Suricata Ruleset not updating!

Hi everybody,

I didn’t pay attention, but it seems that on one of my IPFire systems (I have 3 :wink: ), the Suricata rules don’t update every weekend!

I use “Emergingthreats.net Community Rules”.

I have some errors in the logs:

...
...
10:21:06	suricata:	Signature(s) loaded, Detect thread(s) activated.
10:21:06	suricata:	rule reload complete
10:19:51	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.telnet.busybox' is checked but not set. Checked in 2023019 and 2 other sigs
10:19:51	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
10:19:51	suricata:	[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
10:19:49	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"649d6810e8392f63dc311eecb6b7098b"; tls.cert_subject; content:!"servicebus.windows.net"; flowbits:isset,ET.cobaltstrike.ja3; classtype:command-and-control; sid:2028832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15;)" from file /var/lib/suricata/emerging-ja3.rules at line 43
10:19:49	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
10:19:49	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15;)" from file /var/lib/suricata/emerging-ja3.rules at line 41
10:19:49	suricata:	[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3 support is not enabled
10:19:43	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IP Grabber CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/datarecord/"; endswith; http.request_body; content:"username="; startswith; content:"&content=IP%3a+"; distance:0; fast_pattern; content:"%0a"; endswith: reference:md5,635b08c141465abf86eaec88391b5ee6; classtype:command-and-control; sid:2030599; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)" from file /var/lib/suricata/emerging-malware.rules at line 15791
10:19:43	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unexpected option to endswith keyword: 'endswith'
10:19:42	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"Cookie|3a 20|dkv="; fast_pattern; http.cookie; content:"dkv="; startswith; content:"|3b|YSC="; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; http.header_names; content:!"Referer"; content:!"Content-Type"; http.request_body; content:"DQpIb3N0IE5hbWU6"; startswith: reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:command-and-control; sid:2029855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_09;)" from file /var/lib/suricata/emerging-malware.rules at line 1
10:19:42	suricata:	[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unexpected option to startswith keyword: 'startswith'
10:19:39	suricata:	rule reload starting
10:19:39	suricata:	all 8 packet processing threads, 2 management threads initialized, engine started.
10:19:39	suricata:	[ERRCODE: SC_WARN_NO_STATS_LOGGERS(261)] - stats are enabled but no loggers are active
10:19:39	suricata:	This is Suricata version 5.0.6 RELEASE running in SYSTEM mode
10:19:38	suricata:	(W-NFQ#7) Verdict: Accepted 125037, Dropped 1206, Replaced 0
10:19:38	suricata:	(W-NFQ#7) Treated: Pkts 126243, Bytes 26763804, Errors 0
10:19:38	suricata:	(W-NFQ#6) Verdict: Accepted 132023, Dropped 914, Replaced 0
10:19:38	suricata:	(W-NFQ#6) Treated: Pkts 132937, Bytes 35605193, Errors 0
10:19:38	suricata:	(W-NFQ#5) Verdict: Accepted 99831, Dropped 929, Replaced 0
10:19:38	suricata:	(W-NFQ#5) Treated: Pkts 100760, Bytes 21521177, Errors 0
10:19:38	suricata:	(W-NFQ#4) Verdict: Accepted 169192, Dropped 5368, Replaced 0
10:19:38	suricata:	(W-NFQ#4) Treated: Pkts 174560, Bytes 27094823, Errors 0
10:19:38	suricata:	(W-NFQ#3) Verdict: Accepted 130907, Dropped 427, Replaced 0
10:19:38	suricata:	(W-NFQ#3) Treated: Pkts 131334, Bytes 40315598, Errors 0
10:19:38	suricata:	(W-NFQ#2) Verdict: Accepted 167362, Dropped 1160, Replaced 0
10:19:38	suricata:	(W-NFQ#2) Treated: Pkts 168522, Bytes 24847942, Errors 0
10:19:38	suricata:	(W-NFQ#1) Verdict: Accepted 62441, Dropped 163, Replaced 0
10:19:38	suricata:	(W-NFQ#1) Treated: Pkts 62604, Bytes 11697947, Errors 0
10:19:38	suricata:	(W-NFQ#0) Verdict: Accepted 2893314, Dropped 47154, Replaced 0
10:19:38	suricata:	(W-NFQ#0) Treated: Pkts 2940468, Bytes 2184053348, Errors 0
10:19:37	suricata:	Signal Received. Stopping engine.
08:30:59	suricata:	Signature(s) loaded, Detect thread(s) activated.
...
...

but it seems that this should not have any impact on the functioning of Suricata!
That said, I would like to know if these errors can also be solved because I don’t understand why they occur :frowning:

Many thanks

What’s your IPFire setup? I am running core 156.

Check through WUI - Firewall - Intrusion Prevention System.
At the bottom it says

Ruleset (2021-06-30)

Hi Peppe,
I use the latest IPFire version (core 157), and the version of my rules for Suricata is Ruleset (2020-08-17 02:47:22).
Thanks

Hi @tikok974

The lines in your logs that mention JA3 and JA3_DISABLED are failing because IPFire does not have JA3 support enabled. This is mentioned in the following thread:
https://community.ipfire.org/t/suricata-service-fails-errcode-sc-warn-ja3-disabled-309/3470

There is also a bug on this:
https://bugzilla.ipfire.org/show_bug.cgi?id=12507

You need to uncheck the emerging-ja3.rules rule from your Emerging Threats set.

The lines with this look to be having a problem with specific signatures. Either these were corrupted during download or there is a problem with those signatures from Emerging Threats.

If you change completely to a different ruleset, such as Snort VRT Community Rules, activate it and then go back to Emerging Threats, do you still get the same messages in the logs?
You might need to clear the rules from the directory they are in and then reload them, but I can’t remember now how to do that. I am sure there will be others who can help on that.

This is just a warning and not an error. I believe it is saying that the flowbit has been checked but in that signature it is not set. The following suricata info might help.

https://suricata.readthedocs.io/en/latest/rules/flow-keywords.html

1 Like
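To triage a log like the one above without reading every line by hand, here is a small added script (not from the thread or from IPFire/Suricata) that separates SC_WARN warnings from SC_ERR rule-load failures and, for each failed rule, extracts the sid, file and line and guesses the cause: ja3/ja3s keywords with JA3 support disabled, or a keyword such as `endswith:` terminated with a colon instead of a semicolon, which is what the "unexpected option to endswith keyword" message points at. The sample lines are constructed in the layout of the quoted IPFire log with shortened rules; the cause heuristics are my own, not Suricata's.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the IPFire Suricata log (newest first);
# rules are shortened but keep the keywords that matter for triage.
SAMPLE_LOG = """\
10:19:51\tsuricata:\t[ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'is_proto_irc' is checked but not set. Checked in 2002029 and 6 other sigs
10:19:49\tsuricata:\t[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 Hash - test (ja3s)"; ja3s.hash; content:"00"; sid:2028832; rev:1;)" from file /var/lib/suricata/emerging-ja3.rules at line 43
10:19:49\tsuricata:\t[ERRCODE: SC_WARN_JA3_DISABLED(309)] - ja3(s) support is not enabled
10:19:43\tsuricata:\t[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE test"; http.request_body; content:"%0a"; endswith: reference:md5,0; sid:2030599; rev:2;)" from file /var/lib/suricata/emerging-malware.rules at line 15791
10:19:43\tsuricata:\t[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - unexpected option to endswith keyword: 'endswith'
10:19:39\tsuricata:\trule reload starting
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+suricata:\s+(?:\[ERRCODE: (\w+)\((\d+)\)\] - )?(.*)$")
PARSE_RE = re.compile(r'error parsing signature "(.*)" from file (\S+) at line (\d+)$')
SID_RE = re.compile(r"\bsid:\s*(\d+)")
# A Suricata keyword followed by ':' instead of ';' swallows the next option as its argument.
BAD_SEP_RE = re.compile(r"\b(endswith|startswith|fast_pattern|nocase):\s")

def diagnose(rule: str) -> str:
    """Best-effort cause for a rule Suricata refused to load (my heuristics, not Suricata's)."""
    if re.search(r"\bja3s?\.(hash|string)\b", rule):
        return "uses ja3/ja3s keywords but JA3 support is not enabled"
    m = BAD_SEP_RE.search(rule)
    if m:
        return f"malformed rule text: '{m.group(1)}:' should end with ';'"
    return "unknown; compare against upstream rule"

def triage(log_text: str) -> dict:
    """Count warnings vs errors and list every rule that failed to load with sid/file/line/cause."""
    counts, failed = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2):      # skip lines without an ERRCODE
            continue
        code, msg = m.group(2), m.group(4)
        counts["warning" if code.startswith("SC_WARN") else "error"] += 1
        p = PARSE_RE.match(msg)
        if p:
            rule, path, lineno = p.groups()
            sid = SID_RE.search(rule)
            failed.append({"sid": int(sid.group(1)) if sid else None, "file": path,
                           "line": int(lineno), "cause": diagnose(rule)})
    return {"counts": dict(counts), "failed_rules": failed}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["failed_rules"]:
        print(f"sid {f['sid']} ({f['file']}:{f['line']}): {f['cause']}")
```

Feed it the real log text and the sids it lists are the ones to disable or re-download; warnings such as SC_WARN_FLOWBIT are counted but never appear in the failed-rule list.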

Thank you very much Adolf for all your explanations :wink:
I disabled JA3.
As you suggested, I tried changing the rules (I selected Snort VRT Community Rules) and then switched back to Emerging Threats, and it’s OK now!

Ruleset (2021-07-01 09:46:06)

I’ll see if the next time the rules update (it happens on my config every week) the update is done correctly :wink:

Thanks a lot anyway to everyone who replied for all your advice and comments :wink:
Mickaël

2 Likes