Hi all
I have IPFire 2.27 (armv6l) - Core Update 166 on the RPI 3, and I activated the IPS with only 1 interface (red) and 1 rule (the emerging-malware rule). After the activation I see this log with a lot of ERR codes:
Time | Process | Message
---|---|---
15:37:30 | suricata: | Signature(s) loaded, Detect thread(s) activated.
15:37:30 | suricata: | rule reload complete
15:37:30 | suricata: | cleaning up signature grouping structure... complete
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient' is checked but not set. Checked in 2015657 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.Socks5.OnionReq' is checked but not set. Checked in 2027704 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 7 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024242 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.binary' is checked but not set. Checked in 2023741 and 2 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.WinHttpRequest.no.exe.request' is checked but not set. Checked in 2022653 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.no.exe.request' is checked but not set. Checked in 2022053 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MS.XMLHTTP.ip.request' is checked but not set. Checked in 2022050 and 1 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.wininet.UA' is checked but not set. Checked in 2021312 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.ELFDownload' is checked but not set. Checked in 2019896 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.http.javaclient.vulnerable' is checked but not set. Checked in 2013036 and 0 other sigs
15:36:41 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
15:36:41 | suricata: | 8566 signatures processed. 0 are IP-only rules, 1325 are inspecting packet payload, 7067 inspect application layer, 105 are decoder event only
15:36:40 | suricata: | [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: /usr/share/suricata/threshold.config: No such file or directory
15:36:40 | suricata: | 17 rule files processed. 8566 rules successfully loaded, 14 rules failed
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Request flood detected; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 18
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Data mismatch; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 16
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Exception code invalid; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 14
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Value; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 12
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Function code; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 10
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Unit Identifier; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 8
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Length; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 6
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus unsolicited response; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 4
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Protocol version; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 2
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Unknown object; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 25
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad transport CRC; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 21
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad link CRC; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 17
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Length too small; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;) from file /usr/share/suricata/rules/dnp3-events.rules at line 13
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 | suricata: | [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Request flood detected; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 7
15:36:40 | suricata: | [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:36 | suricata: | Including configuration file /var/ipfire/suricata/suricata-default-rules.yaml.
15:36:36 | suricata: | Including configuration file /var/ipfire/suricata/suricata-emerging-used-rulefiles.yaml.
15:36:36 | suricata: | Including configuration file /var/ipfire/suricata/suricata-used-providers.yaml.
15:36:36 | suricata: | Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
15:36:36 | suricata: | Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
15:36:36 | suricata: | Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
15:36:36 | suricata: | rule reload starting
15:36:36 | suricata: | all 4 packet processing threads, 2 management threads initialized, engine started.
15:36:36 | suricata: | fail-open mode should be set on queue
15:36:36 | suricata: | NFQ running in 'workers' runmode, will not use mutex.
15:36:36 | suricata: | setting nfnl bufsize to 6144000
15:36:36 | suricata: | setting queue length to 4096
15:36:36 | suricata: | binding this thread 3 to queue '3'
15:36:36 | suricata: | fail-open mode should be set on queue
15:36:36 | suricata: | NFQ running in 'workers' runmode, will not use mutex.
15:36:36 | suricata: | setting nfnl bufsize to 6144000
15:36:36 | suricata: | setting queue length to 4096
15:36:36 | suricata: | binding this thread 2 to queue '2'
15:36:36 | suricata: | fail-open mode should be set on queue
15:36:36 | suricata: | NFQ running in 'workers' runmode, will not use mutex.
15:36:36 | suricata: | setting nfnl bufsize to 6144000
15:36:36 | suricata: | setting queue length to 4096
15:36:36 | suricata: | binding this thread 1 to queue '1'
15:36:36 | suricata: | fail-open mode should be set on queue
15:36:36 | suricata: | NFQ running in 'workers' runmode, will not use mutex.
15:36:36 | suricata: | setting nfnl bufsize to 6144000
15:36:36 | suricata: | setting queue length to 4096
15:36:36 | suricata: | binding this thread 0 to queue '0'
15:36:36 | suricata: | Packets will start being processed before signatures are active.
15:36:36 | suricata: | fast output device (regular) initialized: fast.log
15:36:36 | suricata: | dropped the caps for main thread
15:36:36 | suricata: | NFQ running in REPEAT mode with mark 2147483648/2147483648
15:36:36 | suricata: | Enabling fail-open on queue
15:36:36 | suricata: | HTTP memcap: 268435456
15:36:36 | suricata: | CPUs/cores online: 4
15:36:36 | suricata: | This is Suricata version 5.0.8 RELEASE running in SYSTEM mode
What do I have to do?
thanks
Vincenzo
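As an added triage example (not code from the post, from IPFire or from Suricata), the script below groups the ERRCODE lines quoted above by code and pulls out what is actionable in each: the sids and rule files that failed to parse, the app-layer protocol parser they depend on together with the yaml option named in the message, the file the configuration references but which is missing, and the flowbits that are checked without any loaded rule setting them. The sample lines are copied from the post with the line-wrapping artefacts removed and the IPFire viewer columns dropped.

```python
import re
from collections import Counter

# Sample lines reproduced from the log quoted in the post (wrapping artefacts
# removed; only the Suricata message column kept).
SAMPLE_LOG = """\
[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 0 other sigs
[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: /usr/share/suricata/threshold.config: No such file or directory
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Request flood detected; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 18
[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Request flood detected; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 7
[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
"""

ERRCODE_RE = re.compile(r"\[ERRCODE: (SC_(WARN|ERR)_[A-Z_]+)\((\d+)\)\] - (.*)")
FAILED_SIG_RE = re.compile(r"sid:(\d+);.*from file (\S+) at line (\d+)")
PROTO_RE = re.compile(r"protocol (\w+) cannot be used.*yaml option (\S+)")
FLOWBIT_RE = re.compile(r"flowbit '([^']+)' is checked but not set")
FOPEN_RE = re.compile(r"Error opening file: (\S+): No such file")

def triage(log_text):
    """Bucket Suricata start-up messages by ERRCODE and extract the actionable detail."""
    report = {"counts": Counter(), "failed_sigs": [], "disabled_protocols": {},
              "missing_files": [], "orphan_flowbits": []}
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if not m:
            continue  # informational line, not an ERRCODE entry
        code, _kind, _num, msg = m.groups()
        report["counts"][code] += 1
        if code == "SC_ERR_INVALID_SIGNATURE":  # which rule, in which file, failed to load
            s = FAILED_SIG_RE.search(msg)
            if s:
                report["failed_sigs"].append((int(s.group(1)), s.group(2), int(s.group(3))))
        elif code == "SC_ERR_UNKNOWN_PROTOCOL":  # parser the failed rules depend on
            p = PROTO_RE.search(msg)
            if p:
                report["disabled_protocols"][p.group(1)] = p.group(2)
        elif code == "SC_ERR_FOPEN":  # file referenced by the config but absent on disk
            f = FOPEN_RE.search(msg)
            if f:
                report["missing_files"].append(f.group(1))
        elif code == "SC_WARN_FLOWBIT":  # flowbit whose setting rule is not loaded
            b = FLOWBIT_RE.search(msg)
            if b:
                report["orphan_flowbits"].append(b.group(1))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the full log, the report separates the fourteen SC_ERR_INVALID_SIGNATURE entries (all in modbus-events.rules and dnp3-events.rules, each paired with an SC_ERR_UNKNOWN_PROTOCOL naming the parser option) from the SC_WARN_FLOWBIT lines, which are warnings about rule-set selection rather than load failures.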