[Oisf-users] suricata-update unable to load et/open rules

Mustafa Qasim alajal at gmail.com
Tue Nov 13 10:42:28 UTC 2018


Hi,

So, I'm experimenting with the RPM installation from EPEL repository in
CentOS. dnp3 is returned as an enabled protocol in the following output but
I still get the error "protocol dnp3 is disabled" as shared in the previous
output.

Should one expect suricata-update not to work straight out of an
official RPM installation?

=========Supported App Layer Protocols=========
http
ftp
smtp
tls
ssh
imap
msn
smb
dcerpc
dns
enip
dnp3

------
*Mustafa Qasim*
PGP: C57E0A7C
<http://pgp.mit.edu/pks/lookup?op=get&search=0x0A9C8A5EC57E0A7C>


On Tue, Nov 13, 2018 at 9:31 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> Most of the rules that fail expect protocol analyzers like NFS, NTP,
> etc. enabled, and you only get them when Suricata's build process
> detects and uses support for the Rust language.
>
> Do you have Rust enabled? That's --enable-rust during the "configure" step.
>
> You can also check what protocols you have enabled with
>
> suricata --list-app-layer-protos
>
>
> On Tue, Nov 13, 2018 at 2:10 AM Mustafa Qasim <alajal at gmail.com> wrote:
> >
> > Hi,
> >
> > I'm trying the new rule management tool suricata-update. It's a clean
> 4.1.0 install on CentOS7 from epel repo.
> >
> > Only the et/open repo is enabled and following is the output when
> attempting to execute suricata-update.
> >
> > Any clues on troubleshooting?
> >
> >
> > 13/11/2018 -- 05:06:09 - <Info> -- Using data-directory
> /var/lib/suricata.
> > 13/11/2018 -- 05:06:09 - <Info> -- Using Suricata configuration
> /etc/suricata/suricata.yaml
> > 13/11/2018 -- 05:06:09 - <Info> -- Using /etc/suricata/rules for
> Suricata provided rules.
> > 13/11/2018 -- 05:06:09 - <Info> -- Found Suricata version 4.1.0 at
> /usr/bin/suricata.
> > 13/11/2018 -- 05:06:09 - <Info> -- Loading /etc/suricata/suricata.yaml
> > 13/11/2018 -- 05:06:09 - <Info> -- Disabling rules with proto modbus
> > 13/11/2018 -- 05:06:09 - <Info> -- Checking
> https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz.md5
> .
> > 13/11/2018 -- 05:06:10 - <Info> -- Fetching
> https://rules.emergingthreats.net/open/suricata-4.1.0/emerging.rules.tar.gz
> .
> >  100% - 2281744/2281744
> > 13/11/2018 -- 05:06:17 - <Info> -- Done.
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/app-layer-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/decoder-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/dnp3-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/dns-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/files.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/http-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/modbus-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/nfs-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/ntp-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/smtp-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/stream-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Loading distribution rule file
> /etc/suricata/rules/tls-events.rules
> > 13/11/2018 -- 05:06:17 - <Info> -- Ignoring file
> rules/emerging-deleted.rules
> > 13/11/2018 -- 05:06:20 - <Info> -- Loaded 23946 rules.
> > 13/11/2018 -- 05:06:20 - <Info> -- Disabled 9 rules.
> > 13/11/2018 -- 05:06:20 - <Info> -- Enabled 0 rules.
> > 13/11/2018 -- 05:06:20 - <Info> -- Modified 0 rules.
> > 13/11/2018 -- 05:06:20 - <Info> -- Dropped 0 rules.
> > 13/11/2018 -- 05:06:20 - <Info> -- Enabled 36 rules for flowbit
> dependencies.
> > 13/11/2018 -- 05:06:20 - <Info> -- Backing up current rules.
> > 13/11/2018 -- 05:06:24 - <Info> -- Writing rules to
> /var/lib/suricata/rules/suricata.rules: total: 23946; enabled: 19003;
> added: 158; removed 4; modified: 922
> > 13/11/2018 -- 05:06:24 - <Info> -- Testing with suricata -T.
> > 13/11/2018 -- 05:06:24 - <Warning> -- [ERRCODE:
> SC_ERR_DEPRECATED_CONF(274)] - deprecated 'force-md5' option found. Please
> use 'force-hash: [md5]' instead
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a
> signature.  Either detection for this protocol supported yet OR detection
> has been disabled for protocol through the yaml option
> app-layer.protocols.ntp.detection-enabled
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any
> -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server;
> app-layer-event:ntp.malformed_data; classtype:protocol-command-decode;
> sid:2222000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
> line 4411
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event
> "decoder.ipv4.frag_too_large"
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any
> any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large";
> decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)" from file
> /var/lib/suricata/rules/suricata.rules at line 5870
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Unknown object";
> app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode;
> sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 6501
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Bad link CRC";
> app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode;
> sid:2270002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 7176
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "nfs" cannot be used in a
> signature.  Either detection for this protocol supported yet OR detection
> has been disabled for protocol through the yaml option
> app-layer.protocols.nfs.detection-enabled
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert nfs any any
> -> any any (msg:"SURICATA NFS malformed response data"; flow:to_client;
> app-layer-event:nfs.malformed_data; classtype:protocol-command-decode;
> sid:2223001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
> line 8816
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Request flood detected";
> app-layer-event:dnp3.flooded; classtype:protocol-command-decode;
> sid:2270000; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 9774
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> > 13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Bad transport CRC";
> app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode;
> sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at
> line 10993
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "nfs" cannot be used in a
> signature.  Either detection for this protocol supported yet OR detection
> has been disabled for protocol through the yaml option
> app-layer.protocols.nfs.detection-enabled
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert nfs any any
> -> any any (msg:"SURICATA NFS malformed request data"; flow:to_server;
> app-layer-event:nfs.malformed_data; classtype:protocol-command-decode;
> sid:2223000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
> line 15022
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event
> "decoder.ipv6.frag_too_large"
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any
> any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large";
> decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)" from file
> /var/lib/suricata/rules/suricata.rules at line 17423
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a
> signature.  Either detection for this protocol supported yet OR detection
> has been disabled for protocol through the yaml option
> app-layer.protocols.ntp.detection-enabled
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any
> -> any any (msg:"SURICATA NTP malformed response data"; flow:to_client;
> app-layer-event:ntp.malformed_data; classtype:protocol-command-decode;
> sid:2222001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at
> line 22124
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any
> -> any any (msg:"SURICATA DNP3 Length too small";
> app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode;
> sid:2270001; rev:3;)" from file /var/lib/suricata/rules/suricata.rules at
> line 23365
> > 13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE:
> SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
> > 13/11/2018 -- 05:06:25 - <Error> -- Suricata test failed, aborting.
> > 13/11/2018 -- 05:06:25 - <Error> -- Restoring previous rules.
> >
> >
> > ------
> > Mustafa Qasim
> > PGP: C57E0A7C
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
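The thread's failure mode is that suricata-update's "suricata -T" test step rejects the whole rule set because of a handful of signatures for protocols this build cannot use (ntp, nfs), a protocol the yaml has disabled (dnp3), and two decode events the build does not know. An added example, not taken from the thread and not part of suricata-update itself, that triages that test output and drafts the disable.conf entries which would let the update go through; the log lines below are constructed from the messages quoted above, the re: matcher and the /etc/suricata/disable.conf path are suricata-update's own, and the script assumes that a re: pattern is searched against the raw rule text.

```python
import re

# Constructed sample, modelled on the "suricata -T" lines quoted in this
# thread (same ERRCODE names and SIDs); it stands in for a real log file.
SAMPLE_LOG = """\
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ntp" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ntp.detection-enabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ntp any any -> any any (msg:"SURICATA NTP malformed request data"; flow:to_server; app-layer-event:ntp.malformed_data; classtype:protocol-command-decode; sid:2222000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 4411
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 6501
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_DECODE_EVENT(186)] - unknown decode event "decoder.ipv4.frag_too_large"
13/11/2018 -- 05:06:24 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 5870
13/11/2018 -- 05:06:25 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
"""

# One pattern per failure class seen in the thread.
UNKNOWN_PROTO = re.compile(r'protocol "(\w+)" cannot be used in a signature')
DISABLED_PROTO = re.compile(r'protocol (\w+) is disabled')
BAD_SIG = re.compile(r'error parsing signature "alert (\w+) .*?sid:(\d+);')


def triage(log_text):
    """Classify 'suricata -T' errors.

    Returns (unsupported, disabled, failing): protocols this build cannot use,
    protocols present but disabled in suricata.yaml, and the SIDs of every
    signature that failed to parse, keyed by the rule's protocol keyword.
    """
    unsupported, disabled, failing = set(), set(), {}
    for line in log_text.splitlines():
        m = UNKNOWN_PROTO.search(line)
        if m:
            unsupported.add(m.group(1))
            continue
        m = DISABLED_PROTO.search(line)
        if m:
            disabled.add(m.group(1))
            continue
        m = BAD_SIG.search(line)
        if m:
            failing.setdefault(m.group(1), []).append(int(m.group(2)))
    return unsupported, disabled, failing


def disable_conf(unsupported, disabled, failing):
    """Render suricata-update disable.conf lines from triage() output.

    A protocol-level failure gets a 're:' entry (assumption: suricata-update
    searches the regex against the raw rule text), so every rule for that
    protocol is disabled at once.  Rules that failed for another reason, e.g.
    a decode event this build does not know, are disabled by SID.  Protocols
    that are only disabled in suricata.yaml are listed as well, but the better
    fix for those is to enable them in the yaml rather than drop the rules.
    """
    lines = []
    for proto in sorted(unsupported | disabled):
        why = "not usable in this build" if proto in unsupported else "disabled in suricata.yaml"
        lines.append("# %s: %s" % (proto, why))
        lines.append("re:^alert %s " % proto)
    for proto, sids in sorted(failing.items()):
        if proto in unsupported or proto in disabled:
            continue  # already covered by the re: line above
        lines.append("# %s rules that failed for a non-protocol reason" % proto)
        lines.extend(str(sid) for sid in sorted(sids))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pass the saved output of "suricata -T -c /etc/suricata/suricata.yaml"
    # as the first argument; with no argument the constructed sample is used.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(disable_conf(*triage(text)), end="")
```

Save the script's output as /etc/suricata/disable.conf (the file suricata-update reads by default) and rerun suricata-update; the next "suricata -T" pass should then load. For the dnp3 case the thread is actually about, the comment the script writes is the hint: the build lists dnp3 as supported, so the line to change is the dnp3 section of suricata.yaml, not the rule set.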