StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Unable add source #106

Closed esmelnikov closed 7 years ago

esmelnikov commented 7 years ago

Hello! After removing the source of "ETOpen Ruleset" due to errors:

SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv4.frag_too_large"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:" SURICATA FRAG IPv4 Packet size too large "; decode-event: ipv4.frag_too_large; sid: 2200069; rev: 1;)"
SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv6.frag_too_large"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:" SURICATA FRAG IPv6 Packet size too large "; decode-event: ipv6.frag_too_large; sid: 2200071; rev: 1;)"

I'm trying to add this source again, but I get the following error:

add source error

How to fix the error?
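The errors quoted above come from Suricata refusing two ETOpen decoder rules whose decode-event keyword the installed engine does not know. As an added example (not code from the issue or from Scirius), the following Python checks a rules file against the set of decode events the local sensor supports and comments out the offending sids so the rest of the ruleset still loads; the sample rule lines are reconstructed from the error output, the third rule and the SUPPORTED_EVENTS set are constructed assumptions.

```python
import re

# Rule lines as quoted in the issue's error output, plus one constructed rule
# with an event the sample sensor does accept (constructed sample input).
RULES = """\
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)
alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)
alert pkthdr any any -> any any (msg:"EXAMPLE IPv4 invalid option"; decode-event:ipv4.opt_invalid; sid:9900001; rev:1;)
"""

# Decode events the running Suricata accepts. This set is an assumption for the
# example; on a real sensor derive it from the installed version's decoder-event
# documentation or keyword listing rather than hard-coding it.
SUPPORTED_EVENTS = {"ipv4.opt_invalid", "ipv4.pkt_too_small", "ipv6.pkt_too_small"}

_DECODE_RE = re.compile(r"decode-event\s*:\s*([A-Za-z0-9_.]+)\s*;")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def find_unsupported(rules_text, supported):
    """Return [(sid, event)] for active rules whose decode-event is unknown to the sensor."""
    bad = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or already disabled
        m = _DECODE_RE.search(line)
        if m is None:
            continue  # not a decoder rule
        sid_m = _SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        if m.group(1) not in supported:
            bad.append((sid, m.group(1)))
    return bad


def disable_rules(rules_text, sids):
    """Comment out the listed sids so Suricata stops rejecting the file."""
    out = []
    for line in rules_text.splitlines():
        sid_m = _SID_RE.search(line)
        if sid_m and int(sid_m.group(1)) in sids and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Running find_unsupported on the sample reports sids 2200069 and 2200071, the same two signatures the error output names; after disable_rules the check returns nothing.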

stamus commented 7 years ago

On 30 Apr 2017, at 09:30, Eduard notifications@github.com wrote:

Hello! After removing the source of "ETOpen Ruleset" due to errors:

SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv4.frag_too_large"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:" SURICATA FRAG IPv4 Packet size too large "; decode-event: ipv4.frag_too_large; sid: 2200069; rev: 1;)"
SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv6.frag_too_large"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:" SURICATA FRAG IPv6 Packet size too large "; decode-event: ipv6.frag_too_large; sid: 2200071; rev: 1;)"

I'm trying to add this source again, but I get the following error:

How to fix the error?

Does the ETOpen ruleset page open from your browser? It looks like it may have been temporarily down ...

esmelnikov commented 7 years ago

The source "ETOpen Ruleset" was available in the browser, but it still could not be updated. If you remove the source before upgrading to SELKS 4, then there is no problem with the subsequent addition.

pevma commented 7 years ago

You can still remove it and add it in after the SELKS 4 upgrade correct?

esmelnikov commented 7 years ago

No, I deleted and created the source before upgrading to SELKS 4. After the update, I could not do it. But if you re-create the source in SELKS 3, then in SELKS 4 you can work with this source without problems, i.e. delete it and create a new one.

pevma commented 7 years ago

Thank you for the feedback!