Bug #4402

closed

SC_ERR_UNKNOWN_VALUE(129)

Added by Jesus Padro almost 4 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Current installed Suricata version is 5.0.5
Updated the rules and received the following notifications.
20/3/2021 -- 07:48:49 - <Notice> - This is Suricata version 5.0.5 RELEASE running in SYSTEM mode
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - Unified2 alert has been deprecated and will be removed by December 2019.
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:817 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:930 uses unknown classtype: "pup-activity", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:1794 uses unknown classtype: "coin-mining", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:3875 uses unknown classtype: "exploit-kit", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:4899 uses unknown classtype: "targeted-activity", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:4979 uses unknown classtype: "credential-theft", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:8194 uses unknown classtype: "social-engineering", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:8322 uses unknown classtype: "domain-c2", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:8777 uses unknown classtype: "external-ip-check", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:50 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address "2001:41"
20/3/2021 -- 07:48:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000] any > $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 377"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:4374; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2021_03_19;)" from file /etc/nsm/rules/downloaded.rules at line 31906
20/3/2021 -- 07:48:54 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

Looking for these lines within the downloaded.rules file, I see that most are already commented out. So why are they still being identified within the suricata.log file as being an Error if they are commented out?
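Added example (not from the ticket or the Suricata project): a small Python triage script run over a constructed copy of the log lines above. It pulls the rules file and line number out of each SC_ERR_UNKNOWN_VALUE / SC_ERR_INVALID_SIGNATURE message, finds which tokens of a rule's address list cannot be parsed (here "2001:41", a truncated IPv6 address), and reports whether a referenced line is commented out in the copy of the rules file on disk; since Suricata does not parse commented lines, a warning that points at a commented line indicates the file on disk is no longer the copy that was loaded (rule updates rewrite it). The regexes and the four-line sample rules file are my own assumptions, matched to the message formats quoted in this report.

```python
import ipaddress
import re
# Constructed, abbreviated copy of the suricata.log lines quoted in this report.
SAMPLE_LOG = """\
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:817 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:50 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address "2001:41"
20/3/2021 -- 07:48:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [200.122.181.101,2001:41] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 377"; sid:2522376; rev:4374;)" from file /etc/nsm/rules/downloaded.rules at line 31906
"""
# Constructed four-line rules file: line 2 is commented out, line 3 is blank.
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"a"; sid:1;)
# alert tcp any any -> any any (msg:"b"; sid:2;)

alert ip any any -> any any (msg:"c"; sid:3;)
"""
# One pattern per ERRCODE seen in the log (assumed formats); groups file/line/value are optional.
PATTERNS = {
    "SC_ERR_UNKNOWN_VALUE": re.compile(r'signature at (?P<file>\S+):(?P<line>\d+) uses unknown classtype: "(?P<value>[^"]+)"'),
    "SC_ERR_ADDRESS_ENGINE_GENERIC": re.compile(r'failed to parse address "(?P<value>[^"]+)"'),
    "SC_ERR_INVALID_SIGNATURE": re.compile(r'error parsing signature ".*" from file (?P<file>\S+) at line (?P<line>\d+)$'),
}
def parse_log(text):
    """Return (errcode, file, line, value) for each rule-loading problem found in the log text."""
    findings = []
    for raw in text.splitlines():
        for code, rx in PATTERNS.items():
            m = rx.search(raw)
            if m and f"[ERRCODE: {code}(" in raw:   # pattern must agree with the ERRCODE tag
                g = m.groupdict()
                findings.append((code, g.get("file"), int(g["line"]) if "line" in g else None, g.get("value")))
                break
    return findings
def invalid_address_tokens(addr_list):
    """Tokens of a rule's [a,b,...] address list that are not valid IPs/CIDRs (e.g. "2001:41")."""
    bad = []
    for tok in addr_list.strip("[]").split(","):
        tok = tok.strip().lstrip("!")   # a leading "!" negates the entry; it is not part of the address
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            bad.append(tok)
    return bad
def commented_at(rules_text, line_no):
    """True if 1-based line_no is blank or a '#' comment (skipped by Suricata); None if past EOF."""
    lines = rules_text.splitlines()
    if not 1 <= line_no <= len(lines):
        return None
    s = lines[line_no - 1].strip()
    return s == "" or s.startswith("#")
```

Run it against the real suricata.log and the rules file the log names; a None or True from commented_at for a line the log complains about means the line numbers no longer line up with the file you are reading.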
