Open markeur opened 5 years ago
Hi, can you give an example of the parsing error?
Thank you
-- Regards, Peter Manev
On 25 Mar 2019, at 11:56, markeur notifications@github.com wrote:
Hello, I have been running SELKS for a few weeks, and after a few days the RAM usage grows high and Suricata regularly crashes with errors in the log like rules' "error parsing signature".
My server has the following configuration:
10 GB of RAM, 2 vCPUs, running on a Hyper-V hypervisor. Please can you help me.
Hi, please find below a part of my suricata.log
23/3/2019 -- 02:00:30 - (detect-engine-address.c:1151)
thank you for your help
What is the definition of HOME_NET / EXTERNAL_NET in your /etc/suricata/selks5-addins.yaml?
-- Regards, Peter Manev
On 26 Mar 2019, at 02:25, markeur notifications@github.com wrote:
Hi, please find below a part of my suricata.log

```
23/3/2019 -- 02:00:30 - (detect-engine-address.c:1151) (DetectAddressMergeNot) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:3; metadata:created_at 2010_10_12, updated_at 2010_10_12;)" from file /etc/suricata/rules/scirius.rules at line 24028
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-address.c:1151) (DetectAddressMergeNot) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/scirius.rules at line 25662
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-address.c:1151) (DetectAddressMergeNot) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Complete IP space negated. Rule address range is NIL. Probably have a !any or an address range that supplies a NULL address range
[27517] 23/3/2019 -- 02:00:30 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)" from file /etc/suricata/rules/scirius.rules at line 25682
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2520000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2520000; rev:3543; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2018_12_14; iprep:src,2520000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31644
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2522000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522000; rev:3543; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2018_12_14; iprep:src,2522000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31645
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2403300"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:45659; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_14; iprep:src,2403300,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31646
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2500000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:4917; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_14; iprep:src,2500000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 31647
[27517] 23/3/2019 -- 02:00:31 - (detect-iprep.c:297) (DetectIPRepSetup) -- [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - unknown iprep category "2402000"
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:184) (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5030; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2018_12_14; iprep:src,2402000,>,1;)" from file /etc/suricata/rules/scirius.rules at line 32750
[27517] 23/3/2019 -- 02:00:31 - (detect-parse.c:1925) <Info> (SigInit) -- Rule with ID 2001259 is bidirectional, but source and destination are the same, treating the rule as unidirectional
[27517] 23/3/2019 -- 02:00:31 - (detect-parse.c:1925) <Info> (SigInit) -- Rule with ID 2001805 is bidirectional, but source and destination are the same, treating the rule as unidirectional
[27517] 23/3/2019 -- 02:00:31 - (detect-parse.c:1925) <Info> (SigInit) -- Rule with ID 2009375 is bidirectional, but source and destination are the same, treating the rule as unidirectional
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-loader.c:351) (SigLoadSignatures) -- 1 rule files processed. 18190 rules successfully loaded, 14 rules failed
[27517] 23/3/2019 -- 02:00:31 - (util-threshold-config.c:1126) (SCThresholdConfParseFile) -- Threshold config parsed: 0 rule(s) found
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-build.c:1427) (SigAddressPrepareStage1) -- 18192 signatures processed. 3 are IP-only rules, 6274 are inspecting packet payload, 14167 inspect application layer, 0 are decoder event only
[27517] 23/3/2019 -- 02:00:31 - (detect-engine-build.c:1170) (RulesGroupByPorts) -- [ERRCODE: SC_WARN_POOR_RULE(276)] - rule 3700003: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction
[27517] 23/3/2019 -- 02:00:41 - (util-runmodes.c:297) <Info> (RunModeSetLiveCaptureWorkersForDevice) -- Going to use 3 thread(s)
[27517] 23/3/2019 -- 02:00:41 - (util-conf.c:115) (ConfUnixSocketIsEnable) -- Running in live mode, activating unix socket
[27517] 23/3/2019 -- 02:00:41 - (unix-manager.c:131) (UnixNew) -- Using unix socket file '/var/run/suricata/suricata-command.socket'
[27517] 23/3/2019 -- 02:00:41 - (tm-threads.c:2172) (TmThreadWaitOnThreadInit) -- all 3 packet processing threads, 4 management threads initialized, engine started.
[27526] 23/3/2019 -- 02:00:41 - (source-af-packet.c:509) (AFPPeersListReachedInc) -- All AFP capture threads are running.
[164333] 24/3/2019 -- 02:00:40 - (suricata.c:1085) (LogVersion) -- This is Suricata version 4.1.0-dev (rev 3eec088d)
[164333] 24/3/2019 -- 02:00:40 - (util-cpu.c:171) (UtilCpuPrintSummary) -- CPUs/cores online: 3
[164333] 24/3/2019 -- 02:00:40 - (util-pidfile.c:133) <Error> (SCPidfileTestRunning) -- [ERRCODE: SC_ERR_INITIALIZATION(45)] - pid file '/var/run/suricata.pid' exists but appears stale. Make sure Suricata is not running and then remove /var/run/suricata.pid. Aborting!
```

thank you for your help
Hello, I can't find any HOME_NET / EXTERNAL_NET in my /etc/suricata/selks5-addins.yaml, so I give you those I defined in /etc/suricata/suricata.yaml:

```yaml
HOME_NET: "any"
EXTERNAL_NET: "any"
```
That can account for some of the errors, as you have rules basically saying “alert !$HOME_NET”, which translates to an impossible condition -> !any (not any). HOME_NET should be defined as what your internal/home network range is.
-- Regards, Peter Manev
On 26 Mar 2019, at 07:04, markeur notifications@github.com wrote:
Hello, I can't find any HOME_NET / EXTERNAL_NET in my /etc/suricata/selks5-addins.yaml, so I give you those I defined in /etc/suricata/suricata.yaml:

```yaml
HOME_NET: "any"
EXTERNAL_NET: "any"
```
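Why HOME_NET: "any" makes exactly those three rules unloadable is easiest to see by running the address expansion by hand. The script below is an added example written for this thread, not Suricata's own detect-engine-address.c: it re-implements the negation logic for the address shapes that appear in the quoted rules (any, CIDR/host, $VAR, !X, [a,b], ![a,b]), IPv4 only. The RFC 1918 ranges in FIXED_VARS, the SMTP_SERVERS/DNS_SERVERS defaults and the trimmed rule headers are constructed for the example.

```python
"""Model of Suricata address-variable expansion (added example, not Suricata code).

Covers the address shapes used by the rules in the log above: any, CIDR/host,
$VAR, !X, [a,b,...] and ![a,b,...]. IPv4 only, to keep it short.
"""
import ipaddress

ALL_V4 = ipaddress.ip_network("0.0.0.0/0")

# What the reporter posted: everything is "any". SMTP_SERVERS/DNS_SERVERS are
# derived from HOME_NET as in the stock suricata.yaml.
WEAK_VARS = {
    "HOME_NET": "any",
    "EXTERNAL_NET": "any",
    "SMTP_SERVERS": "$HOME_NET",
    "DNS_SERVERS": "$HOME_NET",
}
# A concrete HOME_NET (RFC 1918 ranges, chosen for the example).
FIXED_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
    "SMTP_SERVERS": "$HOME_NET",
    "DNS_SERVERS": "$HOME_NET",
}


def split_top_level(spec):
    """Split 'a,[b,c],d' on the commas that are not inside brackets."""
    parts, cur, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def expand(spec, variables, negate=False):
    """Return (positive_nets, negated_nets) for one address spec.

    '!' flips the sense of everything beneath it, so '!$EXTERNAL_NET' with
    EXTERNAL_NET "!$HOME_NET" comes back as the positive HOME_NET ranges.
    """
    spec = spec.strip()
    if spec.startswith("!"):
        return expand(spec[1:], variables, not negate)
    if spec.startswith("$"):
        name = spec[1:]
        if name not in variables:
            raise ValueError(f"undefined address variable ${name}")
        return expand(variables[name], variables, negate)
    if spec.startswith("[") and spec.endswith("]"):
        pos, neg = [], []
        for item in split_top_level(spec[1:-1]):
            p, n = expand(item, variables, negate)
            pos.extend(p)
            neg.extend(n)
        return pos, neg
    net = ALL_V4 if spec == "any" else ipaddress.ip_network(spec, strict=False)
    return ([], [net]) if negate else ([net], [])


def subtract(nets, excluded):
    """Remove one network from a list of networks."""
    out = []
    for net in nets:
        if excluded.supernet_of(net):      # fully covered (or equal): drop it
            continue
        if net.supernet_of(excluded):      # strictly inside: punch a hole
            out.extend(net.address_exclude(excluded))
        else:                              # disjoint: keep as is
            out.append(net)
    return out


def resolve(spec, variables):
    """Concrete ranges the spec matches; [] is the NIL range Suricata rejects."""
    pos, neg = expand(spec, variables)
    result = pos if pos else [ALL_V4]      # only negations: start from everything
    for net in neg:
        result = subtract(result, net)
    return list(ipaddress.collapse_addresses(result))


def check_rule_header(rule, variables):
    """List the src/dst problems Suricata would report for one rule."""
    _action, _proto, src, _sport, _dir, dst, _dport = rule.split("(", 1)[0].split()
    problems = []
    for field, spec in (("source", src), ("destination", dst)):
        if not resolve(spec, variables):
            problems.append(f"{field} {spec!r}: complete IP space negated (NIL range)")
    return problems


# Constructed headers of two rules from the log above (options trimmed) plus a
# control rule that loads with either variable set.
RULES = [
    'alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS"; sid:2011802;)',
    'alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY"; sid:2000328;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"control"; sid:1000001;)',
]

if __name__ == "__main__":
    for label, variables in (("HOME_NET any", WEAK_VARS), ("HOME_NET RFC1918", FIXED_VARS)):
        print(f"== {label}")
        for rule in RULES:
            problems = check_rule_header(rule, variables)
            print("  FAIL" if problems else "  ok  ", rule.split("(")[0].strip())
            for p in problems:
                print("        ", p)
```

With WEAK_VARS the source field of both ET rules resolves to the empty range (any minus any), which is the "Complete IP space negated" condition in the log; with a concrete HOME_NET the same headers resolve to real ranges and the control rule loads either way. The authoritative check is Suricata's own test mode, `suricata -T -c /etc/suricata/suricata.yaml`, which loads the rules against the real variables and fails on the same errors before the engine starts.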
Hello, thank you for your answer. I tried it and I have fewer errors on rules, but there are still some like:
What is the full ERR log?
This is:
[119797] 28/3/2019 -- 02:00:30 - (detect-iprep.c:297)
thank you for your help
I think you need to upgrade to the latest Suricata configs on SELKS5; that would take care of the iprep warnings/errors.
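The remaining failures are a different problem from the HOME_NET one: each of those rules uses the `iprep` keyword with a category name ("2520000", "2402000", ...) that is not present in the file Suricata loads from `reputation-categories-file`, so DetectIPRepSetup rejects the rule before it is loaded. The following script is an added example written for this thread, not SELKS or Suricata code: it parses a categories file in the documented `<id>,<short name>,<description>` format and lists every rule whose iprep category is unknown. The rules and both category files are constructed; the "ET-aware" file is an assumption about what a file that satisfies these rules would need to contain.

```python
"""Pre-flight check for Suricata iprep rules (added example, not Suricata/SELKS code).

Category file format: <id>,<short name>,<description>, '#' comments allowed.
Rule keyword:         iprep:<src|dst|both|any>,<category>,<op>,<score>
"""
import re

IPREP_RE = re.compile(
    r"iprep\s*:\s*(src|dst|both|any)\s*,\s*([^,]+)\s*,\s*([<>=]+)\s*,\s*(\d+)"
)
SID_RE = re.compile(r"sid\s*:\s*(\d+)")


def parse_categories(text):
    """Map short name -> id from categories.txt content."""
    cats = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",", 2)]
        if len(fields) != 3 or not fields[0].isdigit():
            raise ValueError(
                f"categories line {lineno}: expected <id>,<short name>,<description>"
            )
        cats[fields[1]] = int(fields[0])
    return cats


def check_iprep_rules(rules_text, categories):
    """Return [(sid, category)] for every iprep rule naming an unknown category."""
    missing = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = IPREP_RE.search(line)
        if not match:
            continue                      # rule has no iprep keyword; nothing to check
        category = match.group(2).strip()
        if category not in categories:
            sid = SID_RE.search(line)
            missing.append((int(sid.group(1)) if sid else None, category))
    return missing


# Constructed rules using the same iprep categories as two of the failing ET
# rules in the log above (options trimmed), plus one rule without iprep.
RULES = """
alert tcp any any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic"; sid:2520000; iprep:src,2520000,>,1;)
alert ip any any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source"; sid:2402000; iprep:src,2402000,>,1;)
alert tcp $HOME_NET any -> any any (msg:"no iprep here"; sid:1000001;)
"""

# A categories file that knows only one generic category (constructed).
STOCK_CATEGORIES = """
# id,short name,description
1,BadHosts,Known bad hosts
"""

# A categories file whose short names match the categories the rules use
# (constructed; assumption about what a matching file needs to contain).
ET_CATEGORIES = """
1,BadHosts,Known bad hosts
2520000,2520000,ET TOR exit nodes
2402000,2402000,ET DROP Dshield block list
"""

if __name__ == "__main__":
    for label, cats_text in (("stock", STOCK_CATEGORIES), ("ET-aware", ET_CATEGORIES)):
        missing = check_iprep_rules(RULES, parse_categories(cats_text))
        print(f"{label}: {len(missing)} rule(s) reference unknown iprep categories")
        for sid, category in missing:
            print(f"  sid {sid}: unknown iprep category {category!r}")
```

Run against the stock file it reports the two ET rules, matching the `unknown iprep category` lines in the log; against the file that defines those categories it reports nothing. The same check applied to the deployed categories file tells you whether a config update actually fixed the iprep rules or only the HOME_NET ones.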
@markeur -- any chance you can post your Hyper-V config for SELKS here? I'm getting an error that says GRUB cannot be installed during the installation when using Hyper-V.