATA NFS malformed response data"; flow:to_client; app-layer-event:nfs.malformed_data; classtype:protocol-command-decode; sid:2223001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 8816
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected";        app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 9774
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 10993
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "nfs" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.nfs.detection-enabled
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert nfs any any -> any any (msg:"SURICATA NFS malformed request data"; flow:to_server; app-layer-event:nfs.malformed_data; classtype:protocol-command-decode; sid:2223000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 15022
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event "decoder.ipv6.frag_too_large"
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 17423
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed response data"; flow:to_client; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 22124
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small";        app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;)" from file /var/lib/suricata/rules/suricata.rules at line 23365
> 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
> 13/11/2018 -- 05:06:25 - <Error> -- Suricata test failed, aborting.
> 13/11/2018 -- 05:06:25 - <Error> -- Restoring previous rules.
>
>
> ------
> Mustafa Qasim
> PGP: C57E0A7C
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
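The diagnosis above boils down to reading the `suricata -T` errors in pairs: a cause line (an app-layer protocol that is not compiled in or is disabled in suricata.yaml, or an unknown decode event) followed by the signature that failed, and then comparing the protocols the rules need against what `suricata --list-app-layer-protos` reports. The script below is an added example, not code from this thread, from Suricata or from suricata-update. It groups the failed signatures by cause, cross-checks them against the protocol list, and renders disable.conf entries as a stop-gap until the analyzers are built in. It assumes the log line shapes quoted in the thread, that disable.conf accepts plain sids and `re:` patterns, and that `--list-app-layer-protos` prints one protocol name per line under a `===` banner; the sample protocol list is constructed.

```python
"""Triage 'suricata -T' failures reported by suricata-update (added example)."""
import re

# Sample taken from the log quoted in the thread, trimmed to representative lines.
SAMPLE_LOG = """\
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 4411
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event "decoder.ipv4.frag_too_large"
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 5870
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";        app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 6501
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed response data"; flow:to_client; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 22124
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
"""

# Constructed stand-in for 'suricata --list-app-layer-protos' on a build without the
# Rust-backed analyzers (no ntp/nfs) and with dnp3 left off (assumed output shape).
SAMPLE_PROTO_LIST = """\
=========Supported App Layer Protocols=========
http
ftp
smtp
tls
dns
modbus
"""

UNKNOWN_PROTO = re.compile(r'SC_ERR_UNKNOWN_PROTOCOL\(\d+\)\] - protocol "(\w+)" cannot be used')
DISABLED_PROTO = re.compile(r'SC_ERR_INVALID_SIGNATURE\(\d+\)\] - protocol (\w+) is disabled')
UNKNOWN_EVENT = re.compile(r'SC_ERR_UNKNOWN_DECODE_EVENT\(\d+\)\] - unknown decode event "([\w.]+)"')
BAD_SIG = re.compile(r'error parsing signature "alert (\w+) .*?sid:(\d+);.*?" from file (\S+) at line (\d+)')


def triage(log_text):
    """Attach each failed signature to the cause line Suricata printed just before it.

    Returns {"missing_protocols": {proto: [sid, ...]},   # not compiled in or disabled in yaml
             "unknown_decode_events": {event: [sid, ...]},
             "unclassified": {proto: [sid, ...]},        # failed with no recognised cause line
             "fatal": bool}                              # SC_ERR_NO_RULES_LOADED seen
    """
    report = {"missing_protocols": {}, "unknown_decode_events": {}, "unclassified": {}, "fatal": False}
    bucket_for = {"proto": "missing_protocols", "event": "unknown_decode_events", "other": "unclassified"}
    pending = None  # most recent cause line, as (kind, name)
    for line in log_text.splitlines():
        m = UNKNOWN_PROTO.search(line) or DISABLED_PROTO.search(line)
        if m:
            pending = ("proto", m.group(1))
            continue
        m = UNKNOWN_EVENT.search(line)
        if m:
            pending = ("event", m.group(1))
            continue
        m = BAD_SIG.search(line)
        if m:
            proto, sid, _path, _lineno = m.groups()
            kind, name = pending if pending else ("other", proto)
            report[bucket_for[kind]].setdefault(name, []).append(int(sid))
            pending = None  # each cause line explains exactly one signature
            continue
        if "SC_ERR_NO_RULES_LOADED" in line:
            report["fatal"] = True
    return report


def enabled_protocols(list_output):
    """Protocol names from 'suricata --list-app-layer-protos' output (banner lines skipped)."""
    return {ln.strip() for ln in list_output.splitlines() if ln.strip() and "=" not in ln}


def rule_protocols_not_enabled(report, list_output):
    """Protocols the failing rules need that this binary does not list as supported."""
    return sorted(set(report["missing_protocols"]) - enabled_protocols(list_output))


def disable_conf_lines(report):
    """Stop-gap disable.conf entries so the rule set loads: one 're:' pattern per missing
    protocol (every rule using that protocol keyword) and the sid of each rule that
    references an unknown decode event. Building the analyzers in is the real fix."""
    lines = ["re:^alert %s " % proto for proto in sorted(report["missing_protocols"])]
    for event, sids in sorted(report["unknown_decode_events"].items()):
        lines.append("# unknown decode event %s" % event)
        lines.extend(str(sid) for sid in sids)
    return lines


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("rule loading fatal:", rep["fatal"])
    print("needed but not enabled in this binary:", rule_protocols_not_enabled(rep, SAMPLE_PROTO_LIST))
    print("\n".join(disable_conf_lines(rep)))
```

On a real host, feed it the output of `suricata -T -c /etc/suricata/suricata.yaml` (or the suricata-update log) and of `suricata --list-app-layer-protos`; a protocol that shows up as needed but not listed means the binary lacks that analyzer, which for NFS and NTP points back at a build without `--enable-rust`.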
