Bug #4402

closed

SC_ERR_UNKNOWN_VALUE(129)

Added by Jesus Padro over 3 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently installed Suricata version is 5.0.5.
Updated the rules and received the following notifications.
20/3/2021 -- 07:48:49 - <Notice> - This is Suricata version 5.0.5 RELEASE running in SYSTEM mode
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_WARN_DEPRECATED(203)] - Unified2 alert has been deprecated and will be removed by December 2019.
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:817 uses unknown classtype: "command-and-control", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:930 uses unknown classtype: "pup-activity", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:1794 uses unknown classtype: "coin-mining", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:3875 uses unknown classtype: "exploit-kit", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:4899 uses unknown classtype: "targeted-activity", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:4979 uses unknown classtype: "credential-theft", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:8194 uses unknown classtype: "social-engineering", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:8322 uses unknown classtype: "domain-c2", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:49 - <Warning> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /etc/nsm/rules/downloaded.rules:8777 uses unknown classtype: "external-ip-check", using default priority 3. This message won't be shown again for this classtype
20/3/2021 -- 07:48:50 - <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - failed to parse address "2001:41"
20/3/2021 -- 07:48:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp [200.122.181.101,200.122.181.78,2001:40e8:0000:f091:0000:0000:0000:0100,2001:41,2001:41c8:0051:0490:feff:00ff:fe00:3214,2001:41d0:0001:777c:0200:c0a8:64b5:0000,2001:41d0:0001:81cf:0000:0000:0000:0001,2001:41d0:0001:8719:0000:0000:0000:0001,2001:41d0:0001:8b3b:0000:0000:0000:0001,2001:41d0:0002:1ecc:0000:0000:0000:0000] any > $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 377"; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; flowbits:set,ET.TorIP; sid:2522376; rev:4374; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag TOR, signature_severity Audit, created_at 2008_12_01, updated_at 2021_03_19;)" from file /etc/nsm/rules/downloaded.rules at line 31906
20/3/2021 -- 07:48:54 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.

Looking for these lines within the downloaded.rules file, I see that most are already commented out. So why are they still being identified within the suricata.log file as being an Error if they are commented out?

Actions #1

Updated by Jeff Lucovsky over 3 years ago

Suricata ignores lines that are
- empty (blank line)
- begin with the comment character '#'
- or have whitespace (blank or tab) as the first character

Can you re-check and see if any of the reported lines are not commented out or start with whitespace?
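A small checker, added here as an example and not part of Suricata or of this thread, that applies the same three skip conditions to a rules file and then flags the two problems seen in the report (an unknown classtype, an address the engine cannot parse) only on lines that would actually be loaded. The sample rules and the abbreviated classtype set are constructed; a real run would read the rules file and the classtypes from classification.config.

```python
import ipaddress
import re

# Constructed sample rules (not from the page): line 2 is commented out, line 3 starts
# with whitespace, line 4 uses an unknown classtype, line 5 has a truncated IPv6 source.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ok"; classtype:attempted-admin; sid:1;)
#alert tcp any any -> any any (msg:"commented"; classtype:coin-mining; sid:2;)
 alert tcp any any -> any any (msg:"leading space"; classtype:coin-mining; sid:3;)
alert tcp any any -> $HOME_NET any (msg:"unknown"; classtype:coin-mining; sid:4;)
alert tcp [10.0.0.1,2001:41] any -> $HOME_NET any (msg:"bad addr"; classtype:misc-attack; sid:5;)
"""
# Assumption: abbreviated stand-in for the classtypes listed in classification.config.
KNOWN_CLASSTYPES = {"attempted-admin", "misc-attack", "trojan-activity"}

def is_ignored(line):
    """Mirror the loader's skip rule: empty, '#' first, or whitespace first."""
    return line == "" or line[0] == "#" or line[0].isspace()

def bad_addresses(group):
    """Return tokens in a rule address group that are not valid IP or CIDR values."""
    bad = []
    for tok in group.strip("[]").split(","):
        tok = tok.lstrip("!")  # drop negation prefix before validating
        if tok == "any" or tok.startswith("$"):
            continue  # keyword or variable resolved from suricata.yaml
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            bad.append(tok)
    return bad

def check_rules(text):
    """Return (count of lines Suricata would load, [(line_no, message), ...])."""
    loaded, findings = 0, []
    for no, line in enumerate(text.splitlines(), start=1):
        if is_ignored(line):
            continue
        loaded += 1
        header = line.split(None, 7)  # action proto src sport dir dst dport options
        if len(header) < 7:
            findings.append((no, "malformed rule header"))
            continue
        for addr in (header[2], header[5]):
            for tok in bad_addresses(addr):
                findings.append((no, f'failed to parse address "{tok}"'))
        m = re.search(r"classtype:\s*([\w-]+)\s*;", line)
        if m and m.group(1) not in KNOWN_CLASSTYPES:
            findings.append((no, f'unknown classtype "{m.group(1)}"'))
    return loaded, findings
```

Running `check_rules(SAMPLE_RULES)` reports 3 loaded lines and findings only for lines 4 and 5; the commented and indented lines produce nothing, which is the behaviour to compare against the line numbers in the warnings.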

Actions #2

Updated by Jesus Padro over 3 years ago

I will check the lines to see if there are whitespaces. Will let you know what I find.

Actions #3

Updated by Victor Julien over 3 years ago

  • Target version deleted (5.0.5)

Actions #4

Updated by Victor Julien over 1 year ago

  • Status changed from New to Closed