[Oisf-users] assistance with suricata-update and no rules found

Jeff Dyke jeff.dyke at gmail.com
Thu Feb 21 16:26:23 UTC 2019


I've been using oinkmaster to update suricata rules for the last few years
(before suricata-update).  I'm going through the process of migrating and
am almost there, but get these warnings on start up:

21/2/2019 -- 16:10:36 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No
rule files match the pattern /var/lib/suricata/rules/suricata.rules
21/2/2019 -- 16:10:36 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] -
1 rule files specified, but no rule was loaded at all!

$> wc -l /var/lib/suricata/rules/suricata.rules
27012 /var/lib/suricata/rules/suricata.rules

These rules seem properly configured and my modified.conf, enable.conf and
drop/disable.conf are all respected, it seems.

I can find where that error happens in the code, but am unsure about the
(obvious) thing I am missing.  I am using the base suricata.yaml with an
include file, which I'm happy to display here.  I noticed there is no
merging, so when I replaced a node I grabbed all of the required bits.

Thanks for any assistance you can provide.

Jeff

%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[172.16.0.0/16, 96.XX.XX.NN, 10.0.0.118]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "[80, 81]"
    SHELLCODE_PORTS: "!$HTTP_PORTS"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
outputs:
  - stats:
      enabled: yes
      interval: 8
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filename: eve-ips.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        # Two operation modes are available, "extra-data" and "overwrite".
        mode: extra-data
        # Two proxy deployments are supported, "reverse" and "forward". In
        # a "reverse" deployment the IP address used is the last one, in a
        # "forward" deployment the first IP address is used.
        deployment: reverse
        # Header name where the actual IP address will be reported, if more
        # than one IP address is present, the last IP address will be the
        # one taken into consideration.
        header: X-Forwarded-For
      types:
      - alert:
          payload: yes
          payload-printable: yes
          http-body: yes
          http-body-printable: yes
          tagged-packets: yes
          metadata: yes
      - dns:
          enabled: no
      - nfs:
          enabled: no
      - smb:
          enabled: no
      - ssh:
          enabled: yes
      - drop:
          enabled: yes
      - tftp:
          enabled: no
      - ikev2:
          enabled: no
      - krb5:
          enabled: no
      - dhcp:
          enabled: no
      - stats:
          enabled: no
      - flow:
          enabled: no
      - http:
          enabled: yes
          extended: yes
      - tls:
          enabled: yes
          extended: yes

host-os-policy:
  linux: [172.16.0.0/16]
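As an added check (not code from the post above or from the Suricata project), the shell snippet below separates the raw line count of a suricata-update output file from the number of rules Suricata would actually try to load: rules disabled through disable.conf stay in the file as "# alert ..." comment lines, so `wc -l` alone cannot tell the two apart. The rules file it builds is a constructed sample with placeholder sids.

```shell
#!/bin/sh
# Added diagnostic for a suricata-update rules file (constructed example,
# not from the post or the Suricata project). `wc -l` counts every line,
# but rules disabled via disable.conf remain as "# alert ..." comments,
# so the line count says nothing about how many rules are active.

ACTIONS='alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth'

count_active_rules() {
    # Uncommented lines beginning with a rule action (grep -c prints 0
    # and exits 1 when nothing matches, hence the || true).
    grep -cE "^[[:space:]]*($ACTIONS)[[:space:]]" "$1" || true
}

count_disabled_rules() {
    # Rules suricata-update commented out; they are still in the file.
    grep -cE "^[[:space:]]*#[[:space:]]*($ACTIONS)[[:space:]]" "$1" || true
}

rule_file_summary() {
    # Prints a one-line summary; exits non-zero when the file is missing
    # or unreadable by the current user (approximates the first warning
    # in the post) or contains no active rule (approximates the second).
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    active=$(count_active_rules "$f")
    disabled=$(count_disabled_rules "$f")
    echo "$f: lines=$(wc -l < "$f") active=$active disabled=$disabled"
    [ "$active" -gt 0 ]
}

make_sample_rules() {
    # Constructed sample in the layout suricata-update emits; sids are
    # placeholders in the local (9000000+) range, not real signatures.
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Generated by suricata-update (constructed sample)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE web probe"; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE disabled via disable.conf"; sid:9000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE switched to drop via drop.conf"; sid:9000003; rev:1;)
EOF
    printf '%s\n' "$f"
}

# Stand-alone usage: summarise the constructed sample, then clean up.
sample=$(make_sample_rules)
rule_file_summary "$sample"
rm -f "$sample"
```

Point `rule_file_summary` at /var/lib/suricata/rules/suricata.rules while running as the user Suricata starts as to see whether the file is readable and how many of its 27012 lines are active rules.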