No loggers are active

barczs · 26 December 2019 11:48

Every day at 5.00 am restars my firewall. At the same time surricata rules will be relaoded es well.
When checking IPS system logs under Logs > System Logs > Intrusion Prevention I found each day an error message:

[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active

How can I fix it? Somebody any idea?
Here you’ll find the entire loggiing section:

 01:25:32	suricata: 	rule reload starting
01:26:06	suricata: 	rule reload complete
05:00:54	suricata: 	Signal Received. Stopping engine.
05:00:55	suricata: 	(W-Q0) Treated: Pkts 44439, Bytes 33877055, Errors 0
05:00:55	suricata: 	(W-Q0) Verdict: Accepted 44409, Dropped 30, Replaced 0
05:00:55	suricata: 	(W-Q1) Treated: Pkts 4529, Bytes 375262, Errors 0
05:00:55	suricata: 	(W-Q1) Verdict: Accepted 4528, Dropped 1, Replaced 0
05:00:55	suricata: 	(W-Q2) Treated: Pkts 434, Bytes 282213, Errors 0
05:00:55	suricata: 	(W-Q2) Verdict: Accepted 434, Dropped 0, Replaced 0
05:00:55	suricata: 	(W-Q3) Treated: Pkts 589, Bytes 493083, Errors 0
05:00:55	suricata: 	(W-Q3) Verdict: Accepted 588, Dropped 1, Replaced 0
05:00:56	suricata: 	This is Suricata version 4.1.5 RELEASE
05:00:56	suricata: 	[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
05:00:56	suricata: 	all 4 packet processing threads, 2 management threads initialized, engine starte d.
05:00:56	suricata: 	rule reload starting
05:01:55	suricata: 	rule reload complete
05:01:55	suricata: 	Signature(s) loaded, Detect thread(s) activated.

ms · 26 December 2019 13:27

Hi,

this is disabled deliberately, so that we won’t write loads of stat data, that we will never use. However, we enabled this during development to hunt some issues.

This should probably be marked as a warning instead of an error.

cbrown · 26 December 2019 15:48

Would it be safe to assume that the other errors/warnings are from Suricata lack of support for some of the features in Talos rules?

Dec 26 03:00:16 ipfire suricata: [ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
Dec 26 03:00:16 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - “http_raw_uri” keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Dec 26 03:00:16 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “drop tcp $EXTERNAL_NET any → $HOME_NET $HTTP_PORTS (msg:“FILE-OFFICE Microsoft Office directory traversal attempt”; flow:to_server,established; file_data; content:”…|5C|“; http_raw_uri; content:“InfoPath.3|3B| ms-office|3B| MSOffice 15”; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http; reference:cve,2019-0801; reference:url,Security Update Guide - Microsoft Security Response Center; classtype:attempted-user; sid:49733; rev:1;)” from file /var/lib/suricata/file-office.rules at line 1503

… <many more similar>

Dec 26 03:00:22 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “drop tcp $EXTERNAL_NET $HTTP_PORTS → $HOME_NET any (msg:“INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file”; flow:to_client,established; flowbits:isset,file.zip; file_data; content:”.gif.exe"; fast_pattern:only; content:“Content-Length:”; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)" from file /var/lib/suricata/indicator-compromise.rules at line 224
Dec 26 03:00:22 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - “http_header” keyword seen with a sticky buffer still set. Reset sticky buffer with pkt_data before using the modifier.
Dec 26 03:00:22 ipfire suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature “drop tcp $EXTERNAL_NET $HTTP_PORTS → $HOME_NET any (msg:“INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file”; flow:to_client,established; flowbits:isset,file.zip; file_data; content:”.doc.exe"; fast_pattern:only; content:“Content-Length:”; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)" from file /var/lib/suricata/indicator-compromise.rules at line 225

… <then many warnings with flowbit issue>

Dec 26 03:00:23 ipfire suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘file.xls’ is checked but not set. Checked in 16654 and 84 other sigs
Dec 26 03:00:23 ipfire suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘file.rtf’ is checked but not set. Checked in 18680 and 126 other sigs
Dec 26 03:00:23 ipfire suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘file.ole’ is checked but not set. Checked in 21794 and 70 other sigs

… <many more similar>

Dec 26 03:00:23 ipfire suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘file.visio’ is checked Dec 26 03:00:23 ipfire suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘file.pdf&file.ttf’ is checked but not set. Checked in 28585 and 1 other sigs
Dec 26 03:00:23 ipfire suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘backdoor.fearless.runtime’ is checked but not set. Checked in 7112 and 0 other sigs
Dec 26 03:00:23 ipfire suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘alienspy.rat’ is checked but not set. Checked in 32006 and 0 other sigs

[Edit]
Total of 141 with SC_ERR_INVALID_SIGNATURE
Total of 124 with SC_WARN_FLOWBIT

ms · 26 December 2019 20:25

Yeah these are not great, but a problem of the rule set. I suppose the vendor can say things about this.