Bug #3280

suricata-update will enable smb-events for non-Rust builds

Added by Victor Julien about 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: High
Assignee:
Target version:
Difficulty:
Label: Needs backport

Description

Suricata-Update will enable smb-events.rules because smb is enabled in the yaml. However, those rules only work for the Rust-enabled version of Suricata.

This will lead to a -T failure.

2019-10-24 10:51:39,332 - <INFO> - Using data-directory /var/lib/suricata.
2019-10-24 10:51:39,332 - <INFO> - Using Suricata configuration /etc/suricata/suricata.yaml
2019-10-24 10:51:39,332 - <INFO> - Using /etc/suricata/rules for Suricata provided rules.
2019-10-24 10:51:39,337 - <INFO> - Found Suricata version 4.1.5 at /usr/bin/suricata.
2019-10-24 10:51:39,337 - <INFO> - Loading /etc/suricata/suricata.yaml
2019-10-24 10:51:39,343 - <INFO> - Disabling rules with proto krb5
2019-10-24 10:51:39,343 - <INFO> - Disabling rules with proto nfs
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto tftp
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto modbus
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto dnp3
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto enip
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto ntp
2019-10-24 10:51:39,344 - <INFO> - Disabling rules with proto dhcp
2019-10-24 10:51:39,344 - <INFO> - No sources configured, will use Emerging Threats Open
2019-10-24 10:51:39,344 - <INFO> - Fetching https://rules.emergingthreats.net/open/suricata-4.1.5/emerging.rules.tar.gz.
2019-10-24 10:51:41,007 - <INFO> - Done.
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/decoder-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/dns-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/files.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/http-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
2019-10-24 10:51:41,079 - <INFO> - Loading distribution rule file /etc/suricata/rules/modbus-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/nfs-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/ntp-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/smb-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/smtp-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/stream-events.rules
2019-10-24 10:51:41,080 - <INFO> - Loading distribution rule file /etc/suricata/rules/tls-events.rules
2019-10-24 10:51:41,080 - <INFO> - Ignoring file rules/emerging-deleted.rules
2019-10-24 10:51:42,573 - <INFO> - Loaded 25511 rules.
2019-10-24 10:51:42,991 - <INFO> - Disabled 20 rules.
2019-10-24 10:51:42,992 - <INFO> - Enabled 0 rules.
2019-10-24 10:51:42,992 - <INFO> - Modified 0 rules.
2019-10-24 10:51:42,992 - <INFO> - Dropped 0 rules.
2019-10-24 10:51:43,144 - <INFO> - Enabled 42 rules for flowbit dependencies.
2019-10-24 10:51:43,144 - <INFO> - Backing up current rules.
2019-10-24 10:51:43,167 - <INFO> - Writing rules to /var/lib/suricata/rules/suricata.rules: total: 25511; enabled: 20461; added: 25511; removed 0; modified: 0
2019-10-24 10:51:43,375 - <INFO> - Testing with suricata -T.
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed request data"; flow:to_server; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25377
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 malformed response data"; flow:to_client; app-layer-event:ikev2.malformed_data; classtype:protocol-command-decode; sid:2224001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25378
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Encryption)"; flow:to_client; app-layer-event:ikev2.weak_crypto_enc; classtype:protocol-command-decode; sid:2224002; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25379
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (PRF)"; flow:to_client; app-layer-event:ikev2.weak_crypto_prf; classtype:protocol-command-decode; sid:2224003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25380
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Auth)"; flow:to_client; app-layer-event:ikev2.weak_crypto_auth; classtype:protocol-command-decode; sid:2224004; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 25381
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_client; app-layer-event:ikev2.weak_crypto_dh; classtype:protocol-command-decode; sid:2224005; rev:2;)" from file /var/lib/suricata/rules/suricata.rules at line 25382
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no Diffie-Hellman exchange parameters"; flow:to_client; app-layer-event:ikev2.weak_crypto_nodh; classtype:protocol-command-decode; sid:2224006; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25383
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no authentication"; flow:to_client; app-layer-event:ikev2.weak_crypto_noauth; classtype:protocol-command-decode; sid:2224007; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25384
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 no encryption (AH)"; flow:to_client; app-layer-event:ikev2.no_encryption; classtype:protocol-command-decode; sid:2224008; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25385
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal"; flow:to_server; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224009; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25386
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 invalid proposal selected"; flow:to_client; app-layer-event:ikev2.invalid_proposal; classtype:protocol-command-decode; sid:2224010; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25387
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal"; flow:to_server; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224011; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25388
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "ikev2" cannot be used in a signature.  Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.ikev2.detection-enabled
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ikev2 any any -> any any (msg:"SURICATA IKEv2 unknown proposal selected"; flow:to_client; app-layer-event:ikev2.unknown_proposal; classtype:protocol-command-decode; sid:2224012; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25389
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_server; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225000; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25405
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "internal_error" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB internal parser error"; flow:to_client; app-layer-event:smb.internal_error; classtype:protocol-command-decode; sid:2225001; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25406
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request data"; flow:to_server; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225002; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25407
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_data" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed response data"; flow:to_client; app-layer-event:smb.malformed_data; classtype:protocol-command-decode; sid:2225003; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25408
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "malformed_ntlmssp_request" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed NTLMSSP record"; flow:to_server; app-layer-event:smb.malformed_ntlmssp_request; classtype:protocol-command-decode; sid:2225004; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25409
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - app-layer-event keyword's protocol "smb" doesn't have event "negotiate_malformed_dialects" registered
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert smb any any -> any any (msg:"SURICATA SMB malformed request dialects"; flow:to_server; app-layer-event:smb.negotiate_malformed_dialects; classtype:protocol-command-decode; sid:2225005; rev:1;)" from file /var/lib/suricata/rules/suricata.rules at line 25410
24/10/2019 -- 10:51:44 - <Error> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
2019-10-24 10:51:44,254 - <ERROR> - Suricata test failed, aborting.

The ikev2 errors are tracked in #3279.


Related issues (2): 0 open, 2 closed

Copied to Suricata-Update - Bug #3381: suricata-update will enable smb-events for non-Rust builds (1.1.1) - Closed - Jason Ish
Copied to Suricata-Update - Bug #3382: suricata-update will enable smb-events for non-Rust builds (1.0.x) - Closed - Jason Ish
#1

Updated by Victor Julien about 5 years ago

  • Affected Versions 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5 added
#2

Updated by Andreas Herz about 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

Isn't that something suricata-update should take care of (other Project tracker in that case)?

#3

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
  • Priority changed from Normal to High
#4

Updated by Jason Ish about 5 years ago

  • Project changed from Suricata to Suricata-Update
  • Target version deleted (TBD)
#5

Updated by Jason Ish about 5 years ago

  • Label Needs backport added
#6

Updated by Jason Ish about 5 years ago

  • Target version set to 1.2.0
#7

Updated by Jason Ish about 5 years ago

  • Copied to Bug #3381: suricata-update will enable smb-events for non-Rust builds (1.1.1) added
#8

Updated by Jason Ish about 5 years ago

  • Copied to Bug #3382: suricata-update will enable smb-events for non-Rust builds (1.0.x) added
#9

Updated by Jason Ish about 5 years ago

  • Status changed from Assigned to Closed
#10

Updated by Jason Ish over 4 years ago

  • Target version changed from 1.2.0 to 1.2.0rc1