[Oisf-users] Warnings reported by suricata v5.x

Jason Ish jason.ish at oisf.net
Wed Apr 15 14:55:04 UTC 2020


Hi James,

On 2020-04-14 12:27 p.m., James Moe wrote:
> Suricata v5.0.2
> suricata-update version 1.1.1
> 
> Since v5.0.0 warnings typical of those below are emitted whenever the ruleset is
> loaded; there are 10 total. Also listed is a bonus set of warnings about
> duplicate IDs.
> 
> What do I do to correct the SC_ERR_UNKNOWN_VALUE cause?

You have some rules using classifications that Suricata does not know
about.  You'll have to find out where they are defined and rebuild your
classification.config.

In this case it looks like you can just grab the latest one from ET and
copy it in place:

https://rules.emergingthreats.net/open/suricata-5.0/classification.config

Suricata-Update does handle updating the classification.config, but will
in the future.

Hope that helps,
Jason

> 
> 
> 14/4/2020 -- 07:19:17 - <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] -
> signature at /usr/local/var/lib/suricata/rules/suricata.rules:5895 uses unknown
> classtype: "external-ip-check", using default priority 3. This message won't be
> shown again for this classtype
> 14/4/2020 -- 07:19:18 - <Warning> -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] -
> signature at /usr/local/var/lib/suricata/rules/suricata.rules:11361 uses unknown
> classtype: "domain-c2", using default priority 3. This message won't be shown
> again for this classtype
> 
> 14/4/2020 -- 07:19:08 - <Warning> -- Found duplicate rule SID 2200067, keeping
> the rule with greater revision.
> 14/4/2020 -- 07:19:08 - <Warning> -- Found duplicate rule SID 2200074, keeping
> the rule with greater revision.
> 14/4/2020 -- 07:19:08 - <Warning> -- Found duplicate rule SID 2012887 with same
> revision, keeping the first rule seen.
> 14/4/2020 -- 07:19:08 - <Warning> -- Found duplicate rule SID 2006380 with same
> revision, keeping the first rule seen.
> 
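
Added example (not part of the original message, and not OISF or Suricata-Update code): a Python check that lists the classtypes used by active rules but missing from a classification.config, along with duplicate SIDs, which are the two conditions behind the warnings quoted above. The sample config and rules are constructed, the function names are hypothetical, and the regexes only approximate rule parsing; they are not Suricata's parser.

```python
import re

# Constructed sample in classification.config format:
#   config classification: <shortname>,<description>,<priority>
SAMPLE_CLASSIFICATION = """\
# constructed sample, not the ET file
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: trojan-activity,A Network Trojan was detected,1
"""

# Constructed sample rules; SIDs are made up for the example.
SAMPLE_RULES = """\
alert dns any any -> any any (msg:"constructed A"; classtype:external-ip-check; sid:1000001; rev:1;)
alert http any any -> any any (msg:"constructed B"; classtype:trojan-activity; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; classtype:domain-c2; sid:1000003; rev:1;)
alert tls any any -> any any (msg:"constructed C"; classtype:domain-c2; sid:1000004; rev:2;)
alert tls any any -> any any (msg:"constructed C dup"; classtype:domain-c2; sid:1000004; rev:1;)
"""

CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,\s]+)\s*,")
CLASSTYPE_RE = re.compile(r"\bclasstype\s*:\s*([^;\s]+)\s*;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def defined_classtypes(config_text):
    """Return the set of classification short names defined in the config."""
    matches = (CLASS_RE.match(line) for line in config_text.splitlines())
    return {m.group(1) for m in matches if m}

def audit_rules(rules_text, known):
    """Return ({unknown classtype: [line numbers]}, {duplicate sid: [line numbers]})."""
    unknown, first_seen, duplicates = {}, {}, {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):  # skip blanks and disabled rules
            continue
        ct = CLASSTYPE_RE.search(rule)
        if ct and ct.group(1) not in known:
            unknown.setdefault(ct.group(1), []).append(lineno)
        sid = SID_RE.search(rule)
        if sid:
            n = int(sid.group(1))
            if n in first_seen:
                duplicates.setdefault(n, [first_seen[n]]).append(lineno)
            else:
                first_seen[n] = lineno
    return unknown, duplicates

if __name__ == "__main__":
    known = defined_classtypes(SAMPLE_CLASSIFICATION)
    print(audit_rules(SAMPLE_RULES, known))
```

To run it against a real installation, read the text of classification.config and suricata.rules from disk and pass them in place of the constructed samples.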

