Bug #1663

closed

Rule paths issue - Windows

Added by James Sevie over 8 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,

I've installed the most recent version on a Windows Server 2012 deployment. The installation gave out a couple of path errors which were due to double backslashes. However, I'm now receiving more path errors for rules. I can see the issue is double backslashing, but I have no idea how or where to address this issue. I've checked the yaml file as well as all configuration files, but there's nothing about rule paths.

Can anyone help out with this?

OUTPUT:
C:\Program Files (x86)\Suricata>suricata c suricata.yaml -s signatures.rules -i eth0
cygwin warning:
MS-DOS style path detected: C:\Program Files (x86)\Suricata\log
Preferred POSIX equivalent is: /Suricata/log
CYGWIN environment variable option "nodosfilewarning" turns off this warning.
Consult the user's guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\botcc.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\ciarmy.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\compromised.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\drop.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\dshield.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-activex.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-attack_response.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-chat.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-current_events.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-dns.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-dos.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-exploit.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-ftp.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-games.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-icmp_info.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-icmp.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-imap.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-inappropriate.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-malware.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-misc.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-mobile_malware.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-netbios.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-p2p.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-policy.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-pop3.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-rpc.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-scada.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-scan.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-shellcode.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-smtp.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-snmp.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-sql.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-telnet.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-tftp.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-trojan.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-user_agents.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-voip.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-web_client.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-web_server.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-web_specific_apps.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\emerging-worm.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\rbn-malvertisers.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\rbn.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\tor.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\decoder-events.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\stream-events.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\http-events.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\smtp-events.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file C:\Program Files (x86)\Suricata\rules\\dns-events.rule: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] - opening rule file signatures.rules: No such file or directory.
7/1/2016 -- 15:04:15 - <Error> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 50 rule files specified, but no rule was loaded at all!
7/1/2016 -- 15:04:16 - <Error> - [ERRCODE: SC_ERR_PCAP_ACTIVATE_HANDLE(27)] - Couldn't activate the pcap handler, error Error opening adapter: The system cannot find the device specified. (20)
7/1/2016 -- 15:04:16 - <Error> - [ERRCODE: SC_ERR_THREAD_INIT(49)] - thread "RxPcapeth01" closed on initialization.
7/1/2016 -- 15:04:16 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Engine initialization failed, aborting...

C:\Program Files (x86)\Suricata>

Actions #1

Updated by Peter Manev over 8 years ago

Do you have rules in the rules directory?

Actions #2

Updated by James Sevie over 8 years ago

I do indeed.

Actions #3

Updated by James Sevie over 8 years ago

decoder-events.rules
dns-events.rules
files.rules
http-events.rules
smtp-events.rules
stream.events.rules
tls-events.rules

There are no ET rule sets but regardless, there are still pathing errors even for the rules that are present.

default-rule-path: C:\Program Files (x86)\Suricata\rules
rule-files:
- botcc.rules
- ciarmy.rules
- compromised.rules
- drop.rules
- dshield.rules
- emerging-activex.rules
- emerging-attack_response.rules
- emerging-chat.rules
- emerging-current_events.rules
- emerging-dns.rules
- emerging-dos.rules
- emerging-exploit.rules
- emerging-ftp.rules
- emerging-games.rules
- emerging-icmp_info.rules
- emerging-icmp.rules
- emerging-imap.rules
- emerging-inappropriate.rules
- emerging-malware.rules
- emerging-misc.rules
- emerging-mobile_malware.rules
- emerging-netbios.rules
- emerging-p2p.rules
- emerging-policy.rules
- emerging-pop3.rules
- emerging-rpc.rules
- emerging-scada.rules
- emerging-scan.rules
- emerging-shellcode.rules
- emerging-smtp.rules
- emerging-snmp.rules
- emerging-sql.rules
- emerging-telnet.rules
- emerging-tftp.rules
- emerging-trojan.rules
- emerging-user_agents.rules
- emerging-voip.rules
- emerging-web_client.rules
- emerging-web_server.rules
- emerging-web_specific_apps.rules
- emerging-worm.rules
- rbn-malvertisers.rules
- rbn.rules
- tor.rules
- decoder-events.rules # available in suricata sources under rules dir
- stream-events.rules # available in suricata sources under rules dir
- http-events.rules # available in suricata sources under rules dir
- smtp-events.rules # available in suricata sources under rules dir
- dns-events.rules # available in suricata sources under rules dir

This is where the rules are currently being pulled from. The emerging rules will obviously throw that error, but the rules that are actually present are still erroring due to double backslashes, which I can't seem to figure out.

Actions #4

Updated by Peter Manev over 8 years ago

ET Open rules you can get from here -

http://rules.emergingthreats.net/open/suricata/
http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Once you download and place the rules - they should load without an issue (despite the double backslashes which are needed for some config variables - magic file for example)

(there is also a pdf manual with the msi installation that helps out a bit too - to be updated with the new release)

I also noticed that you use -

suricata c suricata.yaml -s signatures.rules -i eth0

Do you have an eth0 interface on the Win 2012 server?
You can use this instead -

suricata -c suricata.yaml -s signatures.rules -i IP.IP.IP.IP -v

Actions #5

Updated by James Sevie over 8 years ago

There is no eth0, no. The server IP works fine and the engine initializes. I'm just still having issues with rules. I figured out that if you append the rules path with '\', it will fix the double backslash issue. Magic file loads fine.

Rules seem to be loading, I just need to generate some test traffic.
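An added worked example, not Suricata's code and not from the report's author: a hypothetical reconstruction in C of a rule-path joining routine that reproduces both visible symptoms at once, the doubled backslash and the dropped final character (every `*.rules` entry in the config surfaces as `*.rule` in the error output), and shows why appending `\` to `default-rule-path`, the workaround found in #5, sidesteps it. The function name `join_rule_path`, the `strlen(dir) + strlen(file) + 2` buffer sizing and the strlcat-style truncating concatenation are assumptions; the directory and file names come from the report.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not Suricata's own code. Hypothetical mechanism that
 * is consistent with the report: the configured "botcc.rules" is reported
 * as "...\rules\\botcc.rule" (two separators, last character gone).
 */

/* Directory and file names taken from the report. */
static const char *const RULES_DIR = "C:\\Program Files (x86)\\Suricata\\rules";
/* The workaround from comment #5: a trailing backslash on the directory. */
static const char *const RULES_DIR_WORKAROUND = "C:\\Program Files (x86)\\Suricata\\rules\\";

/* Truncating concatenation with strlcat semantics (strlcat itself is not
 * portable): never writes past outlen-1 and always NUL-terminates, silently
 * dropping whatever does not fit. That silence is what hides the bug. */
static void cat_trunc(char *dst, const char *src, size_t outlen)
{
    size_t used = strlen(dst);
    if (used >= outlen)
        return;
    size_t room = outlen - used - 1;
    size_t n = strlen(src);
    if (n > room)
        n = room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
}

/* Join dir and file into out[outlen]. A separator is added only when dir
 * does not already end in a backslash. sep is a parameter so the two
 * spellings can be compared: "\\" is one backslash, "\\\\" is two. */
static void join_rule_path(const char *dir, const char *file, const char *sep,
                           char *out, size_t outlen)
{
    if (outlen == 0)
        return;
    out[0] = '\0';
    cat_trunc(out, dir, outlen);
    size_t len = strlen(out);
    if (len > 0 && out[len - 1] != '\\')
        cat_trunc(out, sep, outlen);
    cat_trunc(out, file, outlen);
}

/* Build into a buffer sized "dir + file + 2", i.e. room for exactly one
 * separator byte plus the NUL (assumed sizing). Returns static storage,
 * valid until the next call. */
static const char *build_path(const char *dir, const char *file, const char *sep)
{
    static char out[512];
    size_t outlen = strlen(dir) + strlen(file) + 2;
    if (outlen > sizeof out)
        outlen = sizeof out;
    join_rule_path(dir, file, sep, out, outlen);
    return out;
}

/* Symptom: the separator literal holds two backslashes, so the file name
 * loses its last character to truncation. */
static const char *buggy_join(const char *dir, const char *file)
{
    return build_path(dir, file, "\\\\");
}

/* Corrected: a single-backslash separator fits the allocated buffer. */
static const char *fixed_join(const char *dir, const char *file)
{
    return build_path(dir, file, "\\");
}

int main(void)
{
    printf("buggy      : %s\n", buggy_join(RULES_DIR, "botcc.rules"));
    printf("fixed      : %s\n", fixed_join(RULES_DIR, "botcc.rules"));
    /* With a trailing backslash no separator is appended, so even the
     * doubled literal never runs: the workaround from comment #5. */
    printf("workaround : %s\n", buggy_join(RULES_DIR_WORKAROUND, "botcc.rules"));
    return 0;
}
```

Reading the error text character by character against the configured file name is the quick check here: a doubled separator together with a missing final character points at how the path is assembled, not at the rules directory, which is why the files listed in #3 failed even though they exist. The truncating concatenation makes the defect silent; checking the length such a call reports would have turned it into a loud one.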

Actions #6

Updated by Andreas Herz over 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

So what error messages are now left?

Actions #7

Updated by Andreas Herz almost 7 years ago

  • Status changed from New to Closed

Closed since no response after 8 months, reopen if necessary, thanks!

Actions #8

Updated by Victor Julien almost 7 years ago

  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)