Ah yes, these are caused by a few quirks that unfortunately slipped through when testing Core Update 164. Upcoming Core Update 167 will fix them - at least it does so on my testing machine, where I use the same configuration.
A testing version of Core Update 167 will be available within the next few days. It would be great if you could install it, and confirm whether these log lines are gone afterwards.
[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/share/suricata/threshold.config": No such file or directory
Still not fixed?
I also get modbus unknown protocol errors:
|Time|Source|Message|
|---|---|---|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/share/suricata/rules/app-layer-events.rules:9 uses unknown classtype: protocol-command-decode, using default priority 3. This message won't be shown again for this classtype|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Request flood detected; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 7|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Length too small; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;) from file /usr/share/suricata/rules/dnp3-events.rules at line 13|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad link CRC; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 17|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad transport CRC; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 21|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Unknown object; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 25|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Protocol version; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 2|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus unsolicited response; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 4|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Length; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 6|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Unit Identifier; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 8|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Function code; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 10|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Value; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 12|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Exception code invalid; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 14|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Data mismatch; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 16|
|10:03:32|suricata: |[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled|
|10:03:32|suricata: |[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Request flood detected; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 18|
|10:03:32|suricata: |17 rule files processed. 291 rules successfully loaded, 14 rules failed|
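
As an added example (not part of the posts above, and not IPFire or Suricata code): a small Python triage of startup messages like these, grouping each failed signature under the protocol parser Suricata reported as unavailable and flagging any failure that has another cause. The sample log is constructed, with the post's messages shortened and one hypothetical `local.rules` failure (sid 9000001) added.

```python
import re
from collections import Counter

UNKNOWN_PROTO = re.compile(r"SC_ERR_UNKNOWN_PROTOCOL\(124\)\] - protocol (\S+) cannot be used")
BAD_SIG = re.compile(r'SC_ERR_INVALID_SIGNATURE\(39\)\] - error parsing signature "?alert (\S+) '
                     r".*?sid:\s*(\d+);.* from file (\S+) at line (\d+)")
SUMMARY = re.compile(r"(\d+) rules successfully loaded, (\d+) rules failed")

# Constructed sample: messages shortened from the post, plus one hypothetical
# failure in local.rules (sid 9000001) that no disabled parser explains.
SAMPLE_LOG = """\
[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature.
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Request flood detected; sid:2270000; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 7
[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature.
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Length; sid:2250003; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 6
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert http any any -> any any (msg:constructed example; sid:9000001; rev:1;) from file /usr/share/suricata/rules/local.rules at line 3
17 rule files processed. 291 rules successfully loaded, 3 rules failed
"""

def triage(log_text):
    """Split failed signatures into 'parser unavailable' and 'other cause'."""
    disabled, failed, reported = set(), [], None
    for line in log_text.splitlines():
        if m := UNKNOWN_PROTO.search(line):
            disabled.add(m.group(1))
        elif m := BAD_SIG.search(line):
            proto, sid, path, lineno = m.groups()
            failed.append({"proto": proto, "sid": int(sid),
                           "file": path.rsplit("/", 1)[-1], "line": int(lineno)})
        elif m := SUMMARY.search(line):
            reported = int(m.group(2))
    # Failures whose protocol was reported as unusable are a parser/config issue;
    # anything left over is a rule that is broken for a different reason.
    by_parser = Counter(f["proto"] for f in failed if f["proto"] in disabled)
    unexplained = [f for f in failed if f["proto"] not in disabled]
    return {"disabled_parsers": sorted(disabled),
            "failed_by_disabled_parser": dict(by_parser),
            "unexplained": unexplained,
            "reported_failed": reported,   # count from Suricata's summary line
            "parsed_failed": len(failed)}  # count of failures seen in the log

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Applied to the log in the post, the same grouping gives 5 dnp3 and 9 modbus signatures, which accounts for all 14 rules reported as failed.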