[ERRCODE: SC_ERR_FOPEN(44)] - Errors in Suricata

I upgraded to Core 165
This is Suricata version 5.0.8 RELEASE running in SYSTEM mode

I notice new errors in the system log:

11:25:46	suricata: 	rule reload starting
11:25:46	suricata: 	Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
11:25:46	suricata: 	Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
11:25:46	suricata: 	Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
11:25:46	suricata: 	Including configuration file /var/ipfire/suricata/suricata-used-providers.yaml.
11:25:46	suricata: 	Including configuration file /var/ipfire/suricata/suricata-sslbl_blacklist-used-rulefiles.yaml.
11:25:46	suricata: 	Including configuration file /var/ipfire/suricata/suricata-emerging-used-rulefiles.yaml.
11:25:46	suricata: 	Including configuration file /var/ipfire/suricata/suricata-default-rules.yaml.
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-user_agents.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-p2p.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-malware.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-attack_response.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-compromised.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-drop.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-chat.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-ciarmy.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-hunting.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-scan.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-inappropriate.rules
11:26:20	suricata: 	[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-mobile_malware.rules
11:26:20	suricata: 	48 rule files processed. 17732 rules successfully loaded, 0 rules failed
11:26:20	suricata: 	[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/share/suricata/threshold.config": No such file or directory
11:26:20	suricata: 	17732 signatures processed. 50 are IP-only rules, 2231 are inspecting packet payload, 15450 inspect application layer, 0 are decoder event only
11:26:21	suricata: 	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.JavaNotJar' is checked but not set. Checked in 2016540 and 0 other sigs
11:26:21	suricata: 	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.telnet.busybox' is checked but not set. Checked in 2023019 and 2 other sigs
11:28:52	suricata: 	cleaning up signature grouping structure... complete
11:28:52	suricata: 	rule reload complete
11:28:52	suricata: 	rule reload starting
11:28:52	suricata: 	Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
11:28:52	suricata: 	Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
11:28:52	suricata: 	Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
11:28:52	suricata: 	Including configuration file /var/ipfire/suricata/suricata-used-providers.yaml.
11:28:52	suricata: 	Including configuration file /var/ipfire/suricata/suricata-sslbl_blacklist-used-rulefiles.yaml.
11:28:52	suricata: 	Including configuration file /var/ipfire/suricata/suricata-emerging-used-rulefiles.yaml.
11:28:52	suricata: 	Including configuration file /var/ipfire/suricata/suricata-default-rules.yaml.
11:29:38	suricata: 	48 rule files processed. 27958 rules successfully loaded, 0 rules failed
11:29:39	suricata: 	[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/share/suricata/threshold.config": No such file or directory
11:29:41	suricata: 	27961 signatures processed. 217 are IP-only rules, 3959 are inspecting packet payload, 23762 inspect application layer, 0 are decoder event only
11:35:11	suricata: 	cleaning up signature grouping structure... complete
11:35:11	suricata: 	rule reload complete

Hi,

thank you for reporting this.

Could you please post a screenshot of your IPS configuration and the enabled IPS ruleset providers here?

Cc: @stevee

Thanks, and best regards,
Peter Müller

Hello Peter,
here is the screenshot, I only had the ET rules enabled.

Hi,

sorry for the late reply.

Ah yes, these are caused by a few quirks that unfortunately slipped through when testing Core Update 164. Upcoming Core Update 167 will fix them - at least it does so on my testing machine, where I use the same configuration. :slight_smile:

A testing version of Core Update 167 will be available within the next few days. It would be great if you could install it, and confirm whether these log lines are gone afterwards.

Thanks in advance, and best regards,
Peter Müller

Hi Peter.

After upgrading to CU167 I notice an error:

[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/share/suricata/threshold.config": No such file or directory

After creating an empty threshold.config file, this error does not appear.

touch /usr/share/suricata/threshold.config

Below is a link to the page where I found the hint:

Greetings
Tom

Have the same:

[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/share/suricata/threshold.config": No such file or directory

Still not fixed?

I also get modbus unknown protocol errors:

10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - signature at /usr/share/suricata/rules/app-layer-events.rules:9 uses unknown classtype: protocol-command-decode, using default priority 3. This message won't be shown again for this classtype
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Request flood detected; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 7
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Length too small; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;) from file /usr/share/suricata/rules/dnp3-events.rules at line 13
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad link CRC; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 17
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad transport CRC; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 21
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Unknown object; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 25
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Protocol version; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 2
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus unsolicited response; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 4
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Length; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 6
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Unit Identifier; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 8
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Function code; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 10
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Value; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 12
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Exception code invalid; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 14
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Data mismatch; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 16
10:03:32	suricata: 	[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
10:03:32	suricata: 	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Request flood detected; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 18
10:03:32	suricata: 	17 rule files processed. 291 rules successfully loaded, 14 rules failed
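
Added example (not part of the thread, and not IPFire or Suricata code): a small Python triage for a rule-reload log like the ones posted above. It groups messages by ERRCODE, pulls out the file, protocol or sid each one names, and checks that the "rules failed" figure is fully explained by SC_ERR_INVALID_SIGNATURE lines, as it is in the last post (14 of each). The sample log is constructed, the function names are hypothetical, and the input is assumed to be unwrapped log text from a single reload.

```python
import re
from collections import Counter

# Constructed sample, modelled on the messages quoted in this thread.
SAMPLE = """\
11:26:20 suricata: [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/emerging-p2p.rules
11:26:20 suricata: [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/share/suricata/threshold.config": No such file or directory
10:03:32 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature.
10:03:32 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad link CRC; sid:2270002; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 17
10:03:32 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature.
10:03:32 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Length; sid:2250003; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 6
10:03:32 suricata: 17 rule files processed. 291 rules successfully loaded, 2 rules failed
"""

ERRCODE = re.compile(r"\[ERRCODE: (\w+)\((\d+)\)\] - (.*)")
SUMMARY = re.compile(r"(\d+) rule files processed\. (\d+) rules successfully loaded, (\d+) rules failed")
DETAIL = {  # which detail to pull out of the message for each error code
    "SC_ERR_NO_RULES": re.compile(r"match the pattern (\S+)"),
    "SC_ERR_FOPEN": re.compile(r'Error opening file: "([^"]+)"'),
    "SC_ERR_UNKNOWN_PROTOCOL": re.compile(r"protocol (\S+) cannot be used"),
    "SC_ERR_INVALID_SIGNATURE": re.compile(r"sid:(\d+)"),
}

def triage(log_text):
    """Group reload errors by code and collect the file, protocol or sid each names."""
    counts, details, failed = Counter(), {code: [] for code in DETAIL}, None
    for line in log_text.splitlines():
        summary = SUMMARY.search(line)
        if summary:
            failed = int(summary.group(3))  # the reload's "rules failed" figure
            continue
        err = ERRCODE.search(line)
        if not err:
            continue
        code, msg = err.group(1), err.group(3)
        counts[code] += 1
        hit = DETAIL[code].search(msg) if code in DETAIL else None
        if hit and hit.group(1) not in details[code]:
            details[code].append(hit.group(1))  # keep first-seen order, no duplicates
    return {"counts": counts, "details": details, "rules_failed": failed}

def failures_accounted_for(report):
    """True when every failed rule has a matching INVALID_SIGNATURE line in the log."""
    return report["rules_failed"] == report["counts"]["SC_ERR_INVALID_SIGNATURE"]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for code, n in report["counts"].most_common():
        print(f"{n:3d}  {code}  {report['details'].get(code, [])}")
    print("all failed rules logged:", failures_accounted_for(report))
```

A mismatch between the two figures means some rules failed without a logged signature error, which is worth chasing before trusting the loaded rule count.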