Project

General

Profile

Actions

Bug #3382

closed

suricata-update will enable smb-events for non-Rust builds (1.0.x)

Added by Jason Ish about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Suricata-Update will enable smb-events.rules because smb is enabled in the yaml. However those rules only work for the Rust enabled version of Suricata.

This will lead to -T failure.

2019-10-24 10:51:39,332 - <INFO> - Using data-directory /var/lib/suricata.
2019-10-24 10:51:39,332 - <INFO> - Using Suricata configuration /etc/suricata/suricata.yaml
2019-10-24 10:51:39,332 - <INFO> - Using /etc/suricata/rules for Suricata provided rules.
2019-10-24 10:51:39,337 - <INFO> - Found Suricata version 4.1.5 at /usr/bin/suricata.
2019-10-24 10:51:39,337 - <INFO> - Loading /etc/suricata/suricata.yaml
2019-10-24 10:51:39,343 - <INFO> - Disabling rules with proto krb5
2019-10-24 10:51:39,343 - <INFO> - Disabling rules with proto nfs
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto tftp
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto modbus
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto dnp3
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto enip
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto ntp
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto dhcp
2019-10-24 10:51:39,344 - <INFO> - No sources configured, will use Emerging Threats Open
2019-10-24 10:51:39,344 - <INFO> - Fetching https://rules.emergingthreats.net/open/suricata-4.1.5/emerging.rules.tar.gz.
2019-10-24 10:51:41,007 - <INFO> - Done.
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/decoder-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/dns-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/files.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/http-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/modbus-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/nfs-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/ntp-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/smb-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/smtp-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/stream-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/tls-events.rules
2019-10-24 10:51:41,080 - <INFO> - Ignoring file rules/emerging-deleted.rules
2019-10-24 10:51:42,573 - <INFO> - Loaded 25511 rules.
2019-10-24 10:51:42,991 - <INFO> - Disabled 20 rules.
2019-10-24 10:51:42,992 - <INFO> - Enabled 0 rules.
2019-10-24 10:51:42,992 - <INFO> - Modified 0 rules.
2019-10-24 10:51:42,992 - <INFO> - Dropped 0 rules.
2019-10-24 10:51:43,144 - <INFO> - Enabled 42 rules for flowbit dependencies.
2019-10-24 10:51:43,144 - <INFO> - Backing up current rules.
2019-10-24 10:51:43,167 - <INFO> - Writing rules to /var/lib/suricata/rules/suricata.rules: total: 25511; enabled: 20461; added: 25511; removed 0; modified: 0
2019-10-24 10:51:43,375 - <INFO> - Testing with suricata -T.
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed request data"; flow:to_server; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25377
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed response data"; flow:to_client; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25378
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Encryption)"; flow:to_client; app-layer-event:ikev2.weak_crypto_enc; classtype:protocol-command-decode; sid:2224002; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25379
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25380
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Auth)"; flow:to_client; app-layer-event:ikev2.weak_crypto_auth; classtype:protocol-command-decode; sid:2224004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 25381
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_dh; classtype:protocol-command-decode; sid:2224005; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 25382
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no Diffie-Hellman exchange parameters"; flow:to_client; app-layer-event:ikev2.weak_crypto_nodh; classtype:protocol-command-decode; sid:2224006; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25383
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no authentication"; flow:to_client; app-layer-event:ikev2.weak_crypto_noauth; classtype:protocol-command-decode; sid:2224007; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25384
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no encryption (AH)"; flow:to_client; app-layer-event:ikev2.no_encryption; classtype:protocol-command-decode; sid:2224008; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25385
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal"; flow:to_server; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224009; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25386
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal selected"; flow:to_client; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224010; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25387
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal"; flow:to_server; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224011; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25388
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal selected"; flow:to_client; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224012; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25389
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_server; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25405
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_client; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25406
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request data"; flow:to_server; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225002; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25407
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25408
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_ntlmssp_request" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25409
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "negotiate_malformed_dialects" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25410
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
2019-10-24 10:51:44,254 - <ERROR> - Suricata test failed, aborting.

The ikev2 errors are tracked in #3279


Related issues 1 (0 open1 closed)

Copied from Suricata-Update - Bug #3280: suricata-update will enable smb-events for non-Rust buildsClosedJason IshActions
Actions #1

Updated by Jason Ish about 5 years ago

  • Copied from Bug #3280: suricata-update will enable smb-events for non-Rust builds added
Actions #2

Updated by Victor Julien about 5 years ago

  • Subject changed from suricata-update will enable smb-events for non-Rust builds (1.0x) to suricata-update will enable smb-events for non-Rust builds (1.0.x)
Actions #3

Updated by Jason Ish about 5 years ago

  • Status changed from New to Closed

Merged into 1.0.x and released with 1.0.6.

Actions

Also available in: Atom PDF