StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Suricata crash #168

Open markeur opened 5 years ago

markeur commented 5 years ago

Hello, I have been running SELKS for a few weeks, and after a few days the RAM grows high and Suricata regularly crashes, with errors in the log like "error parsing signature" for rules.

My server has the following configuration:

Please can you help me.

pevma commented 5 years ago

Hi, can you give an example of the parsing error?

Thank you

-- Regards, Peter Manev

On 25 Mar 2019, at 11:56, markeur notifications@github.com wrote:

Hello, I have been running SELKS for a few weeks, and after a few days the RAM grows high and Suricata regularly crashes, with errors in the log like "error parsing signature" for rules.

My server has the following configuration: 10 GB of RAM, 2 vCPUs, running on a Hyper-V hypervisor. Please can you help me.


markeur commented 5 years ago

Hi, please find below a part of my suricata.log:

23/3/2019 -- 02:00:30 - (detect-engine-address.c:1151) <Error> (DetectAddressMergeNot) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)" from file /etc/suricata/rules/scirius.rules at line 24028
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-address.c:1151) <Error> (DetectAddressMergeNot) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/scirius.rules at line 25662
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-address.c:1151) <Error> (DetectAddressMergeNot) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/scirius.rules at line 25682
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2520000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520000; rev:3543; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2018_12_14; iprep:src,2520000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31644
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2522000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522000; rev:3543; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2018_12_14; iprep:src,2522000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31645
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2403300"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:45659; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_14; iprep:src,2403300,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31646
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2500000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:4917; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_14; iprep:src,2500000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31647
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2402000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5030; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2018_12_14; iprep:src,2402000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 32750
[27517] 23/3/2019 -- 02:00:31 - (detect-parse.c:1925) <Info> (SigInit) -- Rule with ID 2001259 is bidirectional, but source and destination are the same, treating the rule as unidirectional
[27517] 23/3/2019 -- 02:00:31 - (detect-parse.c:1925) <Info> (SigInit) -- Rule with ID 2001805 is bidirectional, but source and destination are the same, treating the rule as unidirectional
[27517] 23/3/2019 -- 02:00:31 - (detect-parse.c:1925) <Info> (SigInit) -- Rule with ID 2009375 is bidirectional, but source and destination are the same, treating the rule as unidirectional
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 1 rule files processed. 18190 rules successfully loaded, 14 rules failed
[27517] 23/3/2019 -- 02:00:31 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-build.c:1427) <Info> (SigAddressPrepareStage1) -- 18192 signatures processed. 3 are IP-only rules, 6274 are inspecting packet payload, 14167 inspect application layer, 0 are decoder event only
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-build.c:1170) <Warning> (RulesGroupByPorts) -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 3700003: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction
[27517] 23/3/2019 -- 02:00:41 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 3 thread(s)
[27517] 23/3/2019 -- 02:00:41 - (util-conf.c:115) <Info> (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[27517] 23/3/2019 -- 02:00:41 - (unix-manager.c:131) <Info> (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[27517] 23/3/2019 -- 02:00:41 - (tm-threads.c:2172) <Notice> (TmThreadWaitOnThreadInit) -- all 3 packet processing threads, 4 management threads initialized, engine started.
[27526] 23/3/2019 -- 02:00:41 - (source-af-packet.c:509) <Notice> (AFPPeersListReachedInc) -- All AFP capture threads are running.
[164333] 24/3/2019 -- 02:00:40 - (suricata.c:1085) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 3eec088d)
[164333] 24/3/2019 -- 02:00:40 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 3
[164333] 24/3/2019 -- 02:00:40 - (util-pidfile.c:133) <Error> (SCPidfileTestRunning) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!

Thank you for your help.

pevma commented 5 years ago

What is the definition of HOME_NET / EXTERNAL_NET in your /etc/suricata/selks5-addins.yaml?

-- Regards, Peter Manev


markeur commented 5 years ago

Hello, I don't find any HOME_NET / EXTERNAL_NET in my /etc/suricata/selks5-addins.yaml, so I give those I define in /etc/suricata/suricata.yaml:

HOME_NET: "any"
EXTERNAL_NET: "any"

pevma commented 5 years ago

That can account for some of the errors, as you have rules basically saying “alert !$HOME_NET”, which translates to an impossible condition -> !any (not any). HOME_NET should be defined as whatever your internal/home network range is.

-- Regards, Peter Manev

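The "!any" condition pevma describes, and the "unknown iprep category" errors in the logs above, can both be caught before Suricata loads a rule set. The checker below is an added example, not SELKS or Suricata code: it uses a simplified model of Suricata's address-group parsing, the HOME_NET/EXTERNAL_NET values reported in the thread (with SMTP_SERVERS and DNS_SERVERS defaulting to $HOME_NET, as in a stock suricata.yaml), a constructed category table and shortened headers of four rules from the log.

```python
import re
from typing import Dict, List, Set

# Rule header: action proto src sport dir dst dport, followed by "(" options.
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
IPREP_RE = re.compile(r"\biprep\s*:\s*(?:src|dst|both|any)\s*,\s*(\d+)\s*,")  # iprep:<side>,<cat>,...


def split_group(body: str) -> List[str]:
    """Split 'a,[b,c],!d' on top-level commas only."""
    items, cur, depth = [], "", 0
    for ch in body:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items, cur = items + [cur], ""
        else:
            cur += ch
    return [i.strip() for i in items + [cur] if i.strip()]


def covers_all(spec: str, variables: Dict[str, str]) -> bool:
    """Simplified model of Suricata address parsing: True if the spec, after
    variable expansion, covers the complete IP space.  'any' does; a variable
    does if its value does; a group does if a positive member does and it has
    no '!' exclusions; a negation or an undefined variable never does."""
    spec = spec.strip()
    if spec.startswith("!"):
        return False
    if spec.startswith("$"):
        return covers_all(variables.get(spec[1:], ""), variables)
    if spec.startswith("[") and spec.endswith("]"):
        members = split_group(spec[1:-1])
        return (not any(m.startswith("!") for m in members)
                and any(covers_all(m, variables) for m in members))
    return spec.lower() == "any"


def is_nil_range(spec: str, variables: Dict[str, str]) -> bool:
    """True when the spec negates the whole IP space ('!any'): the condition
    behind 'Complete IP space negated. Rule address range is NIL'."""
    spec = spec.strip()
    if spec.startswith("!"):
        return covers_all(spec[1:], variables)
    if spec.startswith("$"):
        return is_nil_range(variables.get(spec[1:], ""), variables)
    return False


def lint_rule(rule: str, variables: Dict[str, str], categories: Set[int]) -> List[str]:
    """Return the load-time problems one rule would trigger (empty if clean)."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["unparseable rule header"]
    problems = [f"{side} address resolves to !any (NIL range)"
                for side in ("src", "dst") if is_nil_range(m.group(side), variables)]
    problems += [f'unknown iprep category "{cat}"'
                 for cat in IPREP_RE.findall(rule) if int(cat) not in categories]
    return problems


def lint_rules(rules: List[str], variables: Dict[str, str],
               categories: Set[int]) -> Dict[int, List[str]]:
    """Map sid -> problems for every rule that has at least one."""
    report: Dict[int, List[str]] = {}
    for rule in rules:
        problems = lint_rule(rule, variables, categories)
        if problems:
            sid_m = SID_RE.search(rule)
            report[int(sid_m.group(1)) if sid_m else -1] = problems
    return report


# Constructed inputs.  BROKEN_VARS is the HOME_NET/EXTERNAL_NET pair reported in
# the thread, with SMTP_SERVERS and DNS_SERVERS defaulting to $HOME_NET as in a
# stock suricata.yaml; FIXED_VARS is a hypothetical corrected set.  CATEGORIES
# stands in for the iprep categories file and deliberately lacks id 2520000.
BROKEN_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any",
               "SMTP_SERVERS": "$HOME_NET", "DNS_SERVERS": "$HOME_NET"}
FIXED_VARS = {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8]", "EXTERNAL_NET": "!$HOME_NET",
              "SMTP_SERVERS": "$HOME_NET", "DNS_SERVERS": "$HOME_NET"}
CATEGORIES = {2402000, 2403300, 2500000}

# Headers of four rules from the log above, with their option bodies shortened.
SAMPLE_RULES = [
    'alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; sid:2011802; rev:3;)',
    'alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; sid:2000328; rev:12;)',
    'alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic"; iprep:src,2520000,>,1; sid:2520000; rev:3543;)',
    'alert ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; iprep:src,2402000,>,1; sid:2402000; rev:5030;)',
]

if __name__ == "__main__":
    for label, variables in (("HOME_NET: any", BROKEN_VARS), ("HOME_NET: ranges", FIXED_VARS)):
        print(f"--- {label}")
        for sid, problems in lint_rules(SAMPLE_RULES, variables, CATEGORIES).items():
            print(f"sid {sid}: " + "; ".join(problems))
```

With HOME_NET set to "any" the first two rules fail exactly as in the log (the DNS rule's source and both addresses of the SMTP rule collapse to !any); with real ranges only the missing iprep category remains, which no HOME_NET change can fix.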

markeur commented 5 years ago

Hello, thank you for your answer. I tried it and I have fewer errors on rules, but some remain, like:

(DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> any any (msg:"ET CNC Shadowserver Reported CnC Server"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404026; rev:5311; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2019_03_19; iprep:dst,2404026,>,1;)" from file /etc/suricata/rules/scirius.rules at line 1807

pevma commented 5 years ago

What is the full ERR log?

markeur commented 5 years ago

This is it:

[119797] 28/3/2019 -- 02:00:30 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2404000"
[119797] 28/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> any any (msg:"ET CNC Shadowserver Reported CnC Server IP"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:5213; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_14; iprep:dst,2404000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 1806
[119797] 28/3/2019 -- 02:00:30 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2404026"
[119797] 28/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> any any (msg:"ET CNC Shadowserver Reported CnC Server"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404026; rev:5311; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2019_03_19; iprep:dst,2404026,>,1;)" from file /etc/suricata/rules/scirius.rules at line 1807
[119797] 28/3/2019 -- 02:00:30 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2404150"
[119797] 28/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> any any (msg:"ET CNC Zeus Tracker Reported CnC Server"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404150; rev:5213; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_14; iprep:dst,2404150,>,1;)" from file /etc/suricata/rules/scirius.rules at line 1808
[119797] 28/3/2019 -- 02:00:30 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2404300"
[119797] 28/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> any any (msg:"ET CNC Feodo Tracker Reported CnC Server"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,feodotracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404300; rev:5279; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2014_11_04, updated_at 2019_02_18; iprep:dst,2404300,>,1;)" from file /etc/suricata/rules/scirius.rules at line 1809
[119797] 28/3/2019 -- 02:00:30 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2404400"
[119797] 28/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip $HOME_NET any -> any any (msg:"ET CNC Ransomware Tracker Reported CnC Server"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404400; rev:5213;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_14; iprep:dst,2404400,>,1;)" from file /etc/suricata/rules/scirius.rules at line 1810
[119797] 28/3/2019 -- 02:00:30 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2400000"
[119797] 28/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2684; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_09; iprep:src,2400000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 1829
[119797] 28/3/2019 -- 02:00:34 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2520000"
[119797] 28/3/2019 -- 02:00:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520000; rev:3543; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2018_12_14; iprep:src,2520000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31662
[119797] 28/3/2019 -- 02:00:34 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2522000"
[119797] 28/3/2019 -- 02:00:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522000; rev:3543; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2018_12_14; iprep:src,2522000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31663
[119797] 28/3/2019 -- 02:00:34 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2403300"
[119797] 28/3/2019 -- 02:00:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:45659; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_14; iprep:src,2403300,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31664
[119797] 28/3/2019 -- 02:00:34 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2500000"
[119797] 28/3/2019 -- 02:00:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:4917; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_14; iprep:src,2500000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31665
[119797] 28/3/2019 -- 02:00:34 - (detect-iprep.c:297) <Error> (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2402000"
[119797] 28/3/2019 -- 02:00:34 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5030; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2018_12_14; iprep:src,2402000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 32768
[119797] 28/3/2019 -- 02:00:34 - (detect-engine-loader.c:351) <Info> (SigLoadSignatures) -- 1 rule files processed. 18199 rules successfully loaded, 11 rules failed
[119797] 28/3/2019 -- 02:00:34 - (util-threshold-config.c:1126) <Info> (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found

Thank you for your help.

pevma commented 5 years ago

I think you need to upgrade to the latest Suricata configs on SELKS5; that would take care of the iprep warnings/errors.

ProfessorManhattan commented 4 years ago

@markeur -- any chance you can post your Hyper-V config for SELKS here? I'm getting an error that says GRUB cannot be installed during the installation when using Hyper-V.