[Oisf-users] [FORGED] modbus and dnp3

Russell Fulton r.fulton at auckland.ac.nz
Mon May 27 21:36:33 UTC 2019



> On 23/05/2019, at 4:47 AM, Jason Ish <jason.ish at oisf.net> wrote:
> 
> Hi Russell,
> 
> It looks like you are using suricata-update - it will pull these engine
> provided rules from /etc/suricata/rules or /usr/share/suricata/rules and
> include them in the output.

This is exactly what was happening — it took me quite a while (and considerable help from Travis Green) to figure out this is what was going on.  

The problem was I was building the exclusion list from the list of rule files in the tarball.
> 
> Suricata-Update does make an attempt to disable rules that don't have
> their app-layer enabled in the suricata.yaml, but anything other than
> standard install may trick that up. The easiest fix is to probably add
> something to your suricata-update disable.conf to disable these.

In the short term I simply deleted /usr/local/share/suricata ;).  I will work out a better fix next time it bites me ;)

> 
> ie) re:^alert dnp3
> 
> Hope that helps,
> Jason
> 
> On 2019-05-20 6:22 p.m., Russell Fulton wrote:
>> I am getting these errors from suricata on startup:
>> 
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 22
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 26
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";        app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 36
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 48
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 77
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";        app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 89
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 132
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
>> May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC";        app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 142
>> 
>> These are builtin rules (i.e. no rules from a rule file). I have done a bit of googling but I can’t see how to suppress these rules.
>> 
>> This started with the upgrade from 4.0.4 to 4.1.4.
>> 
>> Russell
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> 
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>> 
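The thread's fix is a `re:^alert <proto>` line in suricata-update's disable.conf for every app-layer protocol the yaml leaves disabled. As an added example (not code from the thread or from the Suricata project), the script below reads Suricata startup errors of the shape quoted above, extracts which protocols were reported disabled and which sids failed to parse, and generates the corresponding disable.conf lines; the log lines are constructed in the format of the quoted output.

```python
import re

# Constructed sample in the shape of the startup errors quoted in the thread.
SAMPLE_LOG = """\
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol modbus is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 22
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - protocol dnp3 is disabled
May 20 11:39:04 secmonprd10 suricata: [22253] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC"; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 36
"""

# "protocol <name> is disabled" lines name the app-layer parser that is off in suricata.yaml.
DISABLED_RE = re.compile(r"SC_ERR_INVALID_SIGNATURE\(\d+\)\] - protocol (\S+) is disabled")
# "error parsing signature" lines carry the rule text; capture its protocol keyword and sid.
SID_RE = re.compile(r'error parsing signature "alert (\S+) .*?sid:(\d+);')


def parse_disabled_protocols(log_text):
    """Return the set of protocol names Suricata reported as disabled."""
    return {m.group(1) for m in DISABLED_RE.finditer(log_text)}


def parse_failed_sids(log_text):
    """Return {protocol: [sid, ...]} for every signature that failed to parse."""
    out = {}
    for m in SID_RE.finditer(log_text):
        out.setdefault(m.group(1), []).append(int(m.group(2)))
    return out


def build_disable_conf(log_text):
    """Emit disable.conf lines: a comment listing the affected sids, then one
    're:^alert <proto>' regex per disabled protocol (sorted for stable output)."""
    protos = parse_disabled_protocols(log_text)
    sids = parse_failed_sids(log_text)
    lines = []
    for proto in sorted(protos):
        affected = sorted(sids.get(proto, []))
        lines.append(f"# {proto} app-layer disabled in suricata.yaml; sids: {affected}")
        lines.append(f"re:^alert {proto}")
    return lines


if __name__ == "__main__":
    # Paste the real suricata.log content in place of SAMPLE_LOG and append the
    # output to /etc/suricata/disable.conf (path assumed; check your install).
    print("\n".join(build_disable_conf(SAMPLE_LOG)))
```

Re-running suricata-update after adding these lines drops the affected engine-provided rules from the output instead of leaving them to fail at engine start.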


