StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Ruleset has errors #96

Closed VN1977 closed 7 years ago

VN1977 commented 7 years ago

Hello! I updated Suricata to 3.2, then changed the path in the ETOpen Ruleset source to https://rules.emergingthreats.net/open/suricata-3.2/emerging.rules.tar.gz. But I still have warnings:

    SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv4.frag_too_large"
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)"
    SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv6.frag_too_large"
    SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)"

What's wrong?

pevma commented 7 years ago

I think it is a known issue for our update part. Did you update the ruleset?

VN1977 commented 7 years ago

Yes, I did it, but the same error.

regit commented 7 years ago

@VN1977 You may have a too old Suricata. What version are you running?

VN1977 commented 7 years ago

It was 3.1 and I updated to 3.2.

pevma commented 7 years ago

I think the ruleset was updated in a way that does not include the decoder event rules, and those are left over from that point in time. The decoder event rules in general are distributed with the Suricata source.

What you can do as a test is to delete/remove the ruleset and the source and recreate them again and see if you get the same error. If not, you can just upload the decoder event rules manually.

VN1977 commented 7 years ago

Hello! I deleted and created ETOpen Ruleset again. It works! No errors any more. Thank you!
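As an added example (not code from the issue or from Scirius), here is a small Python script that takes Suricata's rule-loading errors, like the ones quoted above, pairs each rejected signature with the unknown decode event reported just before it, and extracts the sid/rev/msg from the rule text. This gives a quick list of which decoder-event rules a given Suricata build rejects, so they can be checked against the version the ruleset was built for. The log text is constructed from the lines in this issue.

```python
import re

# Constructed sample: the Suricata load errors quoted in the issue above.
SAMPLE_LOG = """\
SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv4.frag_too_large"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv4 Packet size too large"; decode-event:ipv4.frag_too_large; sid:2200069; rev:1;)"
SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "decoder.ipv6.frag_too_large"
SC_ERR_INVALID_SIGNATURE: error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_too_large; sid:2200071; rev:1;)"
"""

# Log line shapes as emitted by Suricata when a signature fails to parse.
SIG_ERR = re.compile(r'SC_ERR_INVALID_SIGNATURE: error parsing signature "(?P<rule>.*)"$')
UNKNOWN_EVENT = re.compile(r'SC_ERR_UNKNOWN_DECODE_EVENT: unknown decode event "(?P<event>[^"]+)"')
# One "key:value;" option inside the rule's parentheses; quoted values may contain ';'.
OPTION = re.compile(r'(?P<key>[a-zA-Z_-]+)\s*:\s*(?P<value>"[^"]*"|[^;]*);')


def parse_rule_options(rule):
    """Return the option dict from the (...) part of a Suricata rule."""
    start, end = rule.index("("), rule.rindex(")")
    opts = {}
    for m in OPTION.finditer(rule[start + 1:end]):
        opts[m.group("key")] = m.group("value").strip().strip('"')
    return opts


def failed_decode_event_rules(log_text):
    """Pair each rejected signature with the unknown decode event logged before it."""
    pending_event = None
    results = []
    for line in log_text.splitlines():
        m = UNKNOWN_EVENT.search(line)
        if m:
            pending_event = m.group("event")
            continue
        m = SIG_ERR.search(line)
        if m:
            opts = parse_rule_options(m.group("rule"))
            results.append({
                "sid": int(opts.get("sid", 0)),
                "rev": int(opts.get("rev", 0)),
                "decode_event": opts.get("decode-event"),
                "unknown_event": pending_event,
                "msg": opts.get("msg"),
            })
            pending_event = None
    return results


if __name__ == "__main__":
    for r in failed_decode_event_rules(SAMPLE_LOG):
        print(f"sid {r['sid']} rev {r['rev']}: {r['msg']} (event {r['unknown_event']})")
```

Feed it the output of `suricata -T -c suricata.yaml` (or the engine log) to list every decoder-event rule the running build rejects.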