Suricata Ruleset not updating!

Hi everybody,

I didn’t pay attention but it seems that on one of my ipfire (I have 3 ), the Surricata rules don’t update every weekend !

I use “Emergingthreats.net Community Rules”

I have some errors in the logs:

...
...
10:21:06	suricata:	Signature(s) loaded, Detect thread(s) activated.
10:21:06	suricata:	rule reload complete
10:19:51	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.telnet.busybox' is checked but not set. Checked in 2023019 and 2 other sigs
10:19:51	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
10:19:51	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
10:19:49	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXT ERNAL_NET any -> $HOME_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malle able C2 (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"649d6810e8 392f63dc311eecb6b7098b"; tls.cert_subject; content:!"servicebus.windows.net"; fl owbits:isset,ET.cobaltstrike.ja3; classtype:command-and-control; sid:2028832; re v:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_ target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_cate gory JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 201 9_10_15;)" from file /var/lib/suricata/emerging-ja3.rules at line 43
10:19:49	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
10:19:49	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HO ME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Mall eable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961 a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbit s:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid: 2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_B it, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, upd ated_at 2019_10_15;)" from file /var/lib/suricata/emerging-ja3.rules at line 41
10:19:49	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
10:19:43	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HO ME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IP Grabber CnC Activity"; flow: established,to_server; http.method; content:"POST"; http.uri; content:"/datareco rd/"; endswith; http.request_body; content:"username="; startswith; content:"&co ntent=IP%3a+"; distance:0; fast_pattern; content:"%0a"; endswith: reference:md5, 635b08c141465abf86eaec88391b5ee6; classtype:command-and-control; sid:2030599; re v:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_ target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)" from file /var/lib/suricata/emerging-malware.rul es at line 15791
10:19:43	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unexpected option to endswith keyword: 'endswith'
10:19:42	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HO ME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.TRM Data Exfil (sysi nfo)"; flow:established,to_server; http.method; content:"POST"; http.start; cont ent:"Cookie|3a 20|dkv="; fast_pattern; http.cookie; content:"dkv="; startswith; content:"|3b|YSC="; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/ C"; http.header_names; content:!"Referer"; content:!"Content-Type"; http.request _body; content:"DQpIb3N0IE5hbWU6"; startswith: reference:md5,d2b81c4f5d075daa681 f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; cla sstype:command-and-control; sid:2029855; rev:1; metadata:affected_product Window s_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 20 20_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_09;)" from file /var/lib/suricata/e merging-malware.rules at line 1
10:19:42	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unexpected option to startswith keywor d: 'startswith'
10:19:39	suricata:	rule reload starting
10:19:39	suricata:	all 8 packet processing threads, 2 management threads initialized, engine starte d.
10:19:39	suricata:	[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
10:19:39	suricata:	This is Suricata version 5.0.6 RELEASE running in SYSTEM mode
10:19:38	suricata:	(W-NFQ#7) Verdict: Accepted 125037, Dropped 1206, Replaced 0
10:19:38	suricata:	(W-NFQ#7) Treated: Pkts 126243, Bytes 26763804, Errors 0
10:19:38	suricata:	(W-NFQ#6) Verdict: Accepted 132023, Dropped 914, Replaced 0
10:19:38	suricata:	(W-NFQ#6) Treated: Pkts 132937, Bytes 35605193, Errors 0
10:19:38	suricata:	(W-NFQ#5) Verdict: Accepted 99831, Dropped 929, Replaced 0
10:19:38	suricata:	(W-NFQ#5) Treated: Pkts 100760, Bytes 21521177, Errors 0
10:19:38	suricata:	(W-NFQ#4) Verdict: Accepted 169192, Dropped 5368, Replaced 0
10:19:38	suricata:	(W-NFQ#4) Treated: Pkts 174560, Bytes 27094823, Errors 0
10:19:38	suricata:	(W-NFQ#3) Verdict: Accepted 130907, Dropped 427, Replaced 0
10:19:38	suricata:	(W-NFQ#3) Treated: Pkts 131334, Bytes 40315598, Errors 0
10:19:38	suricata:	(W-NFQ#2) Verdict: Accepted 167362, Dropped 1160, Replaced 0
10:19:38	suricata:	(W-NFQ#2) Treated: Pkts 168522, Bytes 24847942, Errors 0
10:19:38	suricata:	(W-NFQ#1) Verdict: Accepted 62441, Dropped 163, Replaced 0
10:19:38	suricata:	(W-NFQ#1) Treated: Pkts 62604, Bytes 11697947, Errors 0
10:19:38	suricata:	(W-NFQ#0) Verdict: Accepted 2893314, Dropped 47154, Replaced 0
10:19:38	suricata:	(W-NFQ#0) Treated: Pkts 2940468, Bytes 2184053348, Errors 0
10:19:37	suricata:	Signal Received. Stopping engine.
08:30:59	suricata:	Signature(s) loaded, Detect thread(s) activated.
...
...

but it seems that this should not have any impact on the functioning of Surricata !
That said, I would like to know if these errors can also be solved because I don’t understand why they occur

Many thanks

whats your IPfire setup. I am running core 156.

check through WUI- Firewall-Intrusion Prevention System
on the bottom it says

Ruleset (2021-06-30

Hi Peppe,
I use Ipfire last version (core 157) and the version of my rules for Surricata is Ruleset (2020-08-17 02:47:22)
Thanks

Hi @tikok974

The lines in your logs that mention JA3 and JA3_DISABLED are failing because IPFire does not have JA3 support enabled. This is mentioned in the following thread
https://community.ipfire.org/t/suricata-service-fails-errcode-sc-warn-ja3-disabled-309/3470

There is also a bug on this.
https://bugzilla.ipfire.org/show_bug.cgi?id=12507

You need to uncheck the emerging-ja3.rules rule from your Emerging Threats set.

The lines with this look to be having a problem with specific signatures. Either these were corrupted during download or there is a problem with those signatures from Emerging Threats.

If you change completely to a different ruleset, such as Snort VRT Community Rules, and activate it and then go back to Emerging Threats do you still get the same messages in the logs.
You might need to clear the rules from the directory they are in and then reload them but I can’t remember now how to do that.I am sure there will be others who can help on that.

This is just a warning and not an error. I believe it is saying that the flowbit has been checked but in that signature it is not set. The following suricata info might help.

https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html

Thanks you very much Adolf for all your explanations
I disable JA3.
As you suggested, I try to change the rules (i select Snort VRT Community Rules) and then switch back to Emergency and it’s ok now !

Ruleset (2021-07-01 09:46:06)

I’ll see if the next time I update the rules (it happens on my config every week) the update is done correctly

Thanks a lot anyway to everyone who replied for all your advice and comments
Mickaël

Hello all, has anyone same problem with IPS? I use Emergingthreats.net Community Rules , from maybe 14 days i have problem with ruleset updates etc. Enable/Disable ruleset. IPfire stuck on this screen:

I try to disable/enable IDS, disable/enable ruleset provider. In log file see following as only error from suricata:
[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: “/usr/share/suricata/threshold .config”: No such file or directory
Before i havent this error message. I think that this problem was after core 164 update.
Last action i take was to “Force ruleset update” Now i am not sure that have any ruleset active or not, because sometime i see them all, sometimes not.

In IPS logs see, that have blocked connections but i am not sure that disabled or enabled rulesset are really enabled or disabled because of attached screen

It’s a bug in 164 which should be solved in 165. There are some threads in this forum about this. For example: Enabling Talos IPS rules cause trouble after upgrading to Core Update 164

I read the thread last week, but there is no reported errors for these rulesset. I try with snort that are reported as working rulesset. for me is the same as emergingthreats. Will wait for 165 Core update and reinstall if no changes.

I think this posting describes exactly the problem: Enabling Talos IPS rules cause trouble after upgrading to Core Update 164 - #33 by stevee

For what it’s worth,
I’ve been running a fresh install of a recent core 165 for a few days now, and everything is working normal.
The only error I get is …
00:16:46 suricata: [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: “/usr/share/suricata/threshold .config”: No such file or directory

but I think that’s only superficial, and does not affect IPS operations.

So i hope that release of 165 will be soon and update from 164 to 165 will solve this… I am scared from new installation

Update. A fresh release of Core update 165 was installed. At first look all rulesets from Emerging threads that i need to activate are updated and activated successful. There is no stuck when applying.
Only thing i have in log file is some warnings like this:

suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘RULE_NAME_HERE’ is checked but not set

And error message from 164 CU:
suricata: [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: “/usr/share/suricata/threshold .config”: No such file or directory

Hi,

just a quick comment on that: This is normal, and not caused by IPFire, but by the IPS ruleset provider you use. It certainly looks ugly nevertheless, but we cannot do anything about it.

Thanks, and best regards,
Peter Müller

Dear Peter, that is clearly. Maybe only thing that help to deactivate problematic rules is to show their description in logfile , witch is in web interface. In log file rule_names are not same like rule_names in web interface . Whatever, IPFire is best

Hi,

hm, this might be a tricky thing to do. In the logs, Suricata at least provides one IPS rule ID (called “SID” - for “signature ID” I guess), but truncates the rest:

Apr 10 03:18:12 maverick suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.JavaArchiveOrClass' is checked but not set. Checked in 2017768 and 11 other sigs

I vaguely remember log messages from Snort, which we used before Suricata, complaining about flowbit issues as well. So I guess this is neither an acute problem, nor care the IPS ruleset provider to fix it (or nobody ever told them, but I hope they do some QA on their rules, where they would have seen that themselves ).

So, I guess it is not worth the effort to bother about them. Generally not a good idea when it comes to security, but in this case it did not create any harm over the past few years.

Thank you - glad to hear that.

Thanks, and best regards,
Peter Müller

Hi everybody,

I also have this kind of alerts in messages.log:

...
...
...
uricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected";       app-layer-event:dnp3.flooded; classtype:protocol-command-
decode; sid:2270000; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 7
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Length too small";       app-layer-event:dnp3.len_too_small; classtype:protocol-command-
decode; sid:2270001; rev:3;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 13
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad link CRC";       app-layer-event:dnp3.bad_link_crc; classtype:protocol-command-decod
e; sid:2270002; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 17
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yam
l option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Bad transport CRC";       app-layer-event:dnp3.bad_transport_crc; classtype:protocol-com
mand-decode; sid:2270003; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 21
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object";       app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 25
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Protocol version"; app-layer-event:modbus.invalid_protocol_id; classtype:protocol-command-decode; sid:2250001; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 2
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus unsolicited response"; app-layer-event:modbus.unsolicited_response; classtype:protocol-command-decode; sid:2250002; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 4
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Length"; app-layer-event:modbus.invalid_length; classtype:protocol-command-decode; sid:2250003; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 6
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Unit Identifier"; app-layer-event:modbus.invalid_unit_identifier; classtype:protocol-command-decode; sid:2250004; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 8
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Function code"; app-layer-event:modbus.invalid_function_code; classtype:protocol-command-decode; sid:2250005; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 10
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus invalid Value"; app-layer-event:modbus.invalid_value; classtype:protocol-command-decode; sid:2250006; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 12
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Exception code invalid"; flow:to_client; app-layer-event:modbus.invalid_exception_code; classtype:protocol-command-decode; sid:2250007; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 14
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Data mismatch"; flow:to_client; app-layer-event:modbus.value_mismatch; classtype:protocol-command-decode; sid:2250008; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 16
Jul 13 11:28:11 myfirewall suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "modbus" cannot be used in a signature.  Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.modbus.detection-enabled
Jul 13 11:28:11myfirewall suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert modbus any any -> any any (msg:"SURICATA Modbus Request flood detected"; flow:to_server; app-layer-event:modbus.flooded; classtype:protocol-command-decode; sid:2250009; rev:2;)" from file /usr/share/suricata/rules/modbus-events.rules at line 18
...
...
...
myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 4 other sigs
Jul 13 11:28:28 myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
Jul 13 11:28:28 myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.tcpraw.png' is checked but not set. Checked in 2035477 and 0 other sigs
Jul 13 11:28:28 myfirewall suricata: [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.telnet.busybox' is checked but not set. Checked in 2023019 and 2 other sigs
...
...
...

Is there anything I can do to remove them ?

I tried to find the Surricata rules that are responsible for them to uncheck them but I couldn’t find them.
Does anyone have an idea please ?

My Ipfire:

Many thanks

Hi Mikael,
Did you figure this out?