Suricata ERR_CODE issues

Hi all

I have IPFire 2.27 (armv6l) - Core Update 166 on an RPi 3, and I activated the IPS with only one interface (red) and one rule (emerging-malware rule). After the activation I see this log with a lot of ERR codes:

15:37:30 suricata: Signature(s) loaded, Detect thread(s) activated.
15:37:30 suricata: rule reload complete
15:37:30 suricata: cleaning up signature grouping structure… complete
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.tcpraw.png’ is checked but not set. Checked in 2035477 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘min.gethttp’ is checked but not set. Checked in 2023711 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.autoit.ua’ is checked but not set. Checked in 2019165 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.javaclient’ is checked but not set. Checked in 2015657 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.Socks5.OnionReq’ is checked but not set. Checked in 2027704 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.smb.binary’ is checked but not set. Checked in 2027402 and 4 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.IE7.NoRef.NoCookie’ is checked but not set. Checked in 2023671 and 7 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.armwget’ is checked but not set. Checked in 2024242 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.binary’ is checked but not set. Checked in 2023741 and 2 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MS.WinHttpRequest.no.exe.request’ is checked but not set. Checked in 2022653 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MCOFF’ is checked but not set. Checked in 2022303 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MS.XMLHTTP.no.exe.request’ is checked but not set. Checked in 2022053 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MS.XMLHTTP.ip.request’ is checked but not set. Checked in 2022050 and 1 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.wininet.UA’ is checked but not set. Checked in 2021312 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.MSSQL’ is checked but not set. Checked in 2020569 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.DocVBAProject’ is checked but not set. Checked in 2020170 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.ELFDownload’ is checked but not set. Checked in 2019896 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.javaclient.vulnerable’ is checked but not set. Checked in 2013036 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘is_proto_irc’ is checked but not set. Checked in 2002029 and 4 other sigs
15:36:41 suricata: 8566 signatures processed. 0 are IP-only rules, 1325 are inspecting packet payload, 7067 inspect application layer, 105 are decoder event only
15:36:40 suricata: [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: /usr/share/suricata/threshold.config: No such file or directory
15:36:40 suricata: 17 rule files processed. 8566 rules successfully loaded, 14 rules failed
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Request flood detected; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 18
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Data mismatch; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 16
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Exception code invalid; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 14
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Value; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 12
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Function code; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 10
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Unit Identifier; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 8
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Length; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 6
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus unsolicited response; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 4
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus invalid Protocol version; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 2
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Unknown object; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 25
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad transport CRC; app-layer-event:dnp3.bad_transport_crc; classtype:protocol-command-decode; sid:2270003; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 21
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Bad link CRC; app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decode; sid:2270002; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 17
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Length too small; app-layer-event:dnp3.len_too_small; classtype:protocol-command-decode; sid:2270001; rev:3;) from file /usr/share/suricata/rules/dnp3-events.rules at line 13
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Request flood detected; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 7
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
15:36:36 suricata: Including configuration file /var/ipfire/suricata/suricata-default-rules.yaml.
15:36:36 suricata: Including configuration file /var/ipfire/suricata/suricata-emerging-used-rulefiles.yaml.
15:36:36 suricata: Including configuration file /var/ipfire/suricata/suricata-used-providers.yaml.
15:36:36 suricata: Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
15:36:36 suricata: Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
15:36:36 suricata: Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
15:36:36 suricata: rule reload starting
15:36:36 suricata: all 4 packet processing threads, 2 management threads initialized, engine started.
15:36:36 suricata: fail-open mode should be set on queue
15:36:36 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
15:36:36 suricata: setting nfnl bufsize to 6144000
15:36:36 suricata: setting queue length to 4096
15:36:36 suricata: binding this thread 3 to queue ‘3’
15:36:36 suricata: fail-open mode should be set on queue
15:36:36 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
15:36:36 suricata: setting nfnl bufsize to 6144000
15:36:36 suricata: setting queue length to 4096
15:36:36 suricata: binding this thread 2 to queue ‘2’
15:36:36 suricata: fail-open mode should be set on queue
15:36:36 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
15:36:36 suricata: setting nfnl bufsize to 6144000
15:36:36 suricata: setting queue length to 4096
15:36:36 suricata: binding this thread 1 to queue ‘1’
15:36:36 suricata: fail-open mode should be set on queue
15:36:36 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
15:36:36 suricata: setting nfnl bufsize to 6144000
15:36:36 suricata: setting queue length to 4096
15:36:36 suricata: binding this thread 0 to queue ‘0’
15:36:36 suricata: Packets will start being processed before signatures are active.
15:36:36 suricata: fast output device (regular) initialized: fast.log
15:36:36 suricata: dropped the caps for main thread
15:36:36 suricata: NFQ running in REPEAT mode with mark 2147483648/2147483648
15:36:36 suricata: Enabling fail-open on queue
15:36:36 suricata: HTTP memcap: 268435456
15:36:36 suricata: CPUs/cores online: 4
15:36:36 suricata: This is Suricata version 5.0.8 RELEASE running in SYSTEM mode

What do I have to do?

thanks
Vincenzo
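As an added example (not part of Vincenzo's post, nor code from IPFire or Suricata), the following Python script sorts a syslog excerpt like the one above by ERRCODE and pulls out the items a defender actually acts on: which flowbits are checked but never set, which signatures failed to parse and from which rule file and line, which app-layer protocols the parser rejected together with the YAML option the message names for each, and the rule-load summary. The log lines embedded in the script are constructed to match the format above (a subset of the real thread); the regular expressions, function names and the interpretation notes are mine.

```python
import re
from collections import Counter

# Constructed sample, formatted like the IPFire syslog excerpt in the thread.
SAMPLE_LOG = """\
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 0 other sigs
15:36:41 suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.smb.binary' is checked but not set. Checked in 2027402 and 4 other sigs
15:36:40 suricata: [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: /usr/share/suricata/threshold.config: No such file or directory
15:36:40 suricata: 17 rule files processed. 8566 rules successfully loaded, 14 rules failed
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert modbus any any -> any any (msg:SURICATA Modbus Request flood detected; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;) from file /usr/share/suricata/rules/modbus-events.rules at line 18
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol modbus cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
15:36:40 suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature alert dnp3 any any -> any any (msg:SURICATA DNP3 Unknown object; app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;) from file /usr/share/suricata/rules/dnp3-events.rules at line 25
15:36:40 suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol dnp3 cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
"""

ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>[A-Z0-9_]+)\((?P<num>\d+)\)\] - (?P<msg>.*)$")
# Accept both straight quotes (Suricata's own output) and the curly ones a forum may render.
FLOWBIT_RE = re.compile(r"flowbit ['‘](?P<name>[^'’]+)['’] is checked but not set\. "
                        r"Checked in (?P<sid>\d+) and (?P<others>\d+) other sigs")
BADSIG_RE = re.compile(r"sid:\s*(?P<sid>\d+)\s*;.*from file (?P<file>\S+) at line (?P<line>\d+)")
PROTO_RE = re.compile(r"protocol (?P<proto>\S+) cannot be used in a signature.*yaml option (?P<option>\S+)")
SUMMARY_RE = re.compile(r"(?P<files>\d+) rule files processed\. (?P<ok>\d+) rules successfully loaded, "
                        r"(?P<failed>\d+) rules failed")

# My reading of each code, based on the message text and on the explanation given in the thread.
INTERPRETATION = {
    "SC_WARN_FLOWBIT": "warning only: the checking rule still loads; the setter rule is missing or disabled",
    "SC_ERR_FOPEN": "a file named in suricata.yaml is absent; the engine continues without it",
    "SC_ERR_UNKNOWN_PROTOCOL": "the app-layer parser for this protocol is disabled in the YAML, so the rule is skipped",
    "SC_ERR_INVALID_SIGNATURE": "the rule did not load; the preceding/following line usually gives the reason",
}


def triage(log_text):
    """Group ERRCODE lines by code and extract the actionable details from each kind."""
    counts = Counter()
    unset_flowbits = {}       # flowbit name -> sid of the rule named first in the warning
    failed_sigs = []          # (sid, rule file, line) for every rule that did not parse
    disabled_protocols = {}   # protocol -> YAML option the engine says controls it
    summary = None
    for line in log_text.splitlines():
        m = ERRCODE_RE.search(line)
        if m is None:
            s = SUMMARY_RE.search(line)
            if s:
                summary = {k: int(v) for k, v in s.groupdict().items()}
            continue
        code, msg = m.group("code"), m.group("msg")
        counts[code] += 1
        if code == "SC_WARN_FLOWBIT":
            f = FLOWBIT_RE.search(msg)
            if f:
                unset_flowbits[f.group("name")] = int(f.group("sid"))
        elif code == "SC_ERR_INVALID_SIGNATURE":
            b = BADSIG_RE.search(msg)
            if b:
                failed_sigs.append((int(b.group("sid")), b.group("file"), int(b.group("line"))))
        elif code == "SC_ERR_UNKNOWN_PROTOCOL":
            p = PROTO_RE.search(msg)
            if p:
                disabled_protocols[p.group("proto")] = p.group("option")
    return {
        "counts": counts,
        "unset_flowbits": unset_flowbits,
        "failed_sigs": failed_sigs,
        "disabled_protocols": disabled_protocols,
        "summary": summary,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for code, n in report["counts"].most_common():
        print(f"{code:28s} {n:4d}  {INTERPRETATION.get(code, '')}")
    for proto, option in report["disabled_protocols"].items():
        print(f"parser disabled: {proto} (YAML: {option})")
    for sid, path, line in report["failed_sigs"]:
        print(f"rule not loaded: sid {sid} ({path}:{line})")
    print("load summary:", report["summary"])
```

Run against the full syslog excerpt, the script collapses the 28 modbus/dnp3 lines into two protocol entries and a list of 14 sids, which makes it obvious that they come from the two bundled `*-events.rules` files for parsers that are off in the YAML, not from the emerging-malware ruleset.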

This is a regular error in the suricata signatures. It means that the signature writer indicated that a flowbit should be checked but it was not set so it couldn’t be checked. The signature will still work and the only fix is for the signature writers to set the flowbit or not check for it.
I see these in my logs also.

and

are errors that I do not see in my logs. I also have emerging-malware.rules selected. Did you just take the default selected rules within that ruleset or did you select additional ones?

What happens if you unselect the emerging-malware.rules entry and select another one such as emerging-phishing.rules, do you still get the same error codes?
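To show what Adolf's explanation means at the rule-file level, here is an added example (mine, not code from the thread, from IPFire or from Emerging Threats) that audits a Suricata rules file the way the engine does at load time: it records which enabled rules set each flowbit and which rules check it, and reports every bit that is checked but has no active setter, which is exactly the situation behind SC_WARN_FLOWBIT. The ruleset embedded in the script is constructed; its sids (9000001 and up) are placeholders, not real ET sids. The sample includes the case where the setter rule is commented out (or would live in a rule file that was not selected), since that is what produces the warning in a trimmed-down ruleset.

```python
import re
from collections import defaultdict

# Constructed demo ruleset; the sids are placeholders, not real Emerging Threats sids.
SAMPLE_RULES = """\
# setter and checker both enabled: no warning expected for test.bit
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"DEMO setter"; flowbits:set,test.bit; flowbits:noalert; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"DEMO checker"; flowbits:isset,test.bit; sid:9000002; rev:1;)
# a bit that no rule in this file ever sets
alert tcp any any -> any any (msg:"DEMO orphan check"; flowbits:isset,test.orphan; sid:9000003; rev:1;)
# the setter is disabled (commented out), so the checker below will be warned about
#alert http any any -> any any (msg:"DEMO disabled setter"; flowbits:set,test.disabled; flowbits:noalert; sid:9000004; rev:1;)
alert tcp any any -> any any (msg:"DEMO checks disabled bit"; flowbits:isnotset,test.disabled; sid:9000005; rev:1;)
# set but never checked: harmless, but dead weight
alert tcp any any -> any any (msg:"DEMO set only"; flowbits:set,test.unused; sid:9000006; rev:1;)
# OR-list in isset (supported by newer Suricata releases): each name counts as checked
alert tcp any any -> any any (msg:"DEMO OR check"; flowbits:isset,test.bit|test.orphan; sid:9000007; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
# action is set/isset/isnotset/toggle/unset/noalert; names is absent for noalert
FLOWBITS_RE = re.compile(r"\bflowbits:\s*(?P<action>[a-z]+)\s*(?:,\s*(?P<names>[^;]+))?;")

SETTERS = {"set", "toggle"}
CHECKERS = {"isset", "isnotset"}


def audit_flowbits(rules_text):
    """Return flowbits that are checked but never set, and set but never checked, with the sids involved."""
    set_by = defaultdict(set)
    checked_by = defaultdict(set)
    for raw in rules_text.splitlines():
        line = raw.strip()
        # Disabled rules (and comments) neither set nor check anything at load time,
        # which is how a checker ends up without a setter.
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        sid = int(m.group(1)) if m else None
        for fb in FLOWBITS_RE.finditer(line):
            action, names = fb.group("action"), fb.group("names")
            if not names:
                continue  # noalert carries no flowbit name
            for name in names.split("|"):
                name = name.strip()
                if action in SETTERS:
                    set_by[name].add(sid)
                elif action in CHECKERS:
                    checked_by[name].add(sid)
    return {
        "checked_but_not_set": {n: sorted(s) for n, s in checked_by.items() if n not in set_by},
        "set_but_never_checked": {n: sorted(s) for n, s in set_by.items() if n not in checked_by},
    }


if __name__ == "__main__":
    result = audit_flowbits(SAMPLE_RULES)
    for name, sids in sorted(result["checked_but_not_set"].items()):
        # same shape as Suricata's warning: first sid, plus how many others check the bit
        print(f"flowbit '{name}' is checked but not set. Checked in {sids[0]} and {len(sids) - 1} other sigs")
    for name, sids in sorted(result["set_but_never_checked"].items()):
        print(f"flowbit '{name}' is set by {sids} but never checked")
```

Pointing `audit_flowbits` at the concatenation of the rule files IPFire actually enables (rather than one file at a time) reproduces the engine's view: a bit only counts as set if some selected, uncommented rule sets it, so selecting `emerging-malware.rules` without the file that carries the setters is enough to produce the warnings in the first post.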

Hi Adolf

I tried your suggestion. Disabling the emerging-malware and activating the phishing one… this is the log:

19:26:02 suricata: Signature(s) loaded, Detect thread(s) activated.
19:26:02 suricata: rule reload complete
19:26:02 suricata: cleaning up signature grouping structure… complete
19:25:58 suricata: 2229 signatures processed. 0 are IP-only rules, 28 are inspecting packet payload, 2028 inspect application layer, 105 are decoder event only
19:25:58 suricata: [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: /usr/share/suricata/threshold.config: No such file or directory
19:25:58 suricata: 15 rule files processed. 2229 rules successfully loaded, 0 rules failed
19:25:57 suricata: Including configuration file /var/ipfire/suricata/suricata-default-rules.yaml.
19:25:57 suricata: Including configuration file /var/ipfire/suricata/suricata-emerging-used-rulefiles.yaml.
19:25:57 suricata: Including configuration file /var/ipfire/suricata/suricata-used-providers.yaml.
19:25:57 suricata: Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
19:25:57 suricata: Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
19:25:57 suricata: Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
19:25:57 suricata: rule reload starting
19:25:57 suricata: all 4 packet processing threads, 2 management threads initialized, engine started.
19:25:57 suricata: fail-open mode should be set on queue
19:25:57 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
19:25:57 suricata: setting nfnl bufsize to 6144000
19:25:57 suricata: setting queue length to 4096
19:25:57 suricata: binding this thread 3 to queue ‘3’
19:25:57 suricata: fail-open mode should be set on queue
19:25:57 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
19:25:57 suricata: setting nfnl bufsize to 6144000
19:25:57 suricata: setting queue length to 4096
19:25:57 suricata: binding this thread 2 to queue ‘2’
19:25:57 suricata: fail-open mode should be set on queue
19:25:57 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
19:25:57 suricata: setting nfnl bufsize to 6144000
19:25:57 suricata: setting queue length to 4096
19:25:57 suricata: binding this thread 1 to queue ‘1’
19:25:57 suricata: fail-open mode should be set on queue
19:25:57 suricata: NFQ running in ‘workers’ runmode, will not use mutex.
19:25:57 suricata: setting nfnl bufsize to 6144000
19:25:57 suricata: setting queue length to 4096
19:25:57 suricata: binding this thread 0 to queue ‘0’
19:25:57 suricata: Packets will start being processed before signatures are active.
19:25:57 suricata: fast output device (regular) initialized: fast.log
19:25:57 suricata: dropped the caps for main thread
19:25:57 suricata: NFQ running in REPEAT mode with mark 2147483648/2147483648
19:25:57 suricata: Enabling fail-open on queue
19:25:57 suricata: HTTP memcap: 268435456
19:25:57 suricata: CPUs/cores online: 4
19:25:57 suricata: This is Suricata version 5.0.8 RELEASE running in SYSTEM mode
19:25:56 suricata: cleaning up signature grouping structure… complete
19:25:55 suricata: (W-NFQ#3) Verdict: Accepted 1392, Dropped 0, Replaced 0
19:25:55 suricata: (W-NFQ#3) Treated: Pkts 1392, Bytes 695462, Errors 0
19:25:55 suricata: (W-NFQ#2) Verdict: Accepted 4110, Dropped 0, Replaced 0
19:25:55 suricata: (W-NFQ#2) Treated: Pkts 4110, Bytes 3476894, Errors 0
19:25:55 suricata: (W-NFQ#1) Verdict: Accepted 4561, Dropped 0, Replaced 0
19:25:55 suricata: (W-NFQ#1) Treated: Pkts 4561, Bytes 4734667, Errors 0
19:25:55 suricata: (W-NFQ#0) Verdict: Accepted 6321, Dropped 0, Replaced 0
19:25:55 suricata: (W-NFQ#0) Treated: Pkts 6321, Bytes 1319214, Errors 0
19:25:55 suricata: time elapsed 26428.551s
19:25:54 suricata: Signal Received. Stopping engine.

Only one ERR_FOPEN… for the rest it seems to be working.
But in the IPS Log viewer, I see:

Log

Total of number of activated rules for April 23: 0

Is that correct? Maybe tomorrow I will see something?

thanks
vincenzo