23/10/2019 -- 13:16:08 - -- Using data-directory /usr/local/var/lib/suricata.
23/10/2019 -- 13:16:08 - -- Using Suricata configuration /usr/local/etc/suricata/suricata.yaml
23/10/2019 -- 13:16:08 - -- Using /usr/local/share/suricata/rules for Suricata provided rules.
23/10/2019 -- 13:16:08 - -- Found Suricata version 4.1.4 at /usr/local/bin/suricata.
23/10/2019 -- 13:16:08 - -- Loading /usr/local/etc/suricata/suricata.yaml
23/10/2019 -- 13:16:08 - -- Disabling rules with proto dhcp
23/10/2019 -- 13:16:08 - -- Disabling rules with proto tftp
23/10/2019 -- 13:16:08 - -- Disabling rules with proto krb5
23/10/2019 -- 13:16:08 - -- Disabling rules with proto ntp
23/10/2019 -- 13:16:08 - -- Disabling rules with proto modbus
23/10/2019 -- 13:16:08 - -- Disabling rules with proto enip
23/10/2019 -- 13:16:08 - -- Disabling rules with proto dnp3
23/10/2019 -- 13:16:08 - -- Disabling rules with proto nfs
23/10/2019 -- 13:16:08 - -- Fetching https://rules.emergingthreats.net/open/suricata-4.1.4/emerging.rules.tar.gz.
23/10/2019 -- 13:16:08 - -- Failed to fetch https://rules.emergingthreats.net/open/suricata-4.1.4/emerging.rules.tar.gz:
23/10/2019 -- 13:16:08 - -- Fetching https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules.
23/10/2019 -- 13:16:09 - -- Failed to fetch https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules:
23/10/2019 -- 13:16:09 - -- Fetching https://security.etnetera.cz/feeds/etn_aggressive.rules.
23/10/2019 -- 13:16:09 - -- Failed to fetch https://security.etnetera.cz/feeds/etn_aggressive.rules:
23/10/2019 -- 13:16:09 - -- Last download less than 15 minutes ago. Not downloading https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.
23/10/2019 -- 13:16:09 - -- Fetching https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz.
23/10/2019 -- 13:16:09 - -- Failed to fetch https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz:
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/app-layer-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/decoder-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/dnp3-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/dns-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/files.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/http-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/ipsec-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/kerberos-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/modbus-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/nfs-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/ntp-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/smb-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/smtp-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/stream-events.rules
23/10/2019 -- 13:16:09 - -- Loading distribution rule file /usr/local/share/suricata/rules/tls-events.rules
23/10/2019 -- 13:16:09 - -- Loaded 359 rules.
23/10/2019 -- 13:16:09 - -- Disabled 20 rules.
23/10/2019 -- 13:16:09 - -- Enabled 0 rules.
23/10/2019 -- 13:16:09 - -- Modified 0 rules.
23/10/2019 -- 13:16:09 - -- Dropped 0 rules.
23/10/2019 -- 13:16:09 - -- Enabled 0 rules for flowbit dependencies.
23/10/2019 -- 13:16:09 - -- Backing up current rules.
23/10/2019 -- 13:16:09 - -- Writing rules to /usr/local/var/lib/suricata/rules/suricata.rules: total: 359; enabled: 298; added: 34; removed 0; modified: 0
23/10/2019 -- 13:16:09 - -- Testing with suricata -T.
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_server; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225000; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 30
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no Diffie-Hellman exchange parameters"; flow:to_client; app-layer-event:ikev2.weak_crypto_nodh; classtype:protocol-command-decode; sid:2224006; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 32
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal selected"; flow:to_client; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224010; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 61
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 74
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Auth)"; flow:to_client; app-layer-event:ikev2.weak_crypto_auth; classtype:protocol-command-decode; sid:2224004; rev:2;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 87
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no encryption (AH)"; flow:to_client; app-layer-event:ikev2.no_encryption; classtype:protocol-command-decode; sid:2224008; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 114
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 124
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed response data"; flow:to_client; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224001; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 126
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_ntlmssp_request" registered
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 138
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_client; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225001; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 178
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no authentication"; flow:to_client; app-layer-event:ikev2.weak_crypto_noauth; classtype:protocol-command-decode; sid:2224007; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 180
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal"; flow:to_server; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224011; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 207
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal selected"; flow:to_client; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224012; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 222
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_dh; classtype:protocol-command-decode; sid:2224005; rev:2;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 236
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal"; flow:to_server; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224009; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 265
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Encryption)"; flow:to_client; app-layer-event:ikev2.weak_crypto_enc; classtype:protocol-command-decode; sid:2224002; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 279
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "negotiate_malformed_dialects" registered
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 294
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request data"; flow:to_server; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225002; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 332
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed request data"; flow:to_server; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224000; rev:1;)" from file /usr/local/var/lib/suricata/rules/suricata.rules at line 334
23/10/2019 -- 13:16:09 - -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
23/10/2019 -- 13:16:09 - -- Suricata test failed, aborting.
23/10/2019 -- 13:16:09 - -- Restoring previous rules.