[Oisf-users] modbus and dnp3

Jason Ish jason.ish at oisf.net
Wed May 22 16:47:22 UTC 2019


Hi Russell,

It looks like you are using suricata-update - it will pull these engine
provided rules from /etc/suricata/rules or /usr/share/suricata/rules and
include them in the output.

Suricata-Update does make an attempt to disable rules that don't have
their app-layer enabled in the suricata.yaml, but anything other than
standard install may trick that up. The easiest fix is to probably add
something to your suricata-update disable.conf to disable these.

i.e. re:^alert dnp3

Hope that helps,
Jason

On 2019-05-20 6:22 p.m., Russell Fulton wrote:
> I am getting these errors from suricata on startup:
> 
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 22
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 26
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 36
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 48
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 77
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";        app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 89
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 132
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC";        app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 142
> M
> 
> These are built-in rules (i.e. no rules from a rule file). I have done a bit of googling but I can’t see how to suppress these rules.
> 
> This started with the upgrade from 4.0.4 to 4.1.4.
> 
> Russell
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
> 
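To make the suggestion above concrete, here is an added illustration (not suricata-update's own code, nor anything from the thread) of how a disable.conf is applied to a rules file: each `re:` entry is a regex tested against the rule text, a bare number is a sid, and a matching rule is commented out in the output. The optional `enabled_app_layers` argument is an assumed approximation of the app-layer check the reply describes; the sample rules reuse sids quoted in the startup errors, and the HTTP rule and the disable.conf contents are constructed.

```python
import re

# Constructed sample rules; the two ICS rules reuse sids quoted in the
# thread's startup errors, the HTTP rule is made up for contrast.
SAMPLE_RULES = """\
alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)
alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)
alert http any any -> any any (msg:"CONSTRUCTED example HTTP rule"; content:"GET"; sid:9000001; rev:1;)
"""

# Constructed disable.conf: one regex entry (the form suggested in the
# reply) and one bare-sid entry.
DISABLE_CONF = """\
# entries: a bare sid, or re:<regex> matched against the rule text
re:^alert dnp3
2250004
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
PROTO_RE = re.compile(r"^\s*(?:#\s*)?(?:alert|drop|pass|reject)\s+(\S+)")

# Protocols that are not app-layer parsers and so never depend on the
# app-layer.protocols section of suricata.yaml (assumption for this example).
BASE_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def rule_sid(rule):
    """Extract the numeric sid from a rule line, or None if absent."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rule_protocol(rule):
    """Return the protocol keyword following the rule action, lower-cased."""
    m = PROTO_RE.match(rule)
    return m.group(1).lower() if m else None


def parse_disable_conf(text):
    """Turn disable.conf lines into predicates over a single rule line."""
    predicates = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            pattern = re.compile(line[3:].strip())
            predicates.append(lambda rule, p=pattern: p.search(rule) is not None)
        elif line.isdigit():
            predicates.append(lambda rule, s=int(line): rule_sid(rule) == s)
        else:
            raise ValueError("unsupported disable.conf entry: %r" % line)
    return predicates


def apply_disable_conf(rules_text, disable_text, enabled_app_layers=None):
    """Return (output lines, set of sids that were commented out).

    A rule is commented out when a disable.conf entry matches it, or when
    enabled_app_layers is given and the rule's protocol is an app-layer
    protocol missing from that set (hypothetical approximation of the
    app-layer check described in the reply).
    """
    predicates = parse_disable_conf(disable_text)
    out, disabled = [], set()
    for rule in rules_text.splitlines():
        if not rule.strip() or rule.lstrip().startswith("#"):
            out.append(rule)  # blank or already-disabled line passes through
            continue
        proto = rule_protocol(rule)
        by_conf = any(pred(rule) for pred in predicates)
        by_layer = (enabled_app_layers is not None
                    and proto not in BASE_PROTOCOLS
                    and proto not in enabled_app_layers)
        if by_conf or by_layer:
            out.append("# " + rule)
            disabled.add(rule_sid(rule))
        else:
            out.append(rule)
    return out, disabled


if __name__ == "__main__":
    lines, sids = apply_disable_conf(SAMPLE_RULES, DISABLE_CONF)
    print("\n".join(lines))
    print("disabled sids:", sorted(sids))
```

Running it shows the modbus rule disabled by its sid and the dnp3 rule disabled by the `re:^alert dnp3` entry, while the HTTP rule is left active; passing `enabled_app_layers={"http"}` with an empty disable.conf disables the same two rules because their protocols are not in the enabled set, which is the situation that produced the "protocol modbus is disabled" errors quoted above.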

