Bug #3280 (Closed)
suricata-update will enable smb-events for non-Rust builds
Affected Versions: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5
Label: Needs backport
Description
Suricata-Update will enable smb-events.rules because smb is enabled in the yaml. However, those rules only work for the Rust-enabled version of Suricata.
This will lead to a -T failure.
2019-10-24 10:51:39,332 - <INFO> - Using data-directory /var/lib/suricata.
2019-10-24 10:51:39,332 - <INFO> - Using Suricata configuration /etc/suricata/suricata.yaml
2019-10-24 10:51:39,332 - <INFO> - Using /etc/suricata/rules for Suricata provided rules.
2019-10-24 10:51:39,337 - <INFO> - Found Suricata version 4.1.5 at /usr/bin/suricata.
2019-10-24 10:51:39,337 - <INFO> - Loading /etc/suricata/suricata.yaml
2019-10-24 10:51:39,343 - <INFO> - Disabling rules with proto krb5
2019-10-24 10:51:39,343 - <INFO> - Disabling rules with proto nfs
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto tftp
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto modbus
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto dnp3
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto enip
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto ntp
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto dhcp
2019-10-24 10:51:39,344 - <INFO> - No sources configured, will use Emerging Threats Open
2019-10-24 10:51:39,344 - <INFO> - Fetching https://rules.emergingthreats.net/open/suricata-4.1.5/emerging.rules.tar.gz.
2019-10-24 10:51:41,007 - <INFO> - Done.
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/decoder-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/dns-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/files.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/http-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/modbus-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/nfs-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/ntp-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/smb-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/smtp-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/stream-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/tls-events.rules
2019-10-24 10:51:41,080 - <INFO> - Ignoring file rules/emerging-deleted.rules
2019-10-24 10:51:42,573 - <INFO> - Loaded 25511 rules.
2019-10-24 10:51:42,991 - <INFO> - Disabled 20 rules.
2019-10-24 10:51:42,992 - <INFO> - Enabled 0 rules.
2019-10-24 10:51:42,992 - <INFO> - Modified 0 rules.
2019-10-24 10:51:42,992 - <INFO> - Dropped 0 rules.
2019-10-24 10:51:43,144 - <INFO> - Enabled 42 rules for flowbit dependencies.
2019-10-24 10:51:43,144 - <INFO> - Backing up current rules.
2019-10-24 10:51:43,167 - <INFO> - Writing rules to /var/lib/suricata/rules/suricata.rules: total: 25511; enabled: 20461; added: 25511; removed 0; modified: 0
2019-10-24 10:51:43,375 - <INFO> - Testing with suricata -T.
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed request data"; flow:to_server; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25377
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed response data"; flow:to_client; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25378
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Encryption)"; flow:to_client; app-layer-event:ikev2.weak_crypto_enc; classtype:protocol-command-decode; sid:2224002; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25379
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25380
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Auth)"; flow:to_client; app-layer-event:ikev2.weak_crypto_auth; classtype:protocol-command-decode; sid:2224004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 25381
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_dh; classtype:protocol-command-decode; sid:2224005; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 25382
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no Diffie-Hellman exchange parameters"; flow:to_client; app-layer-event:ikev2.weak_crypto_nodh; classtype:protocol-command-decode; sid:2224006; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25383
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no authentication"; flow:to_client; app-layer-event:ikev2.weak_crypto_noauth; classtype:protocol-command-decode; sid:2224007; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25384
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no encryption (AH)"; flow:to_client; app-layer-event:ikev2.no_encryption; classtype:protocol-command-decode; sid:2224008; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25385
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal"; flow:to_server; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224009; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25386
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal selected"; flow:to_client; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224010; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25387
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal"; flow:to_server; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224011; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25388
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal selected"; flow:to_client; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224012; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25389
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_server; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25405
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_client; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25406
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request data"; flow:to_server; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225002; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25407
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25408
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_ntlmssp_request" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25409
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "negotiate_malformed_dialects" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25410
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
2019-10-24 10:51:44,254 - <ERROR> - Suricata test failed, aborting.
The ikev2 errors are tracked in #3279
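A triage helper for the -T failure quoted above, added here as an example and not code from suricata-update or Suricata: it pulls the rejected SIDs out of Suricata's SC_ERR_INVALID_SIGNATURE lines, turns them into disable.conf entries so the next suricata-update run leaves them disabled, and checks `suricata --build-info` output for Rust support. The sample error lines are constructed from the report, and the exact "Rust support:" line format in --build-info output is an assumption.

```python
import re

# Constructed sample in the shape of the `suricata -T` errors quoted in the report
# (one ikev2 and one smb failure, each preceded by its explanatory error line).
SAMPLE_T_OUTPUT = """\
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed request data"; flow:to_server; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25377
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_server; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25405
"""

# Matches the "error parsing signature" line and captures protocol, sid, file and line.
SIG_ERR = re.compile(
    r'error parsing signature "alert (?P<proto>\S+) .*?sid:(?P<sid>\d+);'
    r'.*?" from file (?P<file>\S+) at line (?P<line>\d+)'
)

def failed_signatures(t_output):
    """Return one dict per signature that Suricata refused to load, in log order."""
    failures = []
    for entry in t_output.splitlines():
        m = SIG_ERR.search(entry)
        if m:
            failures.append({"proto": m["proto"], "sid": int(m["sid"]),
                             "file": m["file"], "line": int(m["line"])})
    return failures

def disable_conf_lines(failures):
    """Build suricata-update disable.conf entries (a '#' comment line, then the bare
    sid) so the unsupported signatures stay disabled on the next update run."""
    lines = []
    for f in sorted(failures, key=lambda f: f["sid"]):
        lines.append(f"# {f['proto']} not supported by this build ({f['file']}:{f['line']})")
        lines.append(str(f["sid"]))
    return lines

def has_rust_support(build_info):
    """True if `suricata --build-info` output reports a Rust-enabled build.
    Assumption: the output contains a line of the form 'Rust support: yes|no'."""
    m = re.search(r"^\s*Rust support:\s*(\w+)", build_info, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "yes"

if __name__ == "__main__":
    # Constructed build-info fragment standing in for a non-Rust 4.1.5 build.
    print("Rust build:", has_rust_support("Suricata version 4.1.5\nRust support: no\n"))
    print("\n".join(disable_conf_lines(failed_signatures(SAMPLE_T_OUTPUT))))
```

On a real host, feed it the stderr of `suricata -T -c /etc/suricata/suricata.yaml` and append the output to /etc/suricata/disable.conf.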
Updated by Victor Julien about 5 years ago
- Affected Versions 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5 added
Updated by Andreas Herz about 5 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Isn't that something suricata-update should take care of (other Project tracker in that case)?
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
- Priority changed from Normal to High
Updated by Jason Ish about 5 years ago
- Project changed from Suricata to Suricata-Update
- Target version deleted (TBD)
Updated by Jason Ish about 5 years ago
- Copied to Bug #3381: suricata-update will enable smb-events for non-Rust builds (1.1.1) added
Updated by Jason Ish about 5 years ago
- Copied to Bug #3382: suricata-update will enable smb-events for non-Rust builds (1.0.x) added
Updated by Jason Ish about 5 years ago
- Status changed from Assigned to Closed
Updated by Jason Ish over 4 years ago
- Target version changed from 1.2.0 to 1.2.0rc1